Ranking Member Johnson’s Opening Statement for NIST Small Business Cybersecurity Markup
(Washington, DC) – Today, the House Committee on Science, Space, and Technology is marking up H.R. 2105, the “NIST Small Business Cybersecurity Act of 2017.”
Ranking Member Eddie Bernice Johnson’s (D-TX) opening statement for the record is below.
Thank you, Mr. Chairman. H.R. 2105, the NIST Small Business Cybersecurity Act of 2017, addresses a significant need to provide more guidance, resources, and tools to small businesses to secure their information systems and protect the personal information of their customers. According to the Small Business Administration, the 28 million small businesses in America account for 54 percent of all U.S. sales. Small businesses provide 55 percent of all jobs and 66 percent of all net new jobs since the 1970s. Small businesses play a central role in our economy. Unfortunately, the information systems and networks of small businesses are especially vulnerable. Small businesses rarely have trained cybersecurity employees and often do not prioritize cybersecurity or have the resources to do so.
The National Institute of Standards and Technology, or NIST, has been a leader in developing standards and guidelines for cybersecurity in the public and private sectors before the word cybersecurity was even part of our policy vocabulary. In 2009, NIST developed a guidance document called Small Business Information Security: The Fundamentals. The document was the result of an interagency effort and was designed to present the fundamentals of an effective small business information security program in non-technical language.
In 2014, in response to an Executive Order from President Obama, NIST published the Cybersecurity Framework for Critical Infrastructure, which we have discussed extensively in this Committee. The Cybersecurity Framework is most useful for larger businesses with at least some information technology expertise. Therefore, in November 2016, NIST published an update of their small business guidance document, using the Framework as a template.
In addition to this guidance, NIST assists small businesses directly through their work at the Cybersecurity Center for Excellence in Gaithersburg, Maryland. Furthermore, under the National Initiative for Cybersecurity Education, NIST leads an activity they call the “Small Business Corner.” In collaboration with the Small Business Administration and the FBI, they conduct training meetings on computer security for small businesses.
H.R. 2105 is consistent with all of these ongoing activities at NIST and with the agency’s mission. Ideally, H.R. 2105 would also provide resources for NIST to expand these activities, because the need is clear. Unfortunately, the Majority has once again brought up a bill directing the agency to do more with less. If this just happened occasionally, it might not be a problem. Every agency should periodically assess their programs and identify opportunities to reprioritize funding and implement new efficiencies. However, with respect to NIST in particular, the Majority has piled on one significant new responsibility after another, without providing additional funding. And now, based on the FY 2018 Budget Blueprint, we anticipate damaging cuts to NIST from the Trump Administration.
I am pleased that we can agree on a bipartisan basis that NIST is an important agency that does excellent work across many areas with a relatively small budget. I just wish we could also agree that money does not grow on the trees at the NIST campus. We must be prepared to pay for what we value, or we will simply not accomplish the laudable goals of this legislation or any other activities we deem to be priorities.
Mr. Chairman, I support H.R. 2105, and I thank the sponsors, including Mr. Webster, Mr. Lipinski, and Ms. Rosen, for their strong support for small businesses and NIST’s important role in cybersecurity. However, I am concerned that the House bill contains an explicit unfunded mandate clause and that the Senate version is silent on funding. I hope that if we have the opportunity to negotiate a conference agreement, both bodies will see fit to provide NIST with adequate resources to fulfill the mandates in this legislation.
With that I yield back.