NSBA Testifies on Cyber Crime
March 14, 2019
On March 13, the Senate Committee on Small Business and Entrepreneurship held a hearing
entitled “Cyber Crime: An Existential Threat to Small Business.” NSBA
Leadership Council and Small Business Technology Council (SBTC) member
Karen Harper, President and Principal Scientist at Charles River Analytics,
Inc., a small business headquartered in Cambridge, Massachusetts, was among the
witnesses testifying at the hearing.
Charles River Analytics has been delivering intelligent systems that transform
our customers’ data into mission-relevant tools and solutions to support
critical assessment and decision-making. Charles River continues to grow its
technology, customer base, and strategic alliances through research and
development programs for the DOD, DHS, NASA, and the Intelligence Community.
Her company addresses a broad spectrum of mission areas and functional domains,
including sensor and image processing, situation assessment and decision
aiding, human systems integration, cyber security, human-robot interaction, and
robot localization and automation.
businesses face unique challenges and vulnerabilities when it comes to digital
security. Business owners rely on information technology more than ever, yet
the very tools that make small businesses competitive have also put them in the
crosshairs of cyber attackers. The security of our online data and finances is
a huge concern for America’s small businesses.
Early indicators from a forthcoming NSBA survey show that
62 percent of small-business owners are very concerned that their business
could be vulnerable to a cyber-attack. That same data suggests that more than
one-in-three have been the victim of a cyber-attack. The most common type of
cyber-attack, according to NSBA’s data, caused a service interruption or
information to be falsely sent out under the business’s name. The time it takes to
resolve these issues is significant as well, with one-in-four saying it took
them more than 3 days to find a resolution.
Ms. Harper’s testimony focused on the challenges small businesses face with the adoption of the National Institute of Standards and Technology (NIST) Special Publication 800-171 requirements to protect Controlled Unclassified Information (CUI) in non-federal IT systems. She states, “While small-business leaders such as myself, understand the intentions of the NIST SP 800-171 standard to protect the cyber vulnerabilities we all face, compliance with NIST SP 800-171 is extremely costly and overly burdensome, particularly for small businesses. The publication includes 110 IT control requirements, many of which require highly complex solutions. As a result, many contractors are still grappling with the complexities of NIST SP 800-171, as well as other aspects of DFARS, such as what actually constitutes “Controlled Unclassified Information (CUI)” under the clause.”
challenge, expense, and business impacts of Charles River’s NIST compliance
program, her testimony included recommendations for improving NIST SP
800-171 for small defense contracting businesses across three areas. Her
testimony includes the following:
require clarity in the definition and
management of Confidential Unclassified Information (CUI), both provided by our
DOD customer base, but also information generated by our company in the course
of business execution. Second, we require flexibility
in the application of the defined NIST controls. IT requirements across
industries and companies vary widely, and the implementation of
NIST-compliant controls should reflect this diversity in IT system needs.
Finally, we require clear guidance to
support the nation’s small businesses in the defense sector to comply properly.
This guidance must be delivered in easily accessible implementation
guides—using plain language—that target the range of IT challenges faced across