H.R. 2105 would direct the National Institute of Standards and Technology (NIST) to provide resources to small businesses to help them reduce their cybersecurity risks. Under the bill, NIST would be required to provide and update tools, methodologies, guidelines, and other resources to small business to use on a voluntary basis. Based on an analysis of information from NIST, CBO estimates that implementing H.R. 2105 would cost $6 million over the 2018-2022 period, including $2 million in 2018 for NIST to consult with several federal agencies and develop such resources and an additional $4 million over the 2019-2022 period to update those resources; such spending would be subject to the availability of appropriated funds.
Enacting H.R. 2105 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. CBO estimates that enacting H.R. 2105 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2028.
H.R. 2105 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act and would not affect the budgets of state, local, or tribal governments.
On May 5, 2017, CBO transmitted a cost estimate for S. 770, the MAIN STREET Cybersecurity Act of 2017, as ordered reported by the Senate Committee on Commerce, Science, and Transportation on April 5, 2017. The two bills are similar and CBO’s estimate of their budgetary effects is the same.