The Cybersecurity for Small Business Pilot Program

https://crsreports.congress.gov

August 7, 2024

Although cybercrimes against large companies often attract attention, criminals also frequently attack small businesses online. One 2022 report found that an average employee at a small business will be the target of 350% more “social engineering” cyberattacks (where individuals are manipulated into sharing information) than an employee at a larger company. Another survey that same year noted that over 30% of small and mid-size businesses in the United States lack written plans to respond to cyberattacks. At the same time, some experts suggest that small businesses may have less understanding of and resources for cybersecurity than larger firms.

Since 2022, the U.S. Small Business Administration (SBA) has operated the Cybersecurity for Small Business Pilot Program (CSBPP) to help small businesses enhance their cybersecurity. CSBPP provides grants to states, state agencies, and entities designated to conduct a state’s cybersecurity education to fund projects intended to help small businesses fend off online threats. To date, SBA has made nine awards worth a total of $9 million through CSBPP. SBA opened a new round of applications in July 2024 for CSBPP awards for FY2024.

This In Focus discusses the legislative and funding histories of CSBPP, program eligibility and award information, and selected issues for Congress.

Legislative History

Congress has taken interest in small business cybersecurity several times in recent years. In the 114th Congress, the National Defense Authorization Act for Fiscal Year 2017 (FY2017 NDAA; P.L. 114-328) required the SBA Administrator and the Secretary of Homeland Security to work together to develop a “Small Business Development Center Cyber Strategy” (Strategy). Among other things, the Strategy was to include:

• plans for allowing SBA’s Small Business Development Centers (SBDCs; these provide technical assistance to small businesses) to access existing programs of the Department of Homeland Security (DHS) and other federal agencies to provide cybersecurity to small businesses;

• analyses of how SBDCs can use federal programs, projects, and activities to improve access to cybersecurity for small businesses; and

• information on how SBDCs can partner with state and local governments and private entities to improve the quality of cybersecurity services to small businesses.

The Strategy was completed in March 2019. Its recommendations included:

• centralizing cybersecurity information and resources on SBA’s website for easy access by SBDCs and small businesses;

• compiling a digital directory of small business cybersecurity resources;

• providing access to cybersecurity training resources; and

• expanding SBDC counselor expertise on cybersecurity.

In addition, the FY2017 NDAA amended Section 21 of the Small Business Act (P.L. 83-163, as amended; Section 21 authorizes the SBDC program and is in the U.S. Code at 15 U.S.C. §648) to require SBDCs to provide assistance to small businesses in accordance with the Strategy. The FY2017 NDAA also amended Section 21 to require SBDCs to provide small businesses with access to cybersecurity specialists at an SBDC.

In the 117th Congress, the Small Business Cyber Training Act of 2022 (P.L. 117-319) also amended Section 21 of the Small Business Act to require that SBA establish a cyber counseling certification program for employees of lead SBDCs. (SBDCs are comprised of lead SBDCs, which receive grants directly from SBA, and SBDC partner service centers, which are established by lead SBDCs.) P.L. 117-319 directed cyber-certified SBDC employees to provide cybersecurity planning assistance to small businesses. The law also required all lead SBDCs to have either five employees or 10% of the lead SBDC’s total employees obtain the certification. In August 2024, SBA opened the application for an organization to develop the cyber certification program for SBDCs.

Both P.L. 117-319 and the FY2017 NDAA amended 15 U.S.C. §648. CSBPP’s FY2024 notice of funding opportunity (NOFO) cited 15 U.S.C. §648 and P.L. 118-47 (which provided FY2024 appropriations for the program; discussed below) as authorities for the program.

While P.L. 117-319 and P.L. 114-328 provided general authority for SBA to provide cybersecurity assistance to small businesses, the 116th Congress directed SBA to stand up CSBPP through the Consolidated Appropriations Act, 2021 (P.L. 116-260). The law’s accompanying explanatory statement noted, “The agreement includes $3,000,000 for a Cybersecurity Assistance Pilot Program that will competitively award up to three grants to States to provide new small businesses with access to cybersecurity tools during their formative and most vulnerable years.”

