NIST CSWP 50 (Initial Public Draft)

Small Business Cybersecurity: Non-Employer Firms

Date Published: April 14, 2026
Comments Due: May 14, 2026 (public comment period is CLOSED)
Email Questions to: [email protected]

Author(s)

Daniel Eliot (NIST), Jeffrey Marron (NIST), Savann Thorn (NIST)

Announcement

According to the U.S. Small Business Administration Office of Advocacy, there are 34.8 million small businesses in the United States. Of those, 81.9% have no paid employees other than the owner or owners—termed “non-employer firms.” These include sole proprietors, freelancers, single-member limited liability companies (LLCs), independent contractors, gig economy workers, and others. This publication helps small firms with no employees and with minimal IT complexity use the NIST Cybersecurity Framework 2.0 to manage their cybersecurity risks. To make this information applicable to a broader audience, cybersecurity risk management considerations are included for businesses as they grow and hire employees—acknowledging that some non-employer firms may never hire additional employees. Many small businesses rely upon consultants, who are also a key audience for this report. While the guide is developed for a U.S. audience, it is recognized that many small businesses engage in international commerce or collaborations, and this document can be adapted to support the cybersecurity risk management of those efforts. 

Cybersecurity White Paper (CSWP) 50 was initially published in 2009 as NIST IR 7621, Small Business Information Security: The Fundamentals. The publication underwent an initial revision in 2016 (NIST IR 7621, Rev. 1). A pre-draft call for comments was issued in 2024, followed by an initial public draft and comment period on NIST IR 7621, Rev. 2. During the revision process, the publication was converted to CSWP 50, Small Business Cybersecurity: Non-Employer Firms.

Key Updates within CSWP 50:

  • This revision has a narrowed scope. Previous versions of this publication discussed the broader topic of information security; this revised publication is now focused specifically on cybersecurity, which is a subset of information security.
  • Based on community input, the audience was narrowed. Prior versions focused on “small business,” which is a very broad and diverse population. This revision is tailored to a more specific population—non-employer firms with minimal information technology (IT) complexity.
  • Three notional use-cases were developed and added to the appendices.  
  • This revision reflects changes in technology and recent updates to NIST publications, including the Cybersecurity Framework (CSF) 2.0 and the NIST IR 8286 series.
  • The layout has been updated to present the information in a tabular format to enhance readability. 

Abstract

Keywords

cybersecurity; Cybersecurity Framework (CSF); cybersecurity risk management; information security; small business

Control Families

None selected

Documentation

Publication:
https://doi.org/10.6028/NIST.CSWP.50.ipd

Supplemental Material:
Comment template (xlsx)
Small Business Cybersecurity Corner

Document History:
03/18/24: IR 7621 Rev. 2 (Draft)
05/01/25: IR 7621 Rev. 2 (Draft)
04/14/26: CSWP 50 (Draft)

Topics

Security and Privacy

general security & privacy

Applications

small & medium business