Small business owners must protect their computer systems and confidential information from destruction, tampering, loss and theft. The National Institute of Standards and Technology (NIST) has written an interagency report, NIST IR 7621, on cybersecurity standards for small business. The standard is promoted in partnership with the Small Business Administration (SBA) and the FBI.
As evidence of compliance with this federal agency standard, the small business President, CEO or Chief Security Officer can sign a sworn statement, an Affidavit of Cybersecurity Compliance. The affidavit is signed before a notary public. Its statements must be true and correct, under penalty of perjury.
Annual Cybersecurity Compliance Checkup
NIST 7621 recommends an annual cybersecurity checkup. This may be done by the in-house Chief Security Officer, or by an outside security contractor, knowledgeable in NIST 7621. The security checkup could be completed before the annual meeting, presented at the meeting, and kept in the company records.
A notarized Affidavit of Cybersecurity Compliance provides strong evidence that the business takes cybersecurity seriously. It reduces the business's risk of data destruction, tampering, loss and theft, and it may be used to show that reasonable care and a Written Information Security Policy (WISP) are in place when defending against liability claims of negligent security.
Absolutely Necessary Cybersecurity Actions for Small Business
NIST 7621 includes Section 2, titled Absolutely Necessary Cybersecurity Actions for Small Business, with 11 elements. For full compliance with Section 2, these 11 required elements must all be included in the affidavit.
Section 2 elements include:
- completing a risk assessment and annual security review
- installing antivirus, anti-malware and anti-spyware software
- installing a hardware and software firewall
- using strong passwords
- installing software updates promptly
- making backup copies of important files
- controlling physical access to computers
- securing wireless networks
- conducting security training
- requiring user accounts with limited privileges
- limiting access to a need-to-know basis
Highly Recommended Cybersecurity Practices
NIST 7621 includes Section 3, titled Highly Recommended Cybersecurity Practices, with 12 additional elements. Compliance with some or all of these recommended elements shows evidence that the business is taking extra security measures, above and beyond the necessary actions of reasonable care listed in Section 2. Compliance with Section 3 could be included in the same affidavit or in a separate affidavit.
Implementing the security actions listed in NIST 7621, Section 2, does not impose a high cost or time burden. Section 3 carries a higher burden of time, training, discipline and cost.
The elements of Section 3 include:
- not opening email attachments from unknown senders
- not clicking on web links to unknown websites
- using a pop-up blocker in the web browser
- not inserting removable media from an unknown source
- using a secure https browser connection for transactions
- erasing web browser cache, cookies and history
- conducting a background check when hiring employees
- using a standard user account, not an administrator account, when online
- not downloading software from unknown websites
- attending training for continuing education in cybersecurity and information security
- secure disposal of old computers, digital media and paper documents
- not disclosing personal or confidential information to an unknown person or online
- creating an annual asset inventory of hardware, software and information
- using encryption for confidential information, mobile devices and removable media
A sample form for an Affidavit of Cybersecurity Compliance for Section 2 and Section 3 is included in the resource list below. Links are also included for NIST IR 7621. All employees should read NIST 7621 to become familiar with the requirements and sign a statement agreeing to follow it.
Protect your small business by following basic and advanced cybersecurity standards and best practices in NIST IR 7621.
Please share this blog post with other small business owners.
[This educational article is not to be considered as legal advice or security advice.]
- Download sample Affidavit of Cybersecurity Compliance NIST IR 7621, Section 2
- Download sample Affidavit of Cybersecurity Compliance NIST IR 7621, Section 3
- Download NIST IR 7621, original release, October 2009
- Download NIST IR 7621, revision 1, draft, December 16, 2014
[Updated 2019-02-17] updated affidavit forms