I think the comments so far are too harsh. The purpose of this document is to lay out, in plain language, what should be the minimum requirements for a small business in terms of cyber security. If there's no place to start, small businesses won't even be able to try. Following this document probably also will help with legal liability should the company have an incident. If you followed these steps, you're probably less likely to have liability than if you didn't.
Edit: this is applicable not to a "small business" in general, but a "small non-IT business". For a small IT business, well, this is only partially applicable - only to non-IT roles. If they are developing desktop software, then they need to be able to test its installation and upgrade via the installers, which is then incompatible with the "remove admin privileges from laptops" recommendation.
Or they can run their installer tests in a VM, which can be created without admin. And as a bonus the install experience will be more likely to be portable as opposed to silently depending on some forgotten config on the dev's own machine.
Most people aren't capable of responding to anything the government does with anything but brain-dead snark. I've been feeling this problem has been getting worse on YC as of late.
Upfront tells the stakes, a tiny bit of a more holistic view of cybersecurity, then a quick pragmatic checklist of things to just do first (backups, MFA, keep up to date with updates/patches), and then diving into the same frameworkey stuff.
Greater federal intervention into SMB cybersecurity beyond this type of material and bulletins is politically challenging, particularly given that the foundation of cybersecurity is risk assessment. It'd be incredibly challenging for any federal agency to set true baseline requirements for cybersecurity measures (since that would constitute doing part of the risk assessment for SMBs - and that just screams nanny state).
I don't understand the intended target audience. Who is this for?
Most SMB leaders have enough trouble as it is keeping up with their day to day IT operations. The section at the start of the document is intended for “CEOs”, yet it’s likely impenetrable to that audience on account of the jargon while simultaneously giving advice that’s too high-level/broad to be useful.
Later parts of the document intended for technical leads are too focused on minutiae rather than outlining the overarching goals of their implementation, which loses the intended spirit of the document IMO.
For example, it’s more useful to start by outlining what these controls are trying to achieve. For example, “Ensuring business continuity after a ransomware attack” or “Protecting business assets with strong multi-factor authentication”, as opposed to throwing out specific individual technical controls without a high-level narrative to describe what you’re actually aiming for.
Agreed. Ask any SB owner to list the Top 10 things that keep them up at night and cyber-security wouldn't crack the Top 100.
Uncle Sam's concerns are embarrassing lip service without any significant monies to lend a hand. And Sam wonders why so many have less and less faith in Washington DC.
Almost any SMB owner that isn't concerned about cybersecurity should be. Losing access to your payment terminals, or email, or accounting docs, or production equipment, or any number of other computerized systems would be existential risks for SMBs across the country.
Maybe there's an argument that the government should do a better job systematically eliminating cybersecurity risks the way they do with natural disasters via building codes, but I'm not sure why a monetary handout would help things. Like, your idea of right sized government is half the country filing IT upgrade proposals with the feds?
After 2 years of Covid "disruption", immediately followed by war and drastic inflation and then predictions of recession, only the naive - and the government - would believe this ranks with SMBs.
> "I'm not sure why a monetary handout would help things."
Do you know any SMBs? Ever been one yourself? If the priority is to keep the lights on and make payroll, and they ARE struggling to do that, without support, sec isn't going to get much attention. If a pricey consultant needs to be brought in, how are they going to pay for that? How are they going to make time - and time is money - for that?
I do know SMB owners. A pair of the ones I know had their email hacked and used to scam customers with redirected payment details on large invoices. Losing tens of thousands of dollars in invoices didn't do anything to help with their payroll or their customer retention. Another had a beverage machine used as an attack vector for PCs on the network.
The government absolutely needs to provide simple guidance for SMBs that don't know better. That's what this is.
"Select and support a 'Security Program Manager.' This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program."
Somewhat contradictory. A "security program manager" can't implement good security if they don't know what it looks like, even if given a checklist.
This reads like the sort of document that the government publishes because it has a fiduciary to protect the vaunted "small business owner," similar to "fraud awareness" campaigns, but is more laying the groundwork to say that they told you so, rather than real protection.
I doubt CISA believes that technical and cybersecurity experience is irrelevant. This is their way to say "put someone in charge of it."
Two reasons for this:
1. The failure mode for most SMB operational risks is "no one was behind the wheel. No one thought it was their responsibility." If someone is clearly identified as responsible, they can set the basic guidelines that most people already know should be done.
2. Once the term "responsible for X" is on the table, it will tend to push the business towards hiring skilled personnel. Precisely because no one wants to take that on. Recommend that a business hire a skilled IT security headcount at market rates, and all the stakeholders will vote no. Ask a business "who is responsible for IT security? Who will handle an incident or breach?" And they will hire an IT security person after no one steps forward.
We interviewed a fake cybersecurity specialist some time ago. And I still use this experience as the main evidence that a pure compliance role, without technical expertise in system administration, does not make any sense. "He will make sure that there is a firewall everywhere, but will not make sure that your database is only accessible from the EC2 instance that runs your web app".
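The database-reachability point in the comment above is the kind of control a checklist-only "firewall everywhere" review misses. As an added illustration, not code from the thread or from CISA's document, here is what "database only accessible from the EC2 instance that runs your web app" looks like in Terraform on AWS: the database's security group admits PostgreSQL traffic only from members of the web-app instance's security group, and the database is not publicly addressable at all. Resource names, the `var.*` inputs, and the port/engine choices are assumptions for the example.

```hcl
# Added example (not from the thread). Two security groups: the web app is
# reachable from the internet on HTTPS only; the database is reachable only
# from instances carrying the web-app group. All var.* values are assumed.

resource "aws_security_group" "web_app" {
  name        = "web-app-sg"       # assumed name
  description = "Web application instances"
  vpc_id      = var.vpc_id         # assumed input

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]    # public HTTPS is the only exposed port
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "database" {
  name        = "database-sg"      # assumed name
  description = "Database reachable only from the web application"
  vpc_id      = var.vpc_id

  # The weak setting this replaces would be an ingress rule on 5432 with
  # cidr_blocks = ["0.0.0.0/0"] (or the whole VPC CIDR). Referencing the
  # web-app group instead means only that tier can open a connection.
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.web_app.id]
  }
}

resource "aws_instance" "web_app" {
  ami                    = var.web_ami            # assumed input
  instance_type          = "t3.small"
  subnet_id              = var.private_subnet_id  # assumed input
  vpc_security_group_ids = [aws_security_group.web_app.id]
}

resource "aws_db_instance" "app_db" {
  identifier             = "app-db"               # assumed name
  engine                 = "postgres"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = var.db_username        # assumed; kept out of the file
  password               = var.db_password        # assumed; kept out of the file
  publicly_accessible    = false                  # no public endpoint at all
  vpc_security_group_ids = [aws_security_group.database.id]
  db_subnet_group_name   = var.db_subnet_group    # assumed input
  skip_final_snapshot    = true
}
```

The check that goes with it, which a compliance-only reviewer would not think to run, is to list the database group's ingress rules (`aws ec2 describe-security-groups --group-ids <database-sg-id>`, with the id filled in from your environment) and confirm that port 5432 appears only with a `UserIdGroupPairs` entry for the web-app group and never with an `IpRanges` entry, and that the RDS instance reports `PubliclyAccessible: false`.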
Small business? Is it 1 April already? This just comes off as yet another Uncle Sam entity completely out of touch with reality. At the very least it should be coupled with some sort of support program(s).
Mind you, it's not a political favourite, but SB / SMB cyber-security is 10x more important than student loan debt forgiveness.