NIST Releases Cybersecurity Guidance for Non-Employer Small Businesses
Severity: Low (Score: 24.9)
Sources: Csrc.Nist, doi.org
Summary
On April 14, 2026, NIST published a new draft titled 'Small Business Cybersecurity: Non-Employer Firms' aimed at assisting the 34.8 million small businesses in the U.S., particularly the 81.9% classified as non-employer firms. These firms include sole proprietors and freelancers, who often lack dedicated IT resources. The document provides guidance on using the NIST Cybersecurity Framework 2.0 to manage cybersecurity risks effectively. It acknowledges that while many small businesses may never hire employees, they still face cybersecurity challenges. The publication has been revised from earlier versions to focus specifically on cybersecurity, narrowing its audience and scope. Key updates include the addition of use cases and a more accessible layout. The public comment period for this draft is open until May 14, 2026.
Key Points:
- NIST's new draft targets non-employer small businesses in the U.S.
- 81.9% of U.S. small businesses have no paid employees.
- The public comment period for the draft is open until May 14, 2026.
Key Entities
- United States (country)