The National Institute of Standards and Technology has released a new draft guidance to help small businesses strengthen their cybersecurity posture amid increasing threats.
Issued Tuesday, the Small Business Cybersecurity: Non-Employer Firms is tailored to businesses with no paid employees beyond the owner. The document provides critical information to enable non-employer firms, including single-member limited liability companies, sole proprietors, independent contractors and freelancers, to manage cyber risks.
The agency is encouraging the public to review the document and share their feedback by May 14.
Malicious cyber actors are targeting American businesses to steal sensitive data or disrupt operations. At the Potomac Officers Club’s 2026 Cyber Summit on May 21, cyber experts from across government and industry will discuss the evolving cyberthreat landscape and provide recommendations to strengthen the cybersecurity of American systems. The event will also explore new trends in cybersecurity, such as the integration of artificial intelligence to automate defense, and identify strategies for zero trust implementation. Get your tickets today.
What Does the Draft NIST Guidance Cover?
The guidance leverages the NIST Cybersecurity Framework 2.0 to introduce foundational cybersecurity practices in non-technical language, making it accessible to businesses with limited IT expertise or resources.
The publication also outlines common cyberthreats facing small businesses, including phishing and ransomware, and provides steps to mitigate risks, such as enabling multifactor authentication and maintaining secure data backups.
In addition to addressing the immediate cybersecurity needs of small businesses, the document includes considerations for firms adopting more advanced technologies and hiring employees or consultants to scale operations. The guidance, according to NIST, can be adapted to help businesses of varying sizes manage risks.
How Has the NIST Small Business Cybersecurity Guidance Evolved?
The latest draft builds on earlier versions of the publication, which was first released in 2009 as NIST IR 7621: Small Business Information Security: The Fundamentals. It was later updated in 2016, followed by a broader revision process that began with a pre-draft call for comments in 2024.
As part of the latest update, NIST converted the document into Cybersecurity White Paper 50 and narrowed its focus from general information security to cybersecurity. The revision also refines the target audience, shifting from small businesses broadly to non-employer firms with minimal IT complexity.
