[Senate Report 115-153]
[From the U.S. Government Publishing Office]

Calendar No. 217

115th Congress, 1st Session                SENATE                Report 115-153

MAKING AVAILABLE INFORMATION NOW TO STRENGTHEN TRUST AND RESILIENCE AND ENHANCE ENTERPRISE TECHNOLOGY CYBERSECURITY ACT OF 2017

R E P O R T

of the

COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

on

S. 770

September 11, 2017.--Ordered to be printed

U.S. GOVERNMENT PUBLISHING OFFICE
69-019                          WASHINGTON: 2017

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
One Hundred Fifteenth Congress, First Session

JOHN THUNE, South Dakota, Chairman

ROGER F. WICKER, Mississippi              BILL NELSON, Florida
ROY BLUNT, Missouri                       MARIA CANTWELL, Washington
TED CRUZ, Texas                           AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                     RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                       BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                      EDWARD J. MARKEY, Massachusetts
DEAN HELLER, Nevada                       CORY A. BOOKER, New Jersey
JAMES M. INHOFE, Oklahoma                 TOM UDALL, New Mexico
MIKE LEE, Utah                            GARY C. PETERS, Michigan
RON JOHNSON, Wisconsin                    TAMMY BALDWIN, Wisconsin
SHELLEY MOORE CAPITO, West Virginia       TAMMY DUCKWORTH, Illinois
CORY GARDNER, Colorado                    MARGARET WOOD HASSAN, New Hampshire
TODD C. YOUNG, Indiana                    CATHERINE CORTEZ MASTO, Nevada

Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Christopher Day, Democratic Deputy Staff Director

Mr. Thune, from the Committee on Commerce, Science, and Transportation, submitted the following

R E P O R T

[To accompany S. 770]

[Including cost estimate of the Congressional Budget Office]

The Committee on Commerce, Science, and Transportation, to which was referred the bill (S. 770) to require the Director of the National Institute of Standards and Technology to disseminate resources to help reduce small business cybersecurity risks, and for other purposes, having considered the same, reports favorably thereon with an amendment (in the nature of a substitute) and recommends that the bill (as amended) do pass.

Purpose of the Bill

S. 770, the Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017 or MAIN STREET Cybersecurity Act of 2017, will improve cybersecurity resources for small businesses. The Act would require the Director of the National Institute of Standards and Technology (NIST Director), under the Department of Commerce, to consider small business concerns and disseminate resources to help small businesses reduce cyber risks by using voluntary risk management security measures as articulated in the public-private initiative, the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework).

Background and Needs

According to the Small Business Administration (SBA), small businesses make up more than half of the jobs in the United States,\1\ and they also are a major target for cyber attacks. In the last 5 years, security vendor Symantec Corporation has observed a steady increase in attacks targeting businesses with fewer than 250 employees, with 43 percent of all attacks in 2015 targeted at small businesses.\2\

On December 18, 2014, President Obama signed into law the Cybersecurity Enhancement Act of 2014 (Act of 2014) (15 U.S.C. 7421 et seq.), which then-Committee Chairman Rockefeller and Ranking Member Thune co-authored.
That Act amended the NIST Act (15 U.S.C. 271 et seq.) to authorize the NIST Director to work in collaboration with industry on a set of voluntary, consensus-based, and industry-led standards and procedures to reduce cyber risks to critical infrastructure, codifying the process that develops the Cybersecurity Framework.\3\ The Cybersecurity Framework is flexible and scalable so that all companies may use it at all organizational levels. Nevertheless, some small companies may need additional resources to make better use of the expansive framework. In addition, several Federal agencies, including the Federal Trade Commission, Department of Homeland Security, and SBA, have issued cybersecurity tips for small businesses that are not coordinated with the Cybersecurity Framework, though they often lay out similar principles.

---------------------------------------------------------------------------
\1\ Small Business Administration, ``Small Business Trends,'' at https://www.sba.gov/managing-business/running-business/energy-efficiency/sustainable-business-practices/small-business-trends.
\2\ Symantec, ``Internet Security Threat Report,'' Volume 21, April 2016, at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf.
\3\ National Institute for Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, February 12, 2014, at https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.
---------------------------------------------------------------------------

Summary of Provisions

S. 770, as amended in Committee, would incorporate NIST consideration of small business concerns into the existing voluntary industry-led process for the Cybersecurity Framework authorized in the Act of 2014.
The bill also would direct NIST, in consultation with other relevant agencies, such as the agencies named above, to develop concise, voluntary cybersecurity resources for small businesses in carrying out the Cybersecurity Framework. In addition, the bill would direct other Federal agencies to harmonize, to the extent possible, future cybersecurity resources for small businesses with the resources NIST provides.

Legislative History

On March 29, 2017, Senator Schatz introduced S. 770 with Senators Risch, Thune, Cantwell, Nelson, Gardner, and Cortez Masto as co-sponsors. On April 5, 2017, in an open Executive Session, the Committee considered the bill as modified by a first degree amendment offered by Senator Schatz to improve the bill. The amendment made minor changes to clarify that the resources should apply to a wide range of small businesses and include elements to promote awareness of a workplace cybersecurity culture and third party stakeholder relationships. The Committee, by voice vote, unanimously ordered S. 770 to be reported favorably with an amendment (in the nature of a substitute).

Estimated Costs

In accordance with paragraph 11(a) of rule XXVI of the Standing Rules of the Senate and section 403 of the Congressional Budget Act of 1974, the Committee provides the following cost estimate, prepared by the Congressional Budget Office:

S. 770--MAIN STREET Cybersecurity Act of 2017

S. 770 would direct the National Institute of Standards and Technology (NIST) to provide resources to small businesses to help them reduce their cybersecurity risks. Under the bill, NIST would be required to provide and update tools, methodologies, guidelines, and other resources to small business to use on a voluntary basis.

Based on an analysis of information from NIST, CBO estimates that implementing S. 770 would cost $6 million over the 2018-2022 period, including $2 million in 2018 for NIST to consult with several federal agencies and develop such resources and an additional $4 million over the 2019-2022 period to update those resources; such spending would be subject to the availability of appropriated funds.

Enacting S. 770 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting S. 770 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.

S. 770 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments.

The CBO staff contact for this estimate is Stephen Rabent. The estimate was approved by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

Regulatory Impact Statement

In accordance with paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee provides the following evaluation of the regulatory impact of the legislation, as reported:

Number of Persons Covered

S. 770, as reported, would develop consistent resources that are fully voluntary for a small business to use. As such, the bill would not create any new programs or impose any new regulatory requirements, and therefore would not subject any individuals or businesses to new regulations.

Economic Impact

S. 770 is not expected to have an adverse impact on the Nation's economy.

Privacy

S. 770 is not expected to have an adverse impact on the personal privacy of individuals.

Paperwork

S. 770 would not increase paperwork requirements for private individuals or businesses. S. 770 would require the NIST Director to develop and disseminate resources for small businesses to reduce cybersecurity risks.
Congressionally Directed Spending

In compliance with paragraph 4(b) of rule XLIV of the Standing Rules of the Senate, the Committee provides that no provisions contained in the bill, as reported, meet the definition of congressionally directed spending items under the rule.

Section-by-Section Analysis

Section 1. Short title

This section would establish the bill's short title as the ``Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017'' or the ``MAIN STREET Cybersecurity Act of 2017.''

Section 2. Findings

This section would present a number of congressional findings. It would find that small businesses are critical to the U.S. economy, accounting for 54 percent of all domestic sales and 55 percent of domestic jobs. This section also would find that small and midsized businesses are major targets for cyberattacks. Additionally, this section would note that the industry-led process authorized by the Act of 2014 continues to play a key role in improving the cyber resilience of the United States. Finally, the section would find that there is a need to develop simplified resources for small businesses that are consistent with the Cybersecurity Framework in order to increase its use.

Section 3. Improving cybersecurity of small businesses

This section would define a number of terms used in the Act. It would amend the NIST Act to ensure the NIST Director considers small business concerns in carrying out the public-private partnership to develop the Cybersecurity Framework authorized in the Act of 2014.

This section would further require that not later than 1 year after the date of enactment of this Act, the NIST Director, in consultation with the heads of other Federal agencies, as the NIST Director considers appropriate, provide clear and concise voluntary resources, such as tips, tools, guidelines, and other ways of providing information, to small businesses to reduce cybersecurity risks.
The section would require that NIST ensures that the resources are generally applicable and usable by a wide range of small businesses. In addition, it would require that these resources vary relative to the nature and size of the small business concern and the sensitivity of the data collected or stored. It would further require the resources be technology-neutral, based on international standards to the extent possible, and consistent with the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3701 et seq.), which seeks to foster government-industry cooperation. The resources also would include elements that promote awareness of basic controls, a workplace cybersecurity culture, and third party stakeholder relationships.

