Rosen, Cornyn, Eshoo Re-Introduce Bipartisan, Bicameral Bill to Improve Cybersecurity of Small Organizations

WASHINGTON, D.C. – Today, U.S. Senators Jacky Rosen (D-NV) and John Cornyn (R-TX) announced the re-introduction of their Improving Cybersecurity of Small Organizations Act. This bipartisan, bicameral legislation would require the Cybersecurity and Infrastructure Security Agency (CISA) to establish cybersecurity guidance to help small businesses, nonprofits, and local governments implement protections against cybersecurity threats and risks. Identical legislation will be introduced in the U.S. House of Representatives by Congresswoman Anna Eshoo (D-CA).

“Small organizations are increasingly vulnerable to cyberattacks, and many of them lack the resources to manage complex cyber risks,” said Senator Rosen. “I’m proud to introduce the Improving Cybersecurity of Small Organizations Act of 2021. This bipartisan and bicameral legislation will help protect our nation’s small businesses, nonprofits, and local governments from the growing threat of cyberattacks.”

“Nonprofits and small businesses are not immune to cybersecurity breaches, and their owners and leadership are often not aware of the cost-effective resources available for them to protect their customers and supporters,” said Senator Cornyn. “This legislation would provide smaller agencies and business owners with recommendations on how to keep their information secure and help Congress understand how we can best support them moving forward.”

“Small businesses, small nonprofits, and small local governments can’t afford to hire cybersecurity professionals, but they are still vulnerable to debilitating cyberattacks,” said Representative Eshoo. “I’m proud to introduce the bipartisan, bicameral Improving Cybersecurity of Small Organizations Act to require federal agencies to recommend easy-to-understand and evidence-based guidance that small organizations can adopt to improve their cybersecurity and protect everyone they serve.”

BACKGROUND: The Improving Cybersecurity of Small Organizations Act would:

  • Direct CISA to issue guidance that documents and promotes evidence-based cybersecurity policies and controls for small organizations (i.e., small businesses, nonprofits, and local governments);
  • Require CISA, the Small Business Administration (SBA), and the Minority Business Development Agency to promote the cybersecurity guidance;
  • Require the Secretary of Commerce to submit to Congress a report describing methods to incentivize small organizations to improve their cybersecurity; and
  • Require the SBA to report on the state of small business cybersecurity every two years.