Phone 202 839-5563 


Cyber liability and Data Breach Consulting

Everyone says smalls businesses are important. There are over 28,000,000 of them in the US. We need to start paying attention to them. 

Protecting Small Businesses from Cyber Threats while Strengthening Business Value

Cyber security and data protection are now national security issues impacting all U.S. businesses, no matter the size.  China and other nation states, as well as organized and disorganized criminals are stealing from all of us. They are disrupting the American way of life. It is time to take this seriously and protect everything valuable to us and our nation.

ASBDC Cybersecurity First Steps

Cybersecurity First Steps Purpose

  • Provide a free secure, standards-based tool to help small businesses understand the real threats against them.
  • Identify and Protect what information and data is important to keep secure.
  • Detect, Respond, and Recover from cyber and data breach events.

Americas Small Business Development Centers (ASBDC) Role:

We have over 4,500 business advisors at over 1,000 locations to support small businesses in the US and our territories. The traditional role of our advisors is to assist small businesses with business and marketing plans, set up bookkeeping, and help them gain access to capital.

Cybersecurity First Steps and advisors play an important role in making sure you consider the value and necessity of incorporating cyber and data protection into your business plans, policies, and normal activity.

amereicas small business development centers

Think of this  like generally accepted accounting principles, but for cybersecurity and data protection instead. The First Steps program will he provide a working document for you to share with others who may be able to assist you improve your company’s cyber security position.

First Steps is located on a FedRAMP  cloud platform.

All artifacts are stored on the secure cloud with appropriate control to access.

Cybersecurity First Steps Purpose is General in Nature

Even though First Steps provides good practices for all businesses, many businesses have additional specific requirements to fulfill if they retain certain types of information, such as Payment Card Information and/or Personal Health Information. Some businesses may need to comply with more extensive federal, state or industry specific regulatory requirements relating to data security and breach prevention.

Many funding sources and larger businesses are now requiring smaller businesses to show documentation that the smaller business is addressing cyber and data security within their business, as a requirement to securing funding or obtaining a contract to provide products or services. We are here to help you and your business.

Cybersecurity First Steps Has Two Components, a Questionnaire and a Living Report

The Questionnaire:

The questionnaire is completed securely online in approximately 30 minutes, to make you aware of areas you need to focus on to protect against cyber and data breach threats.

Advice within the questionnaire helps you understand how to address these threats. Many questions will be revisited as your organization updates your cyber posture.

Get started at:

cybersecurity first steps report

The Report:

Responses from the questionnaire are organized into an easily readable and digestible report. You may share this report with your SBDC advisor to help find  other resources. This will strengthen your organization’s cyber and data security.

Communications with supporting product and service providers are made easier. Good practices are easier for you  to share with this consistent standards-based approach.

Basic awareness videos and pdfs are provided in cooperation with the SBA, FTC, DHS, and NIST to share with your employees.

The report is updated every time changes are made to answers in the questionnaire. This  report grows in information as the organization grows, thus making it a living report.

ASBDC ADVISORS SHOULD NOT BE CONSIDERED CYBERSECURITY EXPERTS: One of our most important roles is to help you find qualified software, product, and service companies to help your business grow. Advisors are careful ) stay in a business advisement role and help you find “experts” that can assist you with the technical nature of cyber and data protection. We are happy to guide you if you need help walking though the questionnaire and reviewing the report.

SECURE PLATFORM: Cybersecurity First Steps is hosted on a FedRAMP secure cloud. You will see mention of FedRAMP in upcoming messaging associated with the Cybersecurity Maturity Model Certification (CMMC) by the Department of Defense (DoD).  This is a necessary approach for you to securely handle the confidential data of clients who complete the First Steps program.  Clients have total control and ownership of their data in this environment.

Cybersecurity Next Steps CMMC: The ASBDC is monitoring the development of the CMMC as it is being developed, to ensure that we will be able help small businesses who work with the DoD be compliant. The CMMC is also being discussed as the model that will apply to all US businesses that work with the federal government and may become a national standard that many U.S. businesses will need to comply with.

America’s Small Business Development Center’sCybersecurity First Steps” is made available through a grant from

Continuum GRC Inc, in partnership with the Delaware’s SBDC and the University of Delaware’s Office of Economic Innovation Partnerships.

Learn More about this effort.  Contact us : 

To Complete Cybersecurity First Steps Visit:

“America’s small businesses benefit from utilizing consistent standard based approaches to enhance their cyber security knowledge. This cannot be overstated. Businesses are safer, our nation more secure, and our economy stronger when efforts are coordinated to inform and train them.”

