Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 7621 Rev. 2 (Initial Preliminary Draft)

PRE-DRAFT Call for Comments | Small Business Information Security: The Fundamentals

Date Published: March 18, 2024
Comments Due: May 16, 2024 (public comment period is CLOSED)
Email Questions to:



NIST plans to update NIST IR 7621 Rev. 1, Small Business Information Security: The Fundamentals and is issuing this Pre-Draft Call for Comments to solicit feedback. The public is invited to provide input by 12 p.m. ET on May 16, 2024. 


Since NIST IR 7621 Revision 1 was published in November of 2016, NIST has developed new frameworks for cybersecurity and risk management and released major updates to critical resources and references. This revision will focus on clarifying publication audience, making the document more user-friendly, aligning with other NIST guidance, updating the narrative with current approaches to cybersecurity risk management, and updating appendices. Before revising, NIST invites the public to suggest changes that would improve the document’s effectiveness, relevance, and general use to better help the small business community understand and manage their cybersecurity risk.

NIST welcomes feedback and input on any aspect of NIST IR 7621 and additionally proposes a list of non-exhaustive questions and topics for consideration:

  • How have you used or referenced NIST IR 7621?
  • What specific topics in NIST IR 7621 are most useful to you?
  • What challenges have you faced in applying the guidance in NIST IR 7621?
  • Is the document’s current level of specificity appropriate, too detailed, or too general? If the level of specificity is not appropriate, how can it be improved?
  • How can NIST improve the alignment between NIST IR 7621 and other frameworks and publications?
  • What new cybersecurity capabilities, challenges, or topics should be addressed?
  • What topics or sections currently in the document are out of scope, no longer relevant, or better addressed elsewhere?
  • Are there other substantive suggestions that would improve the document?
  • Are there additional appendices in NIST IR 7621, or resources outside NIST IR 7621, that would add value to the document?

The comment period closes 12 p.m. ET on May 16, 2024. Please submit comments to with "Comments on NIST IR 7621” in the subject field. Please use this comment template to submit your comments.

Control Families

None selected


See IR 7621r1

Supplemental Material:
Comment template (xlsx)

Document History:
03/18/24: IR 7621 Rev. 2 (Draft)