
119-HR-8880 Investigative Journalist Impact Analysis

119 · HR 8880 Small Business Cybersecurity Assistance Evaluation Act of 2026

Bottom-line assessment
Overall stance: neutral. The bill’s direct effects are limited to an independent evaluation. If GAO’s findings are acted upon, the most likely impacts are improved coordination and higher uptake of existing, no‑cost resources (CISA/NIST/FTC), which could modestly reduce incident losses borne by small firms. Evidence of large environmental or fiscal impacts is unlikely absent subsequent legislation or agency policy changes. [1]
U.S. small businesses (2025): 36.186M
IC3 reported losses (2025): 20.877B USD
BEC losses (2025): 3.047B USD
Data‑centre share of global electricity (2024): 1.5%
Published: 23 May 2026
Updated: 23 May 2026
Tags: impact-analysis · cybersecurity · small-business
Unvetted
01 · Section

Summary

What the bill does: mandates an independent GAO evaluation of federal cybersecurity initiatives aimed at small business owners, including awareness and use, coordination across programs, effectiveness, gaps in core concepts, and ways owners can secure capital to mitigate risks. The text authorizes no new spending (CUTGO), so near‑term fiscal effects are limited to GAO’s work within existing funds.

  • Why it matters: multiple federal offerings exist today (e.g., CISA’s no‑cost services and guides; NIST’s Small Business Cybersecurity Corner and CSF 2.0 quick start; FTC’s practical playbooks). A systematic GAO study can show which ones small firms actually use and what measurably lowers risk. [1]
  • Risk baseline: the FBI’s Internet Crime Complaint Center logged about 1.01 million complaints and $20.877 billion in reported losses in 2025; business email compromise alone accounted for roughly $3.05 billion — costs that frequently hit smaller firms with limited resilience. [2]
02 · Section

Economic Effects

Direct budget impact is minimal; potential economic effects flow from changes in how existing programs are coordinated, measured, and used by small firms.

  • Reduced loss exposure if effective aids scale: Federal data show a large, rising cyber loss base ($20.877B in 2025 across complaints), with BEC at ~$3.05B. GAO‑driven clarity on what works could steer owners toward high‑yield controls and incident‑response basics that federal resources already provide at low/no cost. [2]
  • Better program efficiency: GAO has previously flagged that agencies have not fully assessed whether federal support actually mitigates risks (e.g., ransomware support), indicating room to improve performance measurement and coordination — the core aim of this bill. [3]
  • Awareness and uptake: Today’s offerings include CISA’s small‑business guides and no‑cost services, NIST’s CSF 2.0 quick‑start for SMBs, and FTC training materials. Mapping who uses what — and why not — can target outreach, especially for micro‑firms without in‑house IT. [1]
  • Financing pathways: The study’s capital‑access lens could clarify when existing tools (e.g., SBA programming and trainings) support cybersecurity investments or where gaps persist — useful for owners facing upfront costs for MFA, backups, logging, and training. [4]
  • Market spillovers: Verizon’s DBIR highlights threat patterns (e.g., third‑party and ransomware) that often burden SMBs; aligning federal help with those patterns could reduce supplier and customer knock‑on losses. [5]
03 · Section

Social Effects

Cyber incidents at small firms cascade to workers, local customers, and supply chains.

  • Employment exposure: Small businesses employ ~62.3 million people (about 45.9% of the private workforce). Even modest reductions in breach frequency and downtime can stabilize payrolls and local services. [6]
  • Equity and reach: GAO has noted outreach challenges in SBA programs (e.g., rural communities) — a reminder that any cybersecurity assistance must be discoverable and tailored for varied capabilities, languages, and budgets. [7]
  • Consumer confidence: FTC’s small‑business materials emphasize safeguard basics (passwords, updates, response planning). Wider use could reduce data‑exposure incidents that erode trust in neighborhood firms. [8]
04 · Section

Environmental Effects

The bill commissions a study; it does not mandate infrastructure changes. Direct environmental effects are negligible.

