Improving Cybersecurity of Small Businesses, Nonprofits, and Local Governments Act of 2021
This bill requires reporting and other efforts to improve the cybersecurity of small entities. These include small businesses, governments (or certain governmental bodies) that represent populations of less than 50,000, and small nonprofits.
Specifically, the Cybersecurity and Infrastructure Security Agency (CISA) must periodically report on and make recommendations about cybersecurity policies and controls for small entities. CISA, the Small Business Administration (SBA), and the Minority Business Development Agency must (1) promote the report, including by making it available through their respective websites; and (2) make voluntary training and technical assistance available to employees of small entities concerning cybersecurity recommendations identified in the report.
In addition, the Department of Commerce must report to Congress about improving the cybersecurity of small entities. Further, the SBA must collect information from small businesses concerning cybersecurity matters and report to Congress about the cybersecurity of small businesses.
Improving Cybersecurity of Small Organizations Act of 2021
This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to maintain and promote cybersecurity guidance for use by small organizations.
Specifically, the bill requires CISA to maintain cybersecurity guidance that documents and promotes evidence-based cybersecurity policies and controls for use by small organizations to improve their cybersecurity. This guidance must be publicly available at no cost, and CISA, the Small Business Administration (SBA), and the Department of Commerce must promote the guidance through relevant resources that are regularly used by small organizations.
Commerce must report on methods of incentivizing small organizations to improve their cybersecurity, including through the adoption of policies, controls, products, and services that have been demonstrated to reduce cybersecurity risk. Every two years, the SBA must submit and make publicly available specified data on the state of small businesses' cybersecurity.