One Week Left to Comment—Small Business Cybersecurity: Non-Employer Firms
There is one week left to comment on the Initial Public Draft (IPD) of NIST Internal Report (NIST IR) 7621 Revision 2, Small Business Cybersecurity: Non-Employer Firms. The comment period closes at 11:59 p.m. EDT on June 30, 2025.

Brief Document Timeline
- October 2009 – NIST IR 7621, Small Business Information Security: The Fundamentals is first published.
- November 2016 – NIST IR 7621 Revision 1 is published.
- March 2024 – NIST issues a pre-draft call for comments for NIST IR 7621, Revision 2.
- May 2025 – Draft NIST IR 7621 Revision 2 Initial Public Draft, Small Business Cybersecurity: Non-Employer Firms, is published for public comment.
Key Updates within Revision 2
- This revision has a narrowed scope. Previous versions of this publication discussed the broader topic of information security; this revised publication is now focused specifically on cybersecurity, which is a subset of information security.
- The audience has also been narrowed. Prior versions were focused generally on “small business,” which is a very broad and diverse population. This revision is tailored to a more specific population—non-employer firms.
- Revision 2 reflects changes in technology and recent updates to NIST publications, including the Cybersecurity Framework (CSF) 2.0 and the NIST IR 8286 series.
- The layout has also been updated to present the information in a tabular format to enhance readability.
Submitting Comments
We value and welcome your input and look forward to your comments. The comment period closes at 11:59 p.m. EDT on June 30, 2025. Please enter comments into this comment template (xlsx) and email the template to ir7621-comments@nist.gov with “Comments on NIST IR 7621 R2” in the subject field.