NIST has released a new public draft of Small Business Cybersecurity: Non-Employer Firms. The public comment period is open through May 14, 2026.
See the publication details for a copy of the draft and a template for submitting comments.
According to the U.S. Small Business Administration Office of Advocacy, there are 34.8 million small businesses in the United States. Of those, 81.9% have no paid employees other than the owner or owners—termed “non-employer firms.” These include sole proprietors, freelancers, single-member limited liability companies (LLCs), independent contractors, gig economy workers, and others. This publication helps small firms with no employees and with minimal IT complexity use the NIST Cybersecurity Framework 2.0 to manage their cybersecurity risks. To make this information applicable to a broader audience, cybersecurity risk management considerations are included for businesses as they grow and hire employees—acknowledging that some non-employer firms may never hire additional employees. Many small businesses rely upon consultants, who are also a key audience for this report. While the guide is developed for a U.S. audience, it is recognized that many small businesses engage in international commerce or collaborations, and this document can be adapted to support the cybersecurity risk management of those efforts.
Cybersecurity White Paper (CSWP) 50 was initially published in 2009 as NIST IR 7621, Small Business Information Security: The Fundamentals. The publication underwent an initial revision in 2016 (NIST IR 7621, Rev. 1). A pre-draft call for comments was issued in 2024, followed by an initial public draft and comment period on NIST IR 7621, Rev. 2. During the revision process, the publication was converted to CSWP 50, Small Business Cybersecurity: Non-Employer Firms.
Key Updates within CSWP 50: