NIST CSF Goes Mainstream: NIST Small Business Cybersecurity Act Passes

NIST Cybersecurity Framework NIST Small Business Cybersecurity Act

When Rsam asked more than five hundred security professionals from large enterprises if they planned to incorporate the NIST Cybersecurity Framework into their risk and compliance strategy, a whopping 87% said yes. This is encouraging news for security minded folks and it seems like the enthusiasm for creating a common cybersecurity language is about to cast a wider net.

Last week the NIST Small Business Cybersecurity Act, S. 770 was signed into law. This bill, previously called the Main Street Cybersecurity Act is a bi-partisan effort authored by U.S. Senators James Risch (R-Idaho) and Brian Schatz (D-Hawaii). This new law instructs the National Institute of Standards and Technology (NIST) to make available resources for small businesses to assist them in implementing the NIST CSF. The new bill also instructs NIST to take into account smaller enterprises when developing further releases of the NIST CSF. Today the NIST CSF is not a mandate, but businesses are encouraged to voluntarily adapt the framework. 

Why the NIST Small Business Cybersecurity Act is Important for all Businesses

“Having small businesses participate and adopt the NIST CSF is critical for the success of all business. We see by the updates in NIST CSF 1.1 that there is significantly more guidance, controls and NIST sub-categories around 3rd party risk management. This is because a large organization is only as cyberstrong as their weakest link. The inclusion of Cyber Security Supply Risk Management was a sign that a true cybersecurity plan needs to include Main Street and not just Wall Street.” said Nikolay Filipets, Rsam’s GRC Product Manager.

Often times small organizations don’t have the risk maturity of large enterprises, but there are things that they can do today to help them on the path. The white paper “How to Implement NIST CSF: 4 Step Journey to Cybersecurity Maturity”, provides simple recommendations that businesses can take beginning with their current risk register to provide and aggregate risk across all CSF categories. With the foundation established, small businesses can then set different thresholds across categories and speak to risk in terms that their larger business partners understand.

To read more about maturing your NIST Cybersecurity Framework program, download the full white paper.