[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2483 Reported in Senate (RS)]
Calendar No. 573
117th CONGRESS
2d Session
S. 2483
[Report No. 117-217]
To require the Director of the Cybersecurity and Infrastructure
Security Agency to establish cybersecurity guidance for small
organizations, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 27, 2021
Ms. Rosen (for herself, Mr. Cornyn, Mr. Ossoff, and Ms. Hassan)
introduced the following bill; which was read twice and referred to the
Committee on Homeland Security and Governmental Affairs
December 5, 2022
Reported by Mr. Peters, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To require the Director of the Cybersecurity and Infrastructure
Security Agency to establish cybersecurity guidance for small
organizations, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Improving Cybersecurity of
Small Organizations Act of 2021''.</DELETED>
<DELETED>SEC. 2. IMPROVING CYBERSECURITY OF SMALL
ORGANIZATIONS.</DELETED>
<DELETED> (a) Definitions.--In this section:</DELETED>
<DELETED> (1) Administration.--The term ``Administration''
means the Small Business Administration.</DELETED>
<DELETED> (2) Administrator.--The term ``Administrator''
means the Administrator of the Administration.</DELETED>
<DELETED> (3) Commission.--The term ``Commission'' means the
Federal Trade Commission.</DELETED>
<DELETED> (4) Connected device.--The term ``connected
device'' means any electronic equipment that is--</DELETED>
<DELETED> (A) primarily designed for or marketed to
consumers;</DELETED>
<DELETED> (B) capable of connecting to the internet
or another communication network; and</DELETED>
<DELETED> (C) capable of sending, receiving, or
processing personal information.</DELETED>
<DELETED> (5) Cybersecurity guidance.--The term
``cybersecurity guidance'' means the cybersecurity guidance
maintained and promoted under subsections (b) and (c),
respectively.</DELETED>
<DELETED> (6) Director.--The term ``Director'' means the
Director of the Cybersecurity and Infrastructure Security
Agency.</DELETED>
<DELETED> (7) NIST.--The term ``NIST'' means the National
Institute of Standards and Technology.</DELETED>
<DELETED> (8) Secretary.--The term ``Secretary'' means the
Secretary of Commerce.</DELETED>
<DELETED> (9) Small business.--The term ``small business''
has the meaning given the term ``small business concern'' in
section 3 of the Small Business Act (15 U.S.C. 632).</DELETED>
<DELETED> (10) Small governmental jurisdiction.--The term
``small governmental jurisdiction'' has the meaning given the
term in section 601 of title 5, United States Code.</DELETED>
<DELETED> (11) Small nonprofit.--The term ``small
nonprofit'' has the meaning given the term ``small
organization'' in section 601 of title 5, United States
Code.</DELETED>
<DELETED> (12) Small organization.--The term ``small
organization'' means an organization that is unlikely to employ
a specialist in cybersecurity, including--</DELETED>
<DELETED> (A) a small business;</DELETED>
<DELETED> (B) a small nonprofit; and</DELETED>
<DELETED> (C) a small governmental
jurisdiction.</DELETED>
<DELETED> (b) Cybersecurity Guidance.--</DELETED>
<DELETED> (1) In general.--The Director shall maintain
cybersecurity guidance that documents and promotes evidence-
based cybersecurity policies and controls for use by small
organizations, which shall--</DELETED>
<DELETED> (A) include simple, basic controls that
have the most impact in protecting small organizations
against common cybersecurity threats and
risks;</DELETED>
<DELETED> (B) include guidance to address common
cybersecurity threats and risks posed by connected
devices that are personal to the employees and
contractors of small organizations, as well as
connected devices that are issued to those employees
and contractors by small organizations; and</DELETED>
<DELETED> (C) recommend--</DELETED>
<DELETED> (i) measures to improve the
cybersecurity of small organizations;
and</DELETED>
<DELETED> (ii) configurations and settings
for some of the most commonly used software
that can improve the cybersecurity of small
organizations.</DELETED>
<DELETED> (2) Consistency.--The Director shall ensure the
cybersecurity guidance maintained under paragraph (1) is
consistent with--</DELETED>
<DELETED> (A) cybersecurity resources developed by
NIST, as required by the NIST Small Business
Cybersecurity Act (Public Law 115-236); and</DELETED>
<DELETED> (B) the most recent version of the
Cybersecurity Framework, or successor resource,
maintained by NIST.</DELETED>
<DELETED> (3) Guidance for specific types of small
organizations.--The Director may include cybersecurity
guidance, as required under paragraph (1), appropriate for
specific types of small organizations in addition to guidance
applicable for all small organizations.</DELETED>
<DELETED> (4) Updates.--</DELETED>
<DELETED> (A) In general.--The Director shall review
the cybersecurity guidance maintained under paragraph
(1) not less frequently than annually and update the
cybersecurity guidance as appropriate.</DELETED>
<DELETED> (B) Consultation.--In updating the
cybersecurity guidance under subparagraph (A), the
Director shall, to the degree practicable and as
appropriate, consult with--</DELETED>
<DELETED> (i) the Administrator, the
Secretary, and the Commission;</DELETED>
<DELETED> (ii) small organizations,
insurers, State governments, companies that
work with small organizations, and academic and