  • Indirect effects are plausible only if subsequent agency actions drive materially higher use of cloud security, logging, or managed services. At system scale, data‑centre electricity demand is growing (U.S. DOE cites 176 TWh in 2023 with potential 2028 growth to 325–580 TWh; IEA estimates data centres at ~1.5% of global electricity in 2024). Any added demand from small‑business cybersecurity uptake would be marginal relative to these totals. [9]
05 · Section

Temporal Analysis

  1. 0–6 months post‑enactment: GAO scoping, data calls to agencies, and instrument design (surveys/interviews). Limited external effects beyond agency and GAO workload.
  2. 6–18 months: Evidence gathering and interim insights could prompt quick wins (e.g., consolidating duplicative web portals; targeted comms during National Small Business Week using CISA/NIST/FTC materials). [1]
  3. 18–36 months: Final report to Congress; if agencies implement recommendations, expect changes in program governance (clear owners, metrics), refined outreach to under‑served owner segments, and stronger alignment to prevalent threats (e.g., BEC, third‑party risks). [2]
06 · Section

Unintended Consequences

Risks are modest for a study‑only bill but worth managing.

  • Survey burden/fatigue for small firms and resource partners if data collection isn’t streamlined; mitigations include sampling, reuse of administrative data, and publishing respondent‑burden estimates.
  • Metric myopia: programs may optimize to what’s measured (e.g., page views, webinar counts) rather than outcomes (reduced incident rates or loss severity). GAO’s prior critiques on assessing effectiveness underscore the need for outcome metrics. [3]
  • Coordination friction: Prior GAO work shows the federal cybersecurity support landscape can be complex (e.g., dozens of SLTT‑related grant levers) — mapping may reveal overlaps that entail transition costs to rationalize. [11]
  • Expectation vs. funding: The report may surface capital needs for owners, but absent new appropriations, agencies may need to repurpose existing tools (loans, counseling, technical assistance) to fill gaps. [4]
07 · Section

Assessment

Overall stance: neutral. The bill’s direct effects are limited to an independent evaluation. If GAO’s findings are acted upon, the most likely impacts are improved coordination and higher uptake of existing, no‑cost resources (CISA/NIST/FTC), which could modestly reduce incident losses borne by small firms. Evidence of large environmental or fiscal impacts is unlikely absent subsequent legislation or agency policy changes. [1]

08 · Section

Sourcing (selected)

Key references underpinning this analysis come from U.S. government and primary technical sources.

  • Federal program baselines and aids for small firms: CISA, NIST CSF 2.0 Small Business materials, and FTC small‑business cybersecurity resources. [1]
  • Threat and loss data: FBI IC3 2025 Annual Report. [2]
  • Program effectiveness and coordination gaps: GAO reports on ransomware support assessment and on the complexity of federal cyber‑related grants. [3]
  • Scale context for small businesses: SBA Office of Advocacy profiles and FAQs. [12]
  • Environmental context: DOE/LBNL data‑centre energy analysis and IEA estimates. [9]
  • Private‑sector threat pattern synthesis: Verizon’s 2025 Data Breach Investigations Report. [5]
Sources cited
  [1] CISA. Small and Medium-Sized Business Resources | CISA.
  [2] FBI. FBI Internet Crime Complaint Center (IC3) — 2025 Annual Report (PDF).
  [3] U.S. Government Accountability Office (GAO). Critical Infrastructure Protection: Agencies Need to Enhance Oversight of Ransomware Practices and Assess Federal Support.
  [4] U.S. Small Business Administration (SBA). Protect Your Small Business from Cybersecurity Attacks | SBA Blog.
  [5] verizon.com
  [6] SBA Office of Advocacy. Frequently Asked Questions About Small Business 2026 — SBA Office of Advocacy.
  [7] gao.gov
  [8] FTC. Cybersecurity for Small Business | Federal Trade Commission.
  [9] U.S. Department of Energy. DOE: Report on Rising Electricity Demand from Data Centers (LBNL analysis).
  [10] iea.org
  [11] U.S. Government Accountability Office (GAO). Federal Grants: Numerous Programs Provide Cybersecurity Support to SLTT Governments.
  [12] SBA Office of Advocacy. Office of Advocacy (SBA): 2025 Small Business Profiles — U.S. exceeds 36 million small businesses.