The section also would require NIST to ensure the resources are consistent with the efforts of the National Cybersecurity Awareness and Education Program, otherwise referred to as the NIST National Initiative for Cybersecurity Education, authorized in the Act of 2014. This section also would require NIST to consider any methods included in the Small Business Development Center Cyber Strategy established in the National Defense Authorization Act for Fiscal Year 2017 (Pub. L. 114-328, 130 Stat. 2000).

NIST and such heads of other Federal agencies as the NIST Director considers appropriate would be required to make information on the resources prominently available online in a consistent, clear, and concise manner. Federal agencies publishing additional resources to help small businesses reduce cybersecurity risk after the date of enactment also would be required, to the extent practicable, to make these resources consistent with the resources that NIST provides.

The Committee finds that the public-private partnership to develop the Cybersecurity Framework has been widely lauded.
Industry and government have successfully collaborated on voluntarily addressing and managing cybersecurity risks without placing regulatory requirements on businesses. NIST also recognizes in the Cybersecurity Framework that organizations may have unique risks and the use of the framework will vary. As such, the Committee expects NIST to continue its collaboration with industry in carrying out this Act. Further, the resources developed under this Act should be viewed as voluntary and, thus, would not place additional regulatory requirements on businesses. These resources also are intended to be technology-neutral, consistent with the direction for the process to develop the Cybersecurity Framework. The Committee finds that the principle of tech-neutrality ensures that stakeholders take into account rapid advances and changes in technology.

The Committee recognizes that the U.S. technology sector continues to innovate and produce emerging cybersecurity technologies and processes for the marketplace that benefit consumers, small businesses, and the Federal Government. The Committee encourages NIST to consider, in its dissemination of resources, a diverse array of cybersecurity technologies and processes, including the following: multi-factor authentication; data loss prevention; network segmentation; cloud services; data encryption; least privileged architecture; anonymization; software patching and maintenance; and other cybersecurity measures.

Changes in Existing Law

In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by the bill, as reported, are shown as follows (existing law proposed to be omitted is enclosed in black brackets, new material is printed in italic, existing law in which no change is proposed is shown in roman):

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY ACT

[31 Stat. 1449]

SEC. 272. ESTABLISHMENT, FUNCTIONS, AND ACTIVITIES. [15 U.S.C. 272]

* * * * * * *

    (e) Cyber Risks.--
        (1) In general.--In carrying out the activities under subsection (c)(15), the Director--
            (A) shall--
                (i) coordinate closely and regularly with relevant private sector personnel and entities, critical infrastructure owners and operators, and other relevant industry organizations, including Sector Coordinating Councils and Information Sharing and Analysis Centers, and incorporate industry expertise;
                (ii) consult with the heads of agencies with national security responsibilities, sector-specific agencies and other appropriate agencies, State and local governments, the governments of other nations, and international organizations;
                (iii) identify a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, that may be voluntarily adopted by owners and operators of critical infrastructure to help them identify, assess, and manage cyber risks;
                (iv) include methodologies--
                    (I) to identify and mitigate impacts of the cybersecurity measures or controls on business confidentiality; and
                    (II) to protect individual privacy and civil liberties;
                (v) incorporate voluntary consensus standards and industry best practices;
                (vi) align with voluntary international standards to the fullest extent possible;
                (vii) prevent duplication of regulatory processes and prevent conflict with or superseding of regulatory requirements, mandatory standards, and related processes; [and]
                (viii) consider small business concerns (as defined in section 3 of the Small Business Act (15 U.S.C. 632)); and
                [(viii)] (ix) include such other similar and consistent elements as the Director considers necessary; and
            (B) shall not prescribe or otherwise require--
                (i) the use of specific solutions;
                (ii) the use of specific information or communications technology products or services; or
                (iii) that information or communications technology products or services be designed, developed, or manufactured in a particular manner.
        (2) Limitation.--Information shared with or provided to the Institute for the purpose of the activities described under subsection (c)(15) shall not be used by any Federal, State, tribal, or local department or agency to regulate the activity of any entity. Nothing in this paragraph shall be construed to modify any regulatory requirement to report or submit information to a Federal, State, tribal, or local department or agency.
        (3) Definitions.--In this subsection:
            (A) Critical infrastructure.--The term ``critical infrastructure'' has the meaning given the term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
            (B) Sector-specific agency.--The term ``sector-specific agency'' means the Federal department or agency responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.