Bill Overview
Title: Improving Cybersecurity of Small Businesses, Nonprofits, and Local Governments Act
Description: This bill requires reporting and other efforts to improve the cybersecurity of small entities. These include small businesses, governments (or certain governmental bodies) that represent populations of less than 50,000, and small nonprofits. Specifically, the Cybersecurity and Infrastructure Security Agency (CISA) must periodically report on and make recommendations about cybersecurity policies and controls for small entities. CISA, the Small Business Administration (SBA), and the Minority Business Development Agency must (1) promote the report, including by making it available through their respective websites; and (2) make voluntary training and technical assistance available to employees of small entities concerning cybersecurity recommendations identified in the report. In addition, the Department of Commerce must report to Congress about improving the cybersecurity of small entities. Further, the SBA must collect information from small businesses concerning cybersecurity matters and report to Congress about the cybersecurity of small businesses.
Sponsors: Rep. Eshoo, Anna G. [D-CA-18]
Target Audience
Population: Individuals involved with small businesses, nonprofits, and local governments worldwide
Estimated Size: 60,000,000
- The bill targets small businesses, small nonprofits, and local governments with populations under 50,000.
- These entities have historically faced challenges in implementing advanced cybersecurity measures due to limited resources and expertise.
- The minority of businesses and nonprofit organizations often lack access to the cybersecurity budgets and technical expertise that larger organizations have.
Reasoning
- The policy is likely to primarily affect individuals directly working in or with small entities, such as IT managers, small business owners, and employees responsible for IT security in small local governments and nonprofits.
- The majority of small businesses and nonprofits have limited resources dedicated to implementing robust cybersecurity measures, so any financial or technical assistance could significantly boost their wellbeing by reducing stress and potential losses.
- It is important to include perspectives from those who will not see any changes due to the policy, such as employees in larger organizations with existing cybersecurity measures.
- Budget constraints and realistic implementation timelines should ensure that the policy is scaled appropriately, targeting the most vulnerable within the small entities sector.
- Not all individuals will feel the impact directly: for those working in non-IT roles, the policy might not address their immediate concerns, though overall organizational assurance could incrementally improve their wellbeing.
Simulated Interviews
IT Manager (Boulder, CO)
Age: 42 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 10/20
Statement of Opinion:
- The policy seems like a much-needed boost for cybersecurity awareness in small organizations like ours.
- Formal training and technical assistance would help us manage our cybersecurity risks better within our limited budget.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 5 |
| Year 5 | 9 | 5 |
| Year 10 | 9 | 4 |
| Year 20 | 8 | 3 |
Small Business Owner (Portland, ME)
Age: 29 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 5.0 years
Commonness: 15/20
Statement of Opinion:
- With this policy, we might finally get the cybersecurity support we desperately need.
- Hopefully, the policy will prevent future threats and help us keep our focus on the business aspects.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 4 |
| Year 5 | 7 | 3 |
| Year 10 | 6 | 2 |
| Year 20 | 6 | 2 |
City IT Director (Montgomery, AL)
Age: 55 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 20.0 years
Commonness: 8/20
Statement of Opinion:
- This policy could be a game-changer for towns like ours where resources are tight.
- I hope this leads to more effective and enduring cybersecurity practices.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 4 |
| Year 3 | 8 | 4 |
| Year 5 | 9 | 3 |
| Year 10 | 9 | 3 |
| Year 20 | 8 | 3 |
Public Library Director (Topeka, KS)
Age: 37 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 12/20
Statement of Opinion:
- While we might not be the first target for threats, any policy improving cybersecurity is beneficial.
- Training and resources could be useful for prevention in the long term.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 5 |
Freelance Cybersecurity Consultant (Santa Cruz, CA)
Age: 50 | Gender: other
Wellbeing Before Policy: 8
Duration of Impact: 20.0 years
Commonness: 5/20
Statement of Opinion:
- More cybersecurity competence in small entities will reduce the volume of crises I handle daily.
- It should reduce stress for all involved and align with best practices.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 9 | 7 |
| Year 3 | 9 | 6 |
| Year 5 | 9 | 5 |
| Year 10 | 9 | 5 |
| Year 20 | 8 | 5 |
Restaurant Manager (Tulsa, OK)
Age: 32 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 14/20
Statement of Opinion:
- While cybersecurity isn't my main concern, any additional support for small businesses is welcomed.
- I hope this policy doesn't mean more administrative work for us.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 7 | 4 |
| Year 10 | 6 | 4 |
| Year 20 | 6 | 4 |
Retired IT Executive (Madison, WI)
Age: 60 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 20.0 years
Commonness: 6/20
Statement of Opinion:
- It's promising to see initiatives aimed at closing the cybersecurity gaps in small nonprofits.
- Voluntary training is a superb idea since many nonprofits operate on volunteer power.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 9 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 4 |
Chief Financial Officer (Roswell, NM)
Age: 45 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 10.0 years
Commonness: 7/20
Statement of Opinion:
- We face threats daily, and more resources would help alleviate constant pressures.
- The policy could integrate well with our expansion plans, preparing us for future growth.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 4 |
| Year 5 | 8 | 4 |
| Year 10 | 7 | 3 |
| Year 20 | 7 | 2 |
Small Business Consultant (Athens, GA)
Age: 39 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 9/20
Statement of Opinion:
- This policy could position cybersecurity higher on the priority list during client consultations.
- Continued focus on education and awareness will be key to success.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 4 |
| Year 20 | 6 | 3 |
Graduate Student (Salt Lake City, UT)
Age: 28 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 1.0 years
Commonness: 10/20
Statement of Opinion:
- An opportunity to connect theoretical knowledge with practical applications through this policy is great.
- The training provided could enhance my learning and career prospects.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 6 | 5 |
| Year 20 | 6 | 5 |
Cost Estimates
Year 1: $100,000,000 (Low: $90,000,000, High: $120,000,000)
Year 2: $95,000,000 (Low: $85,000,000, High: $115,000,000)
Year 3: $90,000,000 (Low: $80,000,000, High: $110,000,000)
Year 5: $85,000,000 (Low: $75,000,000, High: $105,000,000)
Year 10: $80,000,000 (Low: $70,000,000, High: $100,000,000)
Year 100: $60,000,000 (Low: $50,000,000, High: $90,000,000)
Key Considerations
- Funding allocation to ensure all involved agencies can meet their new obligations without detriment to existing operations.
- Engagement strategies to ensure that small entities actually utilize the voluntary training and technical assistance offered.
- Measurement of the program's efficacy through metrics on cybersecurity incidents before and after implementation.