[Pages H5807-H5809]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                        SBA CYBER AWARENESS ACT

  Mr. DELGADO. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 2331) to require an annual report on the cybersecurity of 
the Small Business Administration, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 2331

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``SBA Cyber Awareness Act''.

     SEC. 2. CYBERSECURITY AWARENESS REPORTING.

       Section 10 of the Small Business Act (15 U.S.C. 639) is 
     amended by inserting after subsection (a) the following:
       ``(b) Cybersecurity Reports.--
       ``(1) Annual report.--Not later than 180 days after the 
     date of enactment of this subsection, and every year 
     thereafter, the Administrator shall submit a report to the 
     appropriate congressional committees that includes--
       ``(A) an assessment of the information technology (as 
     defined in section 11101 of title 40, United States Code) and 
     cybersecurity infrastructure of the Administration;
       ``(B) a strategy to increase the cybersecurity 
     infrastructure of the Administration;
       ``(C) a detailed account of any information technology 
     equipment or interconnected system or subsystem of equipment 
     of the Administration that was manufactured by an entity that 
     has its principal place of business located in the People's 
     Republic of China; and
       ``(D) an account of any cybersecurity risk or incident that 
     occurred at the Administration during the 2-year period 
     preceding the date on which the report is submitted, and any 
     action taken by the Administrator to respond to or remediate 
     any such cybersecurity risk or incident.
       ``(2) Additional reports.--If the Administrator determines 
     that there is a reasonable basis to conclude that a 
     cybersecurity risk or incident occurred at the 
     Administration, the Administrator shall--
       ``(A) not later than 7 days after the date on which the 
     Administrator makes that determination, notify the 
     appropriate congressional committees of the cybersecurity 
     risk or incident; and
       ``(B) not later than 30 days after the date on which the 
     Administrator makes a determination under subparagraph (A)--
       ``(i) provide notice to individuals and small business 
     concerns affected by the cybersecurity risk or incident; and
       ``(ii) submit to the appropriate congressional committees a 
     report, based on information available to the Administrator 
     as of the date which the Administrator submits the report, 
     that includes--

       ``(I) a summary of information about the cybersecurity risk 
     or incident, including how the cybersecurity risk or incident 
     occurred; and
       ``(II) an estimate of the number of individuals and small 
     business concerns affected by the cybersecurity risk or 
     incident, including an assessment of the risk of harm to 
     affected individuals and small business concerns.

       ``(3) Rule of construction.--Nothing in this subsection 
     shall be construed to affect the reporting requirements of 
     the Administrator under chapter 35 of title 44, United States 
     Code, in particular the requirement to notify the Federal 
     information security incident center under section 
     3554(b)(7)(C)(ii) of such title, or any other provision of 
     law.
       ``(4) Definitions.--In this subsection:
       ``(A) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means--
       ``(i) the Committee on Small Business and Entrepreneurship 
     of the Senate; and
       ``(ii) the Committee on Small Business of the House of 
     Representatives.
       ``(B) Cybersecurity risk; incident.--The terms 
     `cybersecurity risk' and `incident' have the meanings given 
     such terms, respectively, under section 2209(a) of the 
     Homeland Security Act of 2002.''.
  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from New 
York (Mr. Delgado) and the gentleman from Ohio (Mr. Chabot) each will 
control 20 minutes.
  The Chair recognizes the gentleman from New York.


                             General Leave

  Mr. DELGADO. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days in which to revise and extend their remarks 
and include extraneous material on the measure under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from New York?
  There was no objection.
  Mr. DELGADO. Mr. Speaker, I yield myself such time as I may consume.
  I rise in support of H.R. 2331, the SBA Cyber Awareness Act of 2019, 
which strengthens the Small Business Administration's cybersecurity 
infrastructure to handle and report cyber threats that affect small 
businesses.
  The Small Business Administration processes a significant amount of 
small business data, and protecting these businesses is essential to 
its mission. That is why they must protect its precious digital 
networks from cyberattacks. But after the massive data breach at the 
U.S. Office of Personnel Management, 75 percent of Americans are 
doubtful that the government can protect their personal information.
  With 28 million small business owners in the U.S. that provide 64 
percent of new private-sector jobs, America cannot afford for small 
businesses to lose faith in the SBA. Today, we take an important step 
to restore American confidence in the SBA's cybersecurity protections 
and prevent the harmful results of cyberattacks.

