[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3462 Reported in House (RH)]
<DOC>
Union Calendar No. 98
117th CONGRESS
1st Session
H. R. 3462
[Report No. 117-138]
To require an annual report on the cybersecurity of the Small Business
Administration, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
May 21, 2021
Mr. Crow (for himself and Mrs. Kim of California) introduced the
following bill; which was referred to the Committee on Small Business
October 12, 2021
Reported from the Committee on Small Business; committed to the
Committee of the Whole House on the State of the Union and ordered to
be printed
_______________________________________________________________________
A BILL
To require an annual report on the cybersecurity of the Small Business
Administration, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. CYBERSECURITY AWARENESS REPORTING.
Section 10 of the Small Business Act (15 U.S.C. 639) is amended by
inserting after subsection (a) the following:
``(b) Cybersecurity Reports.--
``(1) Annual report.--Not later than 180 days after the
date of enactment of this subsection, and every year
thereafter, the Administrator shall submit a report to the
appropriate congressional committees that includes--
``(A) an assessment of the information technology
(as defined in section 11101 of title 40, United States
Code) and cybersecurity infrastructure of the
Administration;
``(B) a strategy to increase the cybersecurity
infrastructure of the Administration;
``(C) a detailed account of any information
technology equipment or interconnected system or
subsystem of equipment of the Administration that was
manufactured by an entity that has its principal place
of business located in the People's Republic of China;
and
``(D) an account of any cybersecurity risk or
incident that occurred at the Administration during the
2-year period preceding the date on which the report is
submitted, and any action taken by the Administrator to
respond to or remediate any such cybersecurity risk or
incident.
``(2) Additional reports.--If the Administrator determines
that there is a reasonable basis to conclude that a
cybersecurity risk or incident occurred at the Administration,
the Administrator shall--
``(A) not later than 7 days after the date on which
the Administrator makes that determination, notify the
appropriate congressional committees of the
cybersecurity risk or incident; and
``(B) not later than 30 days after the date on
which the Administrator makes a determination under
subparagraph (A)--
``(i) provide notice to individuals and
small business concerns affected by the
cybersecurity risk or incident; and
``(ii) submit to the appropriate
congressional committees a report, based on
information available to the Administrator as
of the date which the Administrator submits the
report, that includes--
``(I) a summary of information
about the cybersecurity risk or
incident, including how the
cybersecurity risk or incident
occurred; and
``(II) an estimate of the number of
individuals and small business concerns
affected by the cybersecurity risk or
incident, including an assessment of
the risk of harm to affected
individuals and small business
concerns.
``(3) Rule of construction.--Nothing in this subsection
shall be construed to affect the reporting requirements of the
Administrator under chapter 35 of title 44, United States Code,
in particular the requirement to notify the Federal information
security incident center under section 3554(b)(7)(C)(ii) of
such title, or any other provision of law.
``(4) Definitions.--In this subsection:
``(A) Appropriate congressional committees.--The
term `appropriate congressional committees' means--
``(i) the Committee on Small Business and
Entrepreneurship of the Senate; and
``(ii) the Committee on Small Business of
the House of Representatives.
``(B) Cybersecurity risk; incident.--The terms
`cybersecurity risk' and `incident' have the meanings
given such terms, respectively, under section 2209(a)
of the Homeland Security Act of 2002.''.
Union Calendar No. 98
117th CONGRESS
1st Session
H. R. 3462
[Report No. 117-138]
_______________________________________________________________________
A BILL
To require an annual report on the cybersecurity of the Small Business
Administration, and for other purposes.
_______________________________________________________________________
October 12, 2021
Committed to the Committee of the Whole House on the State of the Union
and ordered to be printed