Appropriations and Awards

Congress has provided funding for CSBPP in annual appropriations bills each year since FY2021. CSBPP received a $3 million appropriation each year in FY2021, FY2022, FY2023, and FY2024.

In FY2022, SBA made three CSBPP awards worth a total of nearly $3 million: the Forge Institute in Arkansas, Dakota State University in South Dakota, and the state of Maryland all received awards. In FY2023, SBA made six CSBPP awards worth a total of $6 million: Ohio State University, Old Dominion University in Virginia, University of Wyoming, and the states of Colorado, Hawaii, and Indiana all received awards. SBA anticipates making three awards in FY2024, each for between $1 million and $1.045 million.

Eligibility and Program Information

States, state agencies, and entities designated by a governor as the lead entity for conducting a state’s cybersecurity education are eligible to apply for CSBPP awards. All applications must include the written designation of a governor or the governor’s designee.

CSBPP is administered by SBA’s Office of Entrepreneurial Development. The FY2022 and FY2023 awards had a one-year performance period; the FY2024 awards have a two-year performance period.

CSBPP awards are to be used to develop and provide training, counseling, remediation, and other tailored cybersecurity services for small businesses. The program’s FY2024 NOFO stated that applicants are encouraged to work with SBA district offices, SBA resource partners (such as SBDCs and Women’s Business Centers), institutions of higher education, and private organizations such as chambers of commerce in developing cybersecurity services for small businesses.

Other Federal Resources

Although they are not grant programs, a number of other federal agencies offer resources to help small businesses with cybersecurity. These include:

• the Federal Communications Commission, which offers a planning guide for small business cybersecurity;

• the National Institute of Standards and Technology, which offers training guides on cybersecurity for small businesses;

• the Cybersecurity and Infrastructure Security Agency (a DHS component), which offers guidance on how small businesses can implement cybersecurity measures and other resources.

In addition to CSBPP, SBA administers the Regional Innovation Clusters (RIC) program. RICs serve as networking hubs to help high-growth small businesses connect with other small and large businesses, as well as with specialized suppliers, academic institutions, service providers, and economic organizations in a geographic area. SBA’s FY2025 budget request noted that the agency intends to expand the RIC program’s coverage of industries of national importance, including cybersecurity.

Considerations for Congress

To date, SBA has made nine CSBPP awards worth a total of approximately $9 million. (As mentioned, SBA anticipates making three additional awards worth a total of $3 million in FY2024.) Congress could consider whether to require an assessment of CSBPP’s effectiveness, and whether to increase appropriations to the program and direct SBA to increase the number of awards made. Conversely, Congress may determine that CSBPP’s level of appropriations and number of awards have been sufficient.

In the 117th Congress, report language for the House version of the Financial Services and General Government Appropriations Act, 2023 (H.R. 8254) stated, “The Committee encourages SBA to require cybersecurity technical assistance in its Federal contracting support programs, particularly for small businesses competing for contracts in sensitive or classified fields.” SBA does not yet appear to have implemented such requirements. Congress may consider whether it still wants SBA to include such requirements in its contracting preference programs, and whether to direct SBA to do so.

Congress could consider whether to authorize additional programs for small business cybersecurity or, as mentioned, expand CSBPP. Additionally, Congress could direct a federal agency to conduct additional research on cybersecurity measures for small businesses. This may include updating the 2019 Small Business Development Center Cyber Strategy, or determining whether recommendations from that study have yet to be implemented.

Adam G. Levin, Analyst in Economic Development Policy

IF12732

https://crsreports.congress.gov | IF12732 · VERSION 1 · NEW

Disclaimer

This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you wish to copy or otherwise use copyrighted material.