While opening a Senate Small Business Committee hearing on cybercrimes against small businesses today, committee Chairman Sen. Marco Rubio, R-Fla., announced his rollout of two pieces of legislation which would aim to create greater accountability at the Small Business Administration (SBA) and to expand small business cybersecurity awareness and training resources.
Rubio co-sponsored the first piece of legislation, the SBA Cyber Awareness Act, with the committee’s Ranking Member Sen. Ben Cardin, D-Md. The measure would direct the SBA to create a cyber strategy and report breaches to Congress.
“The SBA Cyber Awareness Act would require the SBA to develop a cyber strategy and to examine where the components in its IT system are manufactured,” Rubio said. “This bill would also require the SBA to report to this committee about the cyber breaches and threats it faces so that we can give the SBA the tools that it needs to defend itself against future attacks.”
The second piece of legislation, the Small Business Cyber Training Act, was developed with Sen. Jeanne Shaheen, D-N.H., and would mandate small business development centers to have a certain number of certified counselors to explain cybersecurity strategy to entrepreneurs.
“The bill will prepare them, these counselors, to provide vital advice on cyber security to entrepreneurs when it matters most – at the beginning of their business’ lifecycle,” Rubio said.
After Rubio’s opening, witnesses at the hearing underscored that while cybersecurity threats are a growing problem for small businesses, these businesses lack the resources and funds to understand or implement effective cybersecurity plans or management teams.
“With limited resources and budgets, these companies need cybersecurity guidance, solutions, and training that is practical, actionable, and enables them to cost-effectively address and manage their cybersecurity risks,” SBA Chief Information Officer Maria Roat said in her opening statement.
Roat and Charles Romine, Director of the National Institute of Standards and Technology (NIST) Information Technology Laboratory, said that NIST and SBA have made strides to support small businesses in their cybersecurity efforts, whether by making NIST’s Cybersecurity Framework available or by working with other offices to make SBA more responsive to business technology needs.
However, Charles River Analytics President Karen Harper, who testified on behalf of the National Small Business Association, said her organization – which researches and works with several Federal agencies – found that NIST’s specifications and support for small business cybersecurity could improve.
Charles River Analytics found that NIST’s cybersecurity implementation requirements are vague, and that complying with NIST guidelines to protect controlled unclassified information (CUI) – which Harper said was an equally vague term – in non-federal systems is costly and burdensome to small businesses.
Harper therefore recommended that NIST clearly define CUI and its management, bring flexibility to the application of NIST controls to reflect the diversity of IT system needs, and use clearer language in NIST’s cybersecurity guidelines. Harper emphasized in her opening statement that she supports Rubio’s legislation, saying that his bills can help bring the clarity and resources that small businesses need to implement better cybersecurity systems and teams.