Policy Impact Analysis - 117/S/2483

Bill Overview

Title: Improving Cybersecurity of Small Businesses, Nonprofits, and Local Governments Act of 2021

Description: This bill requires reporting and other efforts to improve the cybersecurity of small entities. These include small businesses, governments (or certain governmental bodies) that represent populations of less than 50,000, and small nonprofits. Specifically, the Cybersecurity and Infrastructure Security Agency (CISA) must periodically report on and make recommendations about cybersecurity policies and controls for small entities. CISA, the Small Business Administration (SBA), and the Minority Business Development Agency must (1) promote the report, including by making it available through their respective websites; and (2) make voluntary training and technical assistance available to employees of small entities concerning cybersecurity recommendations identified in the report. In addition, the Department of Commerce must report to Congress about improving the cybersecurity of small entities. Further, the SBA must collect information from small businesses concerning cybersecurity matters and report to Congress about the cybersecurity of small businesses.

Sponsors: Sen. Rosen, Jacky [D-NV]

Target Audience

Population: Individuals and employees associated with small businesses, nonprofits, and local government bodies

Estimated Size: 150,000,000

Reasoning

Simulated Interviews

Small Business Owner (Tulsa, OK)

Age: 53 | Gender: female

Wellbeing Before Policy: 6

Duration of Impact: 10.0 years

Commonness: 5/20

Statement of Opinion:

  • I'm hopeful this policy will make my business safer.
  • It would be great to know what kind of cybersecurity measures are best for us.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 7 | 6
Year 2 | 7 | 6
Year 3 | 7 | 6
Year 5 | 8 | 5
Year 10 | 9 | 5
Year 20 | 8 | 4

IT Specialist for Local Government (Portland, ME)

Age: 28 | Gender: male

Wellbeing Before Policy: 7

Duration of Impact: 5.0 years

Commonness: 7/20

Statement of Opinion:

  • This policy is crucial for preventing data breaches.
  • I appreciate the additional resources available for training.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 8 | 7
Year 2 | 8 | 7
Year 3 | 8 | 7
Year 5 | 8 | 6
Year 10 | 7 | 6
Year 20 | 7 | 5

Manager at a Nonprofit (Austin, TX)

Age: 35 | Gender: other

Wellbeing Before Policy: 5

Duration of Impact: 10.0 years

Commonness: 4/20

Statement of Opinion:

  • Improved cybersecurity is desperately needed in nonprofits.
  • I'm glad training is part of the package; it should help us a lot.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 6 | 5
Year 2 | 7 | 5
Year 3 | 7 | 5
Year 5 | 8 | 4
Year 10 | 9 | 4
Year 20 | 9 | 4

Tech Consultant (Rural Kansas)

Age: 40 | Gender: male

Wellbeing Before Policy: 6

Duration of Impact: 5.0 years

Commonness: 6/20

Statement of Opinion:

  • These resources can prevent tech issues I see regularly.
  • Glad to see cybersecurity awareness increasing in small towns.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 7 | 6
Year 2 | 7 | 6
Year 3 | 8 | 6
Year 5 | 8 | 6
Year 10 | 7 | 5
Year 20 | 7 | 5

Small Business Employee (Charlotte, NC)

Age: 45 | Gender: female

Wellbeing Before Policy: 5

Duration of Impact: 2.0 years

Commonness: 8/20

Statement of Opinion:

  • I don't think this impacts me directly, but our business could use better cybersecurity.
  • I'm not very tech-savvy, so training would be beneficial.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 5 | 5
Year 2 | 6 | 5
Year 3 | 6 | 5
Year 5 | 5 | 4
Year 10 | 4 | 4
Year 20 | 4 | 4

Freelancer (Miami, FL)

Age: 31 | Gender: male

Wellbeing Before Policy: 7

Duration of Impact: 7.0 years

Commonness: 9/20

Statement of Opinion:

  • Many of my clients could use this policy's training resources.
  • This could lead to more stable client work for me.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 8 | 7
Year 2 | 8 | 7
Year 3 | 8 | 6
Year 5 | 9 | 6
Year 10 | 8 | 5
Year 20 | 7 | 5

Retired (Denver, CO)

Age: 62 | Gender: female

Wellbeing Before Policy: 4

Duration of Impact: 0.0 years

Commonness: 11/20

Statement of Opinion:

  • I like the idea but don't see it affecting me directly.
  • Our nonprofit could benefit, but my personal involvement is limited.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 4 | 4
Year 2 | 4 | 4
Year 3 | 4 | 4
Year 5 | 4 | 4
Year 10 | 4 | 4
Year 20 | 3 | 3

CEO of a Tech Startup (Phoenix, AZ)

Age: 49 | Gender: male

Wellbeing Before Policy: 8

Duration of Impact: 3.0 years

Commonness: 9/20

Statement of Opinion:

  • Cybersecurity is critical and anything that advances it helps.
  • While useful, large organizations have more direct influence platforms.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 8 | 8
Year 2 | 8 | 8
Year 3 | 8 | 7
Year 5 | 7 | 7
Year 10 | 6 | 6
Year 20 | 6 | 5

Startup Employee (San Francisco, CA)

Age: 27 | Gender: female

Wellbeing Before Policy: 7

Duration of Impact: 5.0 years

Commonness: 6/20

Statement of Opinion:

  • I look forward to the free training opportunities this policy offers.
  • Major hacking incidents have been a concern among our team.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 7 | 7
Year 2 | 7 | 7
Year 3 | 8 | 7
Year 5 | 8 | 6
Year 10 | 7 | 5
Year 20 | 6 | 5

Local Government Clerk (Small Town, NH)

Age: 38 | Gender: other

Wellbeing Before Policy: 5

Duration of Impact: 5.0 years

Commonness: 7/20

Statement of Opinion:

  • The additional cybersecurity support is much needed in smaller towns.
  • I expect this policy could reduce my workload if successfully implemented.

Wellbeing Over Time (With vs Without Policy)

Year | With Policy | Without Policy
Year 1 | 6 | 5
Year 2 | 7 | 5
Year 3 | 7 | 5
Year 5 | 8 | 5
Year 10 | 7 | 5
Year 20 | 6 | 4

Cost Estimates

Year 1: $30,000,000 (Low: $25,000,000, High: $35,000,000)

Year 2: $31,000,000 (Low: $26,000,000, High: $36,000,000)

Year 3: $32,000,000 (Low: $27,000,000, High: $37,000,000)

Year 5: $34,000,000 (Low: $29,000,000, High: $39,000,000)

Year 10: $38,000,000 (Low: $32,000,000, High: $45,000,000)

Year 100: $60,000,000 (Low: $50,000,000, High: $70,000,000)

Key Considerations