[Senate Report 115-153]
[From the U.S. Government Publishing Office]
Calendar No. 217
_______________________________________________________________________
115th Congress } { Report
SENATE
1st Session } { 115-153
_______________________________________________________________________
MAKING AVAILABLE INFORMATION NOW TO STRENGTHEN TRUST AND RESILIENCE AND
ENHANCE ENTERPRISE TECHNOLOGY CYBERSECURITY ACT OF 2017
__________
R E P O R T
of the
COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
on
S. 770
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
September 11, 2017.--Ordered to be printed
________
U.S. GOVERNMENT PUBLISHING OFFICE
69-019 WASHINGTON: 2017
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
one hundred fifteenth congress
first session
JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi BILL NELSON, Florida
ROY BLUNT, Missouri MARIA CANTWELL, Washington
TED CRUZ, Texas AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska EDWARD J. MARKEY, Massachusetts
DEAN HELLER, Nevada CORY A. BOOKER, New Jersey
JAMES M. INHOFE, Oklahoma TOM UDALL, New Mexico
MIKE LEE, Utah GARY C. PETERS, Michigan
RON JOHNSON, Wisconsin TAMMY BALDWIN, Wisconsin
SHELLEY MOORE CAPITO, West TAMMY DUCKWORTH, Illinois
Virginia
CORY GARDNER, Colorado MARGARETWOODHASSAN,NewHampshire
TODD C. YOUNG, Indiana CATHERINE CORTEZ MASTO, Nevada
Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Christopher Day, Democratic Deputy Staff Director
Calendar No. 217
115th Congress } { Report
SENATE
1st Session } { 115-153
======================================================================
MAKING AVAILABLE INFORMATION NOW TO STRENGTHEN TRUST AND RESILIENCE AND
ENHANCE ENTERPRISE TECHNOLOGY CYBERSECURITY ACT OF 2017
_______
September 11, 2017.--Ordered to be printed
_______
Mr. Thune, from the Committee on Commerce, Science, and Transportation,
submitted the following
R E P O R T
[To accompany S. 770]
[Including cost estimate of the Congressional Budget Office]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 770) to require the Director of
the National Institute of Standards and Technology to
disseminate resources to help reduce small business
cybersecurity risks, and for other purposes, having considered
the same, reports favorably thereon with an amendment (in the
nature of a substitute) and recommends that the bill (as
amended) do pass.
Purpose of the Bill
S. 770, the Making Available Information Now to Strengthen
Trust and Resilience and Enhance Enterprise Technology
Cybersecurity Act of 2017 or MAIN STREET Cybersecurity Act of
2017, will improve cybersecurity resources for small
businesses. The Act would require the Director of the National
Institute of Standards and Technology (NIST Director), under
the Department of Commerce, to consider small business concerns
and disseminate resources to help small businesses reduce cyber
risks by using voluntary risk management security measures as
articulated in the public-private initiative, the Framework for
Improving Critical Infrastructure Cybersecurity (Cybersecurity
Framework).
Background and Needs
According to the Small Business Administration (SBA), small
businesses make up more than half of the jobs in the United
States,\1\ and they also are a major target for cyber attacks.
In the last 5 years, security vendor Symantec Corporation has
observed a steady increase in attacks targeting businesses with
fewer than 250 employees, with 43 percent of all attacks in
2015 targeted at small businesses.\2\
On December 18, 2014, President Obama signed into law the
Cybersecurity Enhancement Act of 2014 (Act of 2014) (15 U.S.C.
7421 et seq.), which then-Committee Chairman Rockefeller and
Ranking Member Thune co-authored. That Act amended the NIST Act
(15 U.S.C. 271 et seq.) to authorize the NIST Director to work
in collaboration with industry on a set of voluntary,
consensus-based, and industry-led standards and procedures to
reduce cyber risks to critical infrastructure, codifying the
process that develops the Cybersecurity Framework.\3\ The
Cybersecurity Framework is flexible and scalable so that all
companies may use it at all organizational levels.
Nevertheless, some small companies may need additional
resources to make better use of the expansive framework. In
addition, several Federal agencies, including the Federal Trade
Commission, Department of Homeland Security, and SBA, have
issued cybersecurity tips for small businesses that are not
coordinated with the Cybersecurity Framework, though they often
lay out similar principles.
---------------------------------------------------------------------------
\1\Small Business Administration, ``Small Business Trends,'' at
https://www.sba.gov/managing-business/running-business/energy-
efficiency/sustainable-business-practices/small-business-trends.
\2\Symantec, ``Internet Security Threat Report,'' Volume 21, April
2016, at https://www.symantec.com/content/dam/symantec/docs/reports/
istr-21-2016-en.pdf.
\3\National Institute for Standards and Technology, Framework for
Improving Critical Infrastructure Cybersecurity, February 12, 2014, at
https://www.nist.gov/sites/default/files/documents/cyberframework/
cybersecurity-framework-021214.pdf.