Charles “Tee” Rowe – President/CEO of America's Small Business Development Centers

"We will declare the first round of victory when small businesses are compelled into informed business decisions made obvious through use of the NIST Cybersecurity Framework."

Charlie Tupitza, President of RightExposure

"Small businesses are under persistent attack by both nation state and criminal threat actors. National security and the competitive advantage of the United States is being threatened. Supporting the mission of the ASBDC is our core focus."

Michael Peters, CEO, Continuum GRC

Large Organizations are Small Organizations Too

Large public and private organizations are comprised of big, medium and small organizational components. Sharing a common understanding and unified messaging is critical to delivering business/mission value and security. 

Small and mid-size businesses are the largest group of employers. Thinking of large organizations separately from this group ignores very important opportunities to increase business value and security because they are all connected and interdependent.

RightExposure helps small businesses and large businesses

FTC Guidance for Cyber

The Federal Trade Commission easy to follow guidance for small businesses. 
 The FTC is going to update and release new guidance Oct 18th.

Is Your Business Prepared for an Emergency?
Is Your Data?

When an emergency strikes, your business’s most vulnerable asset may not be in the stockroom or warehouse. It could be the data that has been central to your success.  The FTC has six steps you can take to help protect your company’s information from the unpredictable.  

Secure Paper, Physical Media, and Devices

federal trade commission

High-profile hackers grab the headlines. But some data thieves prefer old school methods – rifling through file cabinets, pinching paperwork, and pilfering devices like smartphones and flash drives. As your business bolsters the security of your network, don’t let that take attention away from how you secure documents and devices.

FTC law enforcement actions, closed investigations, and experiences we’ve heard from businesses demonstrate the wisdom of adopting a 360° approach to protecting confidential data. As Start with Security suggests, securing paper, physical media, and devices is an important part of that strategy.

Federal Communications Commission on Reasonableness

By clarifying that our standard is one of “reasonableness” rather than strict liability, we address one of the major concerns that providers—including small providers and their associations—raise in this proceeding.

Mitre Releases Supply Chain Guidance for DoD

“Deliver Uncompromised”

NIST 800-171 Controlled Unclassified Information

The protection of Controlled Unclassified Information (CUI) resident in non-federal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.

NIST releases 1.1 Roadmap to the NIST Cybersecurity Framework

Product or service to help  Business Risk Management including Cybersecurity

 Insurance Data Security Law

National Association of Insurance CommissionersThe National Association of Insurance Commissioners have released the “Insurance Data Security Law” The intent of this Act is to establish standards for data security and standards for the investigation of and notification to the Commissioner of a Cybersecurity Event applicable to Licensees.  This Act may not be construed to created or imply a private cause of action for violation of its provisions nor may it be construed to curtail a private cause of action which would otherwise exist in the absence of this Act.  Click to read Insurance Data Security Law

Definitions:  “The critical starting point is to align to a common set of defined terminology. When companies are looking to implement compliance programs, starting with an understanding of the key terminology and definitions is a good place to start. For well-developed information security programs, starting over with defining terms may be wasteful…”

 South Carolina Insurance Data Security Law

The purpose and intent of this act is to establish standards for data security and standards for the investigation of and notification to the director of a cybersecurity event applicable to licensees. This act may not be construd to create or imply a private cause of action for a violation of its provisions nor may it be construed to curtail a private cause of action which would otherwise exist in the absence of this act.

Controlled Unclassified Information Security Requirements Workshop

On Thursday, October 18, 2018, the National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), is hosting an informational workshop providing an overview of Controlled Unclassified Information (CUI), the Defense Acquisition Regulations System (DFARS) Safeguarding Covered Defense Information and Cyber Incident Reporting Clause, and NIST Special Publications 800-171 and 800-171A. 

"If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds."

"It is super invigorating to work with team members who have a singular focus which is driving greater value through greater product and capability out to the business." para phrasing his the rest of his comments: 'no body wants to do cyber or tech for the sake of tech. They want to solve a problem, that is real invigorating."

David Shive, CIO General Services Administration Tweet

“If you’re asking me if I think we’re at war, I think I’d say yes”…We’re at war right now in cyberspace. We’ve been at war for maybe a decade. They’re pouring oil over the castle walls every day.”

Gen Robert Neller, Commandant, USMC Tweet

Contact Us

Phone 202 839-5563 – – email

About us

Phasellus sodal dictum dolor quis fringilla. Nunc accumsan velit sit amet enim maximus solsodales.

Our mission

Help small businesses understand t

Our offer

  • sed accumsan enim rutrum
  • Etiam fringilla lobortis
  • Aenean iaculis magna