Sec. 50107. Improving cybersecurity of small entities
Source: /bill/117/hr/4521/pcs/section-50107
In this section:
    The term "Administrator" means the Administrator of the Small Business Administration.
    The terms "annual cybersecurity report", "small business", "small entity", "small governmental jurisdiction", and "small organization" have the meanings given those terms in section 2220D of the Homeland Security Act of 2002, as added by subsection (b).
    The term "CISA" means the Cybersecurity and Infrastructure Security Agency.
    The term "Commission" means the Federal Trade Commission.
    The term "Secretary" means the Secretary of Commerce.

Subtitle A of title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by adding at the end the following:

    "In this section:
        The term 'Administration' means the Small Business Administration.
        The term 'Administrator' means the Administrator of the Administration.
        The term 'annual cybersecurity report' means the annual cybersecurity report published and promoted under subsections (b) and (c), respectively.
        The term 'Commission' means the Federal Trade Commission.
        The term 'electronic device' means any electronic equipment that is—
            used by an employee or contractor of a small entity for the purpose of performing work for the small entity;
            capable of connecting to the internet or another communication network; and
            capable of sending, receiving, or processing personal information.
        The term 'NIST' means the National Institute of Standards and Technology.
        The term 'small business' has the meaning given the term 'small business concern' under section 3 of the Small Business Act (15 U.S.C. 632).
        The term 'small entity' means—
            a small business;
            a small governmental jurisdiction; and
            a small organization.
        The term 'small governmental jurisdiction' means governments of cities, counties, towns, townships, villages, school districts, or special districts with a population of less than 50,000.
        The term 'small organization' means any not-for-profit enterprise that is independently owned and operated and is not dominant in its field.

    Not later than 180 days after the date of enactment of this section, and not less frequently than annually thereafter, the Director shall publish a report for small entities that documents and promotes evidence-based cybersecurity policies and controls for use by small entities, which shall—
        include basic controls that have the most impact in protecting small entities against common cybersecurity threats and risks;
        include protocols and policies to address common cybersecurity threats and risks posed by electronic devices, regardless of whether the electronic devices are—
            issued by the small entity to employees and contractors of the small entity; or
            personal to the employees and contractors of the small entity; and
        recommend, as practicable—
            measures to improve the cybersecurity of small entities; and
            configurations and settings for some of the most commonly used software that can improve the cybersecurity of small entities.

    The Director shall ensure that each annual cybersecurity report published under paragraph (1) incorporates—
        cybersecurity resources developed by NIST, as required by the NIST Small Business Cybersecurity Act (Public Law 115–236); and
        the most recent version of the Cybersecurity Framework, or successor resource, maintained by NIST.

    The Director may include and prioritize the development of cybersecurity recommendations, as required under paragraph (1), appropriate for specific types of small entities in addition to recommendations applicable for all small entities.

    In publishing the annual cybersecurity report under paragraph (1), the Director shall, to the degree practicable and as appropriate, consult with—
        the Administrator, the Secretary of Commerce, the Commission, and the Director of NIST;
        small entities, insurers, State governments, companies that work with small entities, and academic and Federal and non-Federal experts in cybersecurity; and
        any other entity as determined appropriate by the Director.

    The annual cybersecurity report, and previous versions of the report as appropriate, published under subsection (b)(1) shall be—
        made available, prominently and free of charge, on the public website of the Agency; and
        linked to from relevant portions of the websites of the Administration and the Minority Business Development Agency, as determined by the Administrator and the Director of the Minority Business Development Agency, respectively.

    The Director, the Administrator, and the Secretary of Commerce shall, to the degree practicable, promote the annual cybersecurity report through relevant resources that are intended for or known to be regularly used by small entities, including agency documents, websites, and events.

    The Director, the Administrator, and the Director of the Minority Business Development Agency shall make available to employees of small entities voluntary training and technical assistance on how to implement the recommendations of the annual cybersecurity report."

The table of contents in section 1(b) of the Homeland Security Act of 2002 (Public Law 107–296; 116 Stat. 2135) is amended by inserting after the item relating to section 2220C the following: "Sec. 2220D. Annual cybersecurity report for small entities.".

Not later than 1 year after the date of enactment of this Act, and annually thereafter for 10 years, the Secretary shall submit to Congress a report describing methods to improve the cybersecurity of small entities, including through the adoption of policies, controls, and classes of products and services that have been demonstrated to reduce cybersecurity risk.

The report required under paragraph (1) shall—
    identify barriers or challenges for small entities in purchasing or acquiring classes of products and services that promote the cybersecurity of small entities;
    assess market availability, market pricing, and affordability of classes of products and services that promote the cybersecurity of small entities, with particular attention to identifying high-risk and underserved sectors or regions;
    estimate the costs and benefits of policies that promote the cybersecurity of small entities, including—
        tax breaks;
        grants and subsidies; and
        other incentives as determined appropriate by the Secretary;
    describe evidence-based cybersecurity controls and policies that improve the cybersecurity of small entities;
    with respect to the incentives described in subparagraph (C), recommend measures that can effectively improve cybersecurity at scale for small entities; and
    include any other matters as the Secretary determines relevant.

In preparing the report required under paragraph (1), the Secretary may include matters applicable for specific sectors of small entities in addition to matters applicable to all small entities.

In preparing the report required under paragraph (1), the Secretary shall consult with—
    the Administrator, the Director of CISA, and the Commission; and
    small entities, insurers of risks related to cybersecurity, State governments, cybersecurity and information technology companies that work with small entities, and academic and Federal and non-Federal experts in cybersecurity.

Nothing in this section or the amendments made by this section shall be construed to provide any additional regulatory authority to CISA.