Federal and non-Federal experts in
cybersecurity; and</DELETED>
<DELETED> (iii) any other entity as
determined by the Director.</DELETED>
<DELETED> (5) User interface.--As appropriate, the Director
shall consult with experts regarding the design of a user
interface for the cybersecurity guidance.</DELETED>
<DELETED> (c) Promotion of Cybersecurity Guidance for Small
Businesses.--</DELETED>
<DELETED> (1) Public availability.--The cybersecurity
guidance maintained under subsection (b)(1) shall be--</DELETED>
<DELETED> (A) made available, prominently and free
of charge, on the public website of the Cybersecurity
Infrastructure Security Agency; and</DELETED>
<DELETED> (B) linked to from relevant portions of
the websites of the Administration and the Minority
Business Development Agency.</DELETED>
<DELETED> (2) Promotion generally.--The Director, the
Administrator, and the Secretary shall, to the degree
practicable, promote the cybersecurity guidance through
relevant resources that are intended for or known to be
regularly used by small organizations, including agency
documents, websites, and events.</DELETED>
<DELETED> (d) Report on Incentivizing Cybersecurity for Small
Organizations.--</DELETED>
<DELETED> (1) In general.--Not later than 1 year after the
date of enactment of this Act, the Secretary shall submit to
Congress a report describing methods to incentivize small
organizations to improve their cybersecurity, including through
the adoption of policies, controls, products and services that
have been demonstrated to reduce cybersecurity risk.</DELETED>
<DELETED> (2) Matters to be included.--The report required
under paragraph (1) shall--</DELETED>
<DELETED> (A) identify barriers or challenges for
small organizations in purchasing or acquiring products
and services that promote the cybersecurity;</DELETED>
<DELETED> (B) assess market availability, market
pricing, and affordability of products and services
that promote the cybersecurity for small organizations,
with particular attention to identifying high-risk and
underserved sectors or regions;</DELETED>
<DELETED> (C) estimate the cost of tax breaks,
grants, subsidies, or other incentives to increase the
adoption of policies and controls or acquisition of
products and services that promote the cybersecurity of
small organizations;</DELETED>
<DELETED> (D) as practicable, consult the
certifications and requirement for cloud services
described in the final report of the Cyberspace
Solarium Commission established under section 1652 of
the John S. McCain National Defense Authorization Act
for Fiscal Year 2019 (Public Law 115-232; 132 Stat.
2140);</DELETED>
<DELETED> (E) describe evidence-based cybersecurity
controls and policies that improve cybersecurity for
small organizations;</DELETED>
<DELETED> (F) with respect to the incentives
described in subparagraph (C), recommend measures that
can effectively improve cybersecurity at scale for
small organizations; and</DELETED>
<DELETED> (G) include any other matters as the
Secretary determines relevant.</DELETED>
<DELETED> (3) Guidance for specific types of small
organizations.--In preparing the report required under
paragraph (1), the Secretary may include matters applicable for
specific types of small organizations in addition to matters
applicable to all small organizations.</DELETED>
<DELETED> (4) Consultation.--In preparing the report
required under paragraph (1), the Secretary shall consult
with--</DELETED>
<DELETED> (A) the Administrator, the Director, and
the Commission; and</DELETED>
<DELETED> (B) small organizations, insurers of risks
related to cybersecurity, State governments,
cybersecurity and information technology companies that
work with small organizations, and academic and Federal
and non-Federal experts in cybersecurity.</DELETED>
<DELETED> (e) Periodic Census on State of Cybersecurity of Small
Businesses.--</DELETED>
<DELETED> (1) In general.--Not later than 1 year after the
date of enactment of this Act and not less frequently than
every 24 months thereafter for not more than 10 years, the
Administrator shall submit to Congress and make publicly
available data on the state of cybersecurity of small
businesses, including--</DELETED>
<DELETED> (A) adoption of the cybersecurity guidance
among small businesses;</DELETED>
<DELETED> (B) the most significant and widespread
cybersecurity threats facing small
businesses;</DELETED>
<DELETED> (C) the amount small businesses spend on
cybersecurity products and services; and</DELETED>
<DELETED> (D) the personnel small businesses
dedicate to cybersecurity (including the amount of
total personnel time, whether by employees or
contractors, dedicated to cybersecurity
efforts).</DELETED>
<DELETED> (2) Form.--The report required under paragraph (1)
shall be produced in unclassified form but may contain a
classified annex.</DELETED>
<DELETED> (3) Consultation.--In preparing the report
required under paragraph (1), the Administrator shall consult
with--</DELETED>
<DELETED> (A) the Secretary, the Director, and the
Commission; and</DELETED>
<DELETED> (B) small businesses, insurers of risks
related to cybersecurity, cybersecurity and information
technology companies that work with small businesses,
and academic and Federal and non-Federal experts in
cybersecurity.</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Improving Cybersecurity of Small
Businesses, Nonprofits, and Local Governments Act of 2021''.