  H.R. 2331 ensures that the SBA has an effective cyber strategy and 
requires timely reporting of cyber incidents to Congress and affected 
individuals. Through these measures, the SBA will better serve the 
American small businesses that support the U.S. economy.
  I thank Congressman Crow and Congressman Balderson for working so 
diligently to strengthen the agency we oversee and protect the Nation's 
small business community that utilizes its services.
  I ask my fellow Members to support this bill, and I reserve the 
balance of my time.
  Mr. CHABOT. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of H.R. 2331, the SBA Cyber Awareness 
Act.
  In June 2015, the Office of Personnel Management, or OPM, discovered 
that background investigation records of current, former, and 
prospective Federal employees and contractors had been stolen from 
their system. That data breach affected 21.5 million individuals. 
Earlier in 2015, OPM discovered that the personal data of 4.2 million 
current and former Federal Government employees had also been stolen. 
This is absolutely unacceptable, and we must hold agencies accountable 
to secure their networks.
  While a much smaller agency, the SBA maintains important and 
sensitive data about loan recipients, government contractor 
information, and various other forms of personally identifiable 
information that hackers covet. That is why I am happy to support Mr. 
Crow's and Mr. Balderson's legislation, H.R. 2331, the SBA Cyber 
Awareness Act. This legislation mirrors legislation introduced in the 
last Congress by Senators Rubio and Cardin.
  The bill directs the SBA to issue reports that assess its 
cybersecurity infrastructure, including determining the country of 
origin of its IT components, and report cyber threats, breaches, and 
cyberattacks.
  This is a commonsense, bipartisan bill, and I urge my colleagues to 
support the measure.
  Mr. Speaker, I reserve the balance of my time.
  Mr. DELGADO. Mr. Speaker, I yield 5 minutes to the gentleman from 
Colorado (Mr. Crow), the sponsor of the bill.
  Mr. CROW. Mr. Speaker, I want to thank the gentleman from New York 
(Mr. Delgado) for yielding, and I want to thank Chairwoman Velazquez 
for prioritizing this critical issue and bringing our bill to the 
floor. I also want to thank my friend and colead on H.R. 2331, the 
gentleman from Ohio (Mr. Balderson), for his leadership on 
cybersecurity and small business issues and this bill in particular. I 
value his input and expertise on all of these issues.
  Mr. Speaker, I rise in strong support of this bipartisan legislation 
I introduced with Ranking Member Balderson, the SBA Cyber Awareness 
Act.
  The Small Business Administration houses vital information for small 
business owners and lenders. We must do everything we can to help the 
SBA protect its systems and the data of our Nation's small businesses.
  Our bill would require the SBA to be more proactive in protecting its 
data and more transparent in the event of a cyber breach.

  First, our bill requires the SBA to issue a report detailing its 
cybersecurity efforts within 6 months of enactment. This report must 
include an assessment of the SBA's existing IT and cybersecurity 
infrastructure and its strategy to address vulnerabilities.
  Notably, this bill ensures we are protecting ourselves against China 
by requiring an audit of any SBA system or IT equipment manufactured by 
a company headquartered in China.
  The report must detail every cybersecurity risk or incident in the 
last 2 years and the SBA's strategy to address them going forward.
  Second, our bill provides a framework for the SBA to follow in the 
event of future breaches, requiring timely notifications to Congress as 
well as the people in the small businesses affected. The bill also 
requires the SBA to submit a full report to both committees on how the 
cybersecurity risk or incident occurred and how many parties were 
affected.
  The goal of this bill is to put the SBA and the small businesses that 
it interacts with and that depend on it on the best footing possible to 
combat the rising threat of cyberattacks.
  I am very excited that this bill is up for a vote in the House today 
and has such strong bipartisan support.
  Mr. Speaker, I urge my colleagues to vote in support of our 
bipartisan legislation and thank everyone who had a hand in bringing it 
to the floor. It is an exciting day when we can focus on our Nation's 
small businesses and cyber infrastructure, and I am hopeful for this 
bill's quick consideration by the Senate.
  Mr. CHABOT. Mr. Speaker, in closing, I just want to thank Mr. 
Balderson and Mr. Crow for working together in a bipartisan manner on 
this very important legislation.
  I know Mr. Balderson wanted to be here today to speak on this. 
Unfortunately, I believe he had some airline issues, but I believe he 
will be submitting a statement for the Record.
  But again, we appreciate both Mr. Balderson and Mr. Crow's leadership 
on this.

                              {time}  1700

  We have seen a large increase in cybersecurity threats against not 
only the private sector, but also the public sector. We must remain 
vigilant to ensure the public's data does not end up in the wrong 
hands.
  This bipartisan legislation ensures that the SBA is better equipped 
to protect American citizens' data.
  Mr. Speaker, I urge my colleagues to support this, and I yield back 
the balance of my time.
  Mr. DELGADO. Mr. Speaker, the Small Business Administration fuels the 
U.S. economy, and through its lending and contracting programs, helps 
Americans start, build, and grow small businesses, but in doing so, the 
agency is tasked with handling vital information.
  As we all know, cyberattacks are very real, and nobody, not even the 
Federal Government, is immune.
  That is why this piece of legislation, H.R. 2331, is fundamental to 
the health of our national cyber infrastructure as it relates to small 
firms.
  The SBA must protect its digital networks from cyberattacks and 
collaborate more with Congress. Modernizing the agency's IT 
infrastructure and implementing an effective cyber strategy is the key 
component of this bill. Doing so guarantees the SBA can adequately and 
effectively defend its digital network.
  This bill also requires timely reporting of cyber incidents to 
Congress and affected individuals in the unfortunate event of a breach. 
The sharing of this information allows us to collaborate with the SBA 
to better address vulnerabilities in the system.
  Mr. Speaker, H.R. 2331 has bipartisan support, so I once again want 
to urge my colleagues to support the measure. I yield back the balance 
of my time.
  Mr. BALDERSON. Mr. Speaker, I rise today in support of H.R. 2331, the 
SBA Cyber Awareness Act of 2019. This bill has had my full support 
since its introduction and I am happy to support its passage today.
  I want to first thank my good friend, the gentleman from Colorado, 
for his leadership on this effort. It is nice to see Congress attempt 
to solve problems not only in a bipartisan manner, but also proactively 
before problems occur, rather than waiting until something goes wrong.
  This bill addresses a potential weakness within the Small Business 
Administration's cybersecurity infrastructure. By passing this bill, we 
will proactively guard against harmful and widespread cyberattacks by 
bringing the Small Business Administration's cybersecurity defenses 
into the 21st Century. This bill will protect the sensitive business 
and personal information of millions of small business owners across 
the country.
  In a rapidly-developing digital age, strong cybersecurity protections 
and reinforcements are of the utmost importance. Many small businesses 
don't have the defensive infrastructure to deal with cyberattacks. A 
threat to cybersecurity is a threat to small businesses' vitality. 
That's why this bill is so important.
  We, as Congress, must lift up the small businesses of America and 
ensure they have the support they need to address this ever-changing 
online environment. And this bill is a bipartisan example of that.
  Once again, I thank my colleague from Colorado for his proactive 
leadership, and I urge the passage of H.R. 2331.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from New York (Mr. Delgado) that the House suspend the rules 
and pass the bill, H.R. 2331.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill was passed.
  A motion to reconsider was laid on the table.
