[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 772 Reported in Senate (RS)]
<DOC>
Calendar No. 52
116th CONGRESS
1st Session
S. 772
To require an annual report on the cybersecurity of the Small Business
Administration, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 13, 2019
Mr. Rubio (for himself, Mr. Cardin, Mr. Risch, and Mr. Hawley)
introduced the following bill; which was read twice and referred to the
Committee on Small Business and Entrepreneurship
April 1, 2019
Reported by Mr. Rubio, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To require an annual report on the cybersecurity of the Small Business
Administration, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``SBA Cyber Awareness
Act''.</DELETED>
<DELETED>SEC. 2. CYBERSECURITY AWARENESS REPORTING.</DELETED>
<DELETED> Section 10 of the Small Business Act (15 U.S.C. 639) is
amended by striking subsection (b) and inserting the
following:</DELETED>
<DELETED> ``(b) Cybersecurity Reports.--</DELETED>
<DELETED> ``(1) Definition.--In this subsection, the term
`appropriate congressional committees' means--</DELETED>
<DELETED> ``(A) the Committee on Small Business and
Entrepreneurship of the Senate; and</DELETED>
<DELETED> ``(B) the Committee on Small Business of
the House of Representatives.</DELETED>
<DELETED> ``(2) Annual report.--Not later than 180 days
after the date of enactment of the SBA Cyber Awareness Act, and
every year thereafter, the Administration shall submit a report
to the appropriate congressional committees that includes--
</DELETED>
<DELETED> ``(A) an assessment of the information
technology and cybersecurity of the
Administration;</DELETED>
<DELETED> ``(B) a strategy to increase the
cybersecurity of the Administration;</DELETED>
<DELETED> ``(C) a detailed account of any
information technology component or system of the
Administration that was manufactured by a company
located in the People's Republic of China;
and</DELETED>
<DELETED> ``(D) an account of any cyber threat,
breach, or cyber attack that occurred at the
Administration during the 2-year period preceding the
date on which the report is submitted, and any action
taken by the Administration to respond to or remediate
the cyber threat, breach, or cyber attack.</DELETED>
<DELETED> ``(3) Additional reports.--If the Administration
determines that there is a reasonable basis to conclude that a
cyber threat, breach, or cyber attack occurred at the
Administration, the Administration shall--</DELETED>
<DELETED> ``(A) not later than 7 days after the date
on which the Administration makes that determination,
notify the appropriate congressional committees of the
cyber threat, breach, or cyber attack; and</DELETED>
<DELETED> ``(B) not later than 30 days after the
date on which the Administration makes that
determination, submit to the appropriate congressional
committees a report that includes--</DELETED>
<DELETED> ``(i) a summary of information
about the cyber threat, breach, or cyber
attack, including how the cyber threat, breach,
or cyber attack occurred, based on information
available to the Administration as of the date
which the Administration submits the
report;</DELETED>
<DELETED> ``(ii) an estimate of the number
of individuals and small entities affected by
the cyber threat, breach, or cyber attack,
including an assessment of the risk of harm to
affected individuals and small entities based
on information available to the Administration
as of the date on which the Administration
submits the report; and</DELETED>
<DELETED> ``(iii) an estimate of when the
Administration will provide notice to affected
individuals and small entities.</DELETED>
<DELETED> ``(4) Rule of construction.--Nothing in this
subsection shall be construed to affect the reporting
requirements of the Administration under chapter 35 of title 44
United States Code, in particular the requirement to notify the
Federal information security incident center under section
3554(b)(7)(C)(ii) of such title, or any other provision of
law.''.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. CYBERSECURITY AWARENESS REPORTING.
Section 10 of the Small Business Act (15 U.S.C. 639) is amended by
inserting after subsection (a) the following:
``(b) Cybersecurity Reports.--
``(1) Definitions.--In this subsection--
``(A) the term `appropriate congressional
committees' means--
``(i) the Committee on Small Business and
Entrepreneurship of the Senate; and
``(ii) the Committee on Small Business of
the House of Representatives; and
``(B) the term `major incident' has the meaning
given the term in the Office of Management and Budget
Memorandum on Federal Information Security and Privacy
Management Requirements, dated October 16, 2017 (M-18-
02), or any successor memorandum.
``(2) Annual report.--Not later than 180 days after the
date of enactment of the SBA Cyber Awareness Act, and every
year thereafter, the Administration shall submit to the
appropriate congressional committees a report that includes--
``(A) an assessment of the information technology
and cybersecurity of the Administration;
``(B) a strategy to increase the cybersecurity of
the Administration;
``(C) a detailed account of any information
technology component or system of the Administration
that was manufactured by a company located in the
People's Republic of China; and
``(D) an account of any major incident that
occurred at the Administration during the 2-year period
preceding the date on which the report is submitted,
and any action taken by the Administration to respond
to or remediate the major incident.
``(3) Additional reports.--If the Administration determines
that there is a reasonable basis to conclude that a major
incident occurred at the Administration, the Administration
shall--
``(A) not later than 7 days after the date on which
the Administration makes that determination, notify the
appropriate congressional committees of the major
incident; and
``(B) not later than 30 days after the date on
which the Administration makes that determination,
submit to the appropriate congressional committees a
report that includes--
``(i) a summary of information about the
major incident, including how the major
incident occurred, based on information
available to the Administration as of the date
which the Administration submits the report;
``(ii) an estimate of the number of
individuals and small entities affected by the
major incident, including an assessment of the
risk of harm to affected individuals and small
entities based on information available to the
Administration as of the date on which the
Administration submits the report; and
``(iii) an estimate of when the
Administration will provide notice to affected
individuals and small entities.
``(4) Rule of construction.--Nothing in this subsection
shall be construed to affect the reporting requirements of the
Administration under chapter 35 of title 44 United States Code,
in particular the requirement to notify the Federal information
security incident center under section 3554(b)(7)(C)(ii) of
such title, or any other provision of law.''.
Calendar No. 52
116th CONGRESS
1st Session
S. 772
_______________________________________________________________________
A BILL
To require an annual report on the cybersecurity of the Small Business
Administration, and for other purposes.
_______________________________________________________________________
April 1, 2019
Reported with an amendment