SEC. 2. IMPROVING CYBERSECURITY OF SMALL ENTITIES.
(a) Definitions.--In this section:
(1) Administrator.--The term ``Administrator'' means the
Administrator of the Small Business Administration.
(2) Annual cybersecurity report; small business; small
entity; small governmental jurisdiction; small organization.--
The terms ``annual cybersecurity report'', ``small business'',
``small entity'', ``small governmental jurisdiction'', and
``small organization'' have the meanings given those terms in
section 2220D of the Homeland Security Act of 2002, as added by
subsection (b).
(3) CISA.--The term ``CISA'' means the Cybersecurity and
Infrastructure Security Agency.
(4) Commission.--The term ``Commission'' means the Federal
Trade Commission.
(5) Secretary.--The term ``Secretary'' means the Secretary
of Commerce.
(b) Annual Report.--
(1) Amendment.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by
adding at the end the following:
``SEC. 2220D. ANNUAL CYBERSECURITY REPORT FOR SMALL ENTITIES.
``(a) Definitions.--
``(1) Administration.--The term `Administration' means the
Small Business Administration.
``(2) Administrator.--The term `Administrator' means the
Administrator of the Administration.
``(3) Annual cybersecurity report.--The term `annual
cybersecurity report' means the annual cybersecurity report
published and promoted under subsections (b) and (c),
respectively.
``(4) Commission.--The term `Commission' means the Federal
Trade Commission.
``(5) Electronic device.--The term `electronic device'
means any electronic equipment that is--
``(A) used by an employee or contractor of a small
entity for the purpose of performing work for the small
entity;
``(B) capable of connecting to the internet or
another communication network; and
``(C) capable of sending, receiving, or processing
personal information.
``(6) NIST.--The term `NIST' means the National Institute
of Standards and Technology.
``(7) Small business.--The term `small business' has the
meaning given the term `small business concern' in section 3 of
the Small Business Act (15 U.S.C. 632).
``(8) Small entity.--The term `small entity' means--
``(A) a small business;
``(B) a small governmental jurisdiction; and
``(C) a small organization.
``(9) Small governmental jurisdiction.--The term `small
governmental jurisdiction' means governments of cities,
counties, towns, townships, villages, school districts, or
special districts with a population of less than 50,000.
``(10) Small organization.--The term `small organization'
means any not-for-profit enterprise that is independently owned
and operated and is not dominant in its field.
``(b) Annual Cybersecurity Report.--
``(1) In general.--Not later than 180 days after the date
of enactment of this section, and not less frequently than
annually thereafter, the Director shall publish a report for
small entities that documents and promotes evidence-based
cybersecurity policies and controls for use by small entities,
which shall--
``(A) include basic controls that have the most
impact in protecting small entities against common
cybersecurity threats and risks;
``(B) include protocols and policies to address
common cybersecurity threats and risks posed by
electronic devices, regardless of whether the
electronic devices are--
``(i) issued by the small entity to
employees and contractors of the small entity;
or
``(ii) personal to the employees and
contractors of the small entity; and
``(C) recommend, as practicable--
``(i) measures to improve the cybersecurity
of small entities; and
``(ii) configurations and settings for some
of the most commonly used software that can
improve the cybersecurity of small entities.
``(2) Existing recommendations.--The Director shall ensure
that each annual cybersecurity report published under paragraph
(1) incorporates--
``(A) cybersecurity resources developed by NIST, as
required by the NIST Small Business Cybersecurity Act
(Public Law 115-236; 132 Stat. 2444); and
``(B) the most recent version of the Cybersecurity
Framework, or a successor resource, maintained by NIST.
``(3) Consideration for specific types of small entities.--
The Director may include and prioritize the development of
cybersecurity recommendations, as required under paragraph (1),
appropriate for specific types of small entities in addition to
recommendations applicable for all small entities.
``(4) Consultation.--In publishing the annual cybersecurity
report under paragraph (1), the Director shall, to the degree
practicable and as appropriate, consult with--
``(A) the Administrator, the Secretary of Commerce,
the Commission, and the Director of NIST;
``(B) small entities, insurers, State governments,
companies that work with small entities, and academic
and Federal and non-Federal experts in cybersecurity;
and
``(C) any other entity as determined appropriate by
the Director.
``(c) Promotion of Annual Cybersecurity Report for Small
Businesses.--
``(1) Publication.--The annual cybersecurity report, and
previous versions of the report as appropriate, published under
subsection (b)(1) shall be--
``(A) made available, prominently and free of
charge, on the public website of the Agency; and
``(B) linked to from relevant portions of the
websites of the Administration and the Minority
Business Development Agency, as determined by the
Administrator and the Director of the Minority Business
Development Agency, respectively.
``(2) Promotion generally.--The Director, the
Administrator, and the Secretary of Commerce shall, to the
degree