---------------------------------------------------------------------------
Summary of Provisions
S. 770, as amended in Committee, would incorporate NIST
consideration of small business concerns into the existing
voluntary industry-led process for the Cybersecurity Framework
authorized in the Act of 2014. The bill also would direct NIST,
in consultation with other relevant agencies, such as the
agencies named above, to develop concise, voluntary
cybersecurity resources for small businesses in carrying out
the Cybersecurity Framework. In addition, the bill would direct
other Federal agencies to harmonize, to the extent possible,
future cybersecurity resources for small businesses with the
resources NIST provides.
Legislative History
On March 29, 2017, Senator Schatz introduced S. 770 with
Senators Risch, Thune, Cantwell, Nelson, Gardner, and Cortez
Masto as co-sponsors. On April 5, 2017, in an open Executive
Session, the Committee considered the bill as modified by a
first degree amendment offered by Senator Schatz to improve the
bill. The amendment made minor changes to clarify that the
resources should apply to a wide range of small businesses and
include elements to promote awareness of a workplace
cybersecurity culture and third party stakeholder
relationships. The Committee, by voice vote, unanimously
ordered S. 770 to be reported favorably with an amendment (in
the nature of a substitute).
Estimated Costs
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
S. 770--MAIN STREET Cybersecurity Act of 2017
S. 770 would direct the National Institute of Standards and
Technology (NIST) to provide resources to small businesses to
help them reduce their cybersecurity risks. Under the bill,
NIST would be required to provide and update tools,
methodologies, guidelines, and other resources to small
business to use on a voluntary basis. Based on an analysis of
information from NIST, CBO estimates that implementing S. 770
would cost $6 million over the 2018-2022 period, including $2
million in 2018 for NIST to consult with several federal
agencies and develop such resources and an additional $4
million over the 2019-2022 period to update those resources;
such spending would be subject to the availability of
appropriated funds.
Enacting S. 770 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply. CBO
estimates that enacting S. 770 would not increase net direct
spending or on-budget deficits in any of the four consecutive
10-year periods beginning in 2028.
S. 770 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act and
would not affect the budgets of state, local, or tribal
governments.
The CBO staff contact for this estimate is Stephen Rabent.
The estimate was approved by H. Samuel Papenfuss, Deputy
Assistant Director for Budget Analysis.
Regulatory Impact Statement
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
number of persons covered
S. 770, as reported, would develop consistent resources
that are fully voluntary for a small business to use. As such,
the bill would not create any new programs or impose any new
regulatory requirements, and therefore would not subject any
individuals or businesses to new regulations.
economic impact
S. 770 is not expected to have an adverse impact on the
Nation's economy.
privacy
S. 770 is not expected to have an adverse impact on the
personal privacy of individuals.
paperwork
S. 770 would not increase paperwork requirements for
private individuals or businesses. S. 770 would require the
NIST Director to develop and disseminate resources for small
businesses to reduce cybersecurity risks.
Congressionally Directed Spending
In compliance with paragraph 4(b) of rule XLIV of the
Standing Rules of the Senate, the Committee provides that no
provisions contained in the bill, as reported, meet the
definition of congressionally directed spending items under the
rule.
Section-by-Section Analysis
Section 1. Short title
This section would establish the bill's short title as the
``Making Available Information Now to Strengthen Trust and
Resilience and Enhance Enterprise Technology Cybersecurity Act
of 2017'' or the ``MAIN STREET Cybersecurity Act of 2017.''
Section 2. Findings
This section would present a number of congressional
findings. It would find that small businesses are critical to
the U.S. economy, accounting for 54 percent of all domestic
sales and 55 percent of domestic jobs. This section also would
find that small and midsized businesses are major targets for
cyberattacks. Additionally, this section would note that the
industry-led process authorized by the Act of 2014 continues to
play a key role in improving the cyber resilience of the United
States. Finally, the section would find that there is a need to
develop simplified resources for small businesses that are
consistent with the Cybersecurity Framework in order to
increase its use.
Section 3. Improving cybersecurity of small businesses
This section would define a number of terms used in the
Act. It would amend the NIST Act to ensure the NIST Director
considers small business concerns in carrying out the public-
private partnership to develop the Cybersecurity Framework
authorized in the Act of 2014.
This section would further require that not later than 1
year after the date of enactment of this Act, the NIST
Director, in consultation with the heads of other Federal
agencies, as the NIST Director considers appropriate, provide
clear and concise voluntary resources, such as tips, tools,
guidelines, and other ways of providing information, to small
businesses to reduce cybersecurity risks. The section would
require that NIST ensures that the resources are generally
applicable and usable by a wide range of small businesses. In
addition, it would require that these resources vary relative
to the nature and size of the small business concern and the
sensitivity of the data collected or stored.
It would further require the resources be technology-
neutral, based on international standards to the extent
possible, and consistent with the Stevenson-Wydler Technology
Innovation Act of 1980 (15 U.S.C. 3701 et seq.), which seeks to
foster government-industry cooperation. The resources also
would include elements that promote awareness of basic
controls, a workplace cybersecurity culture, and third party
stakeholder relationships. The section also would require NIST
to ensure the resources are consistent with the efforts of the
National Cybersecurity Awareness and Education Program,
otherwise referred to as the NIST National Initiative for
Cybersecurity Education, authorized in the Act of 2014. This
section also would require NIST to consider any methods
included in the Small Business Development Center Cyber
Strategy established in the National Defense Authorization Act
for Fiscal Year 2017 (Pub. L. 114-328, 130 Stat. 2000).
NIST and such heads of other Federal agencies as the NIST
Director considers appropriate would be required to make
information on the resources prominently available online in a
consistent, clear, and concise manner. Federal agencies
publishing additional resources to help small businesses reduce
cybersecurity risk after the date of enactment also would be
required, to the extent practicable, to make these resources
consistent with the resources that NIST provides.
The Committee finds that the public-private partnership to
develop the Cybersecurity Framework has been widely lauded.
Industry and government have successfully collaborated on
voluntarily addressing and managing cybersecurity risks without
placing regulatory requirements on businesses. NIST also
recognizes in the Cybersecurity Framework that organizations
may have unique risks and the use of the framework will vary.
As such, the Committee expects NIST to continue its
collaboration with industry in carrying out this Act.
Further, the resources developed under this Act should be
viewed as voluntary and, thus, would not place additional
regulatory requirements on businesses. These resources also are
intended to be technology-neutral, consistent with the
direction for the process to develop the Cybersecurity
Framework. The Committee finds that the principle of tech-
neutrality ensures that stakeholders take into account rapid
advances and changes in technology. The Committee recognizes
that the U.S. technology sector continues to innovate and
produce emerging cybersecurity technologies and processes for
the marketplace that benefit consumers, small businesses, and
the Federal Government. The Committee encourages NIST to
consider, in its dissemination of resources, a diverse array of
cybersecurity technologies and processes, including the
following: multi-factor authentication; data loss prevention;
network segmentation; cloud services; data encryption; least
privileged architecture; anonymization; software patching and
maintenance; and other cybersecurity measures.
Changes in Existing Law
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, changes in existing law made by
the bill, as reported, are shown as follows (existing law
proposed to be omitted is enclosed in black brackets, new
material is printed in italic, existing law in which no change
is proposed is shown in roman):
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT
[31 Stat. 1449]
SEC. 272. ESTABLISHMENT, FUNCTIONS, AND ACTIVITIES.
[15 U.S.C. 272]
* * * * * * *
(e) Cyber Risks.--
(1) In general.--In carrying out the activities under
subsection (c)(15), the Director--
(A) shall--
(i) coordinate closely and regularly
with relevant private sector personnel
and entities, critical infrastructure
owners and operators, and other
relevant industry organizations,
including Sector Coordinating Councils
and Information Sharing and Analysis
Centers, and incorporate industry
expertise;
(ii) consult with the heads of
agencies with national security
responsibilities, sector-specific
agencies and other appropriate
agencies, State and local governments,
the governments of other nations, and
international organizations;
(iii) identify a prioritized,
flexible, repeatable, performance-
based, and cost-effective approach,
including information security measures
and controls, that may be voluntarily
adopted by owners and operators of
critical infrastructure to help them
identify, assess, and manage cyber
risks;
(iv) include methodologies--
(I) to identify and mitigate
impacts of the cybersecurity
measures or controls on
business confidentiality; and
(II) to protect individual
privacy and civil liberties;
(v) incorporate voluntary consensus
standards and industry best practices;
(vi) align with voluntary
international standards to the fullest
extent possible;
(vii) prevent duplication of
regulatory processes and prevent
conflict with or superseding of
regulatory requirements, mandatory
standards, and related processes; [and]
(viii) consider small business
concerns (as defined in section 3 of
the Small Business Act (15 U.S.C.
632)); and
[(viii)](ix) include such other
similar and consistent elements as the
Director considers necessary; and
(B) shall not prescribe or otherwise
require--
(i) the use of specific solutions;
(ii) the use of specific information
or communications technology products
or services; or
(iii) that information or
communications technology products or
services be designed, developed, or
manufactured in a particular manner.
(2) Limitation.--Information shared with or provided
to the Institute for the purpose of the activities
described under subsection (c)(15) shall not be used by
any Federal, State, tribal, or local department or
agency to regulate the activity of any entity. Nothing
in this paragraph shall be construed to modify any
regulatory requirement to report or submit information
to a Federal, State, tribal, or local department or
agency.
(3) Definitions.--In this subsection:
(A) Critical infrastructure.--The term
``critical infrastructure'' has the meaning
given the term in section 1016(e) of the USA
PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
(B) Sector-specific agency.--The term
``sector-specific agency'' means the Federal
department or agency responsible for providing
institutional knowledge and specialized
expertise as well as leading, facilitating, or
supporting the security and resilience programs
and associated activities of its designated
critical infrastructure sector in the all-
hazards environment.