NIST has released the initial public draft of NIST Internal Report (IR) 7621r2, Small Business Cybersecurity: Non-Employer Firms
NIST has released the initial public draft of NIST Internal Report (IR) 7621r2 (Revision 2), Small Business Cybersecurity: Non-Employer Firms.
According to the U.S. Small Business Administration Office of Advocacy, there are 34.8 million small businesses in the United States, comprising 99% of all U.S. businesses. Of those, 81.7% are non-employer firms with no paid employees other than the owners of the business. These businesses, though small in size, are represented in every industry and sector of the economy and contribute significantly to the Nation’s innovation and industrial competitiveness. This publication specifically addresses cybersecurity basics for these non-employer firms, helping them to use the NIST Cybersecurity Framework 2.0 to begin managing their cybersecurity risks. The actions included within this publication are ones that small businesses can take on their own, with limited technical knowledge or a minimal budget. To make these guidelines applicable to a broader audience, cybersecurity risk management considerations are included for businesses as they grow and hire employees, if they decide to do so.
One of the most significant changes to this revision is its narrowed scope. The previous versions of this publication discussed the broader topic of information security. To simplify and focus the content, this revised publication is now focused specifically on cybersecurity, which is a subset of information security. Based on community input, the audience has also been narrowed. Whereas prior versions were focused generally on “small business,” which is a very broad and diverse population, this revision is tailored to a more specific population—non-employer firms. Subsequent publications within this series may address other business populations. Revision 2 of this publication also reflects changes in technology and recent updates to NIST publications, including the Cybersecurity Framework (CSF) 2.0 and the NIST IR 8286 series. Another major update is that the information is presented in tabular format to enhance readability.
The public comment period closes at 11:59 p.m. ET on June 30, 2025. See the publication details for the draft and instructions on submitting comments. We value and welcome your input and look forward to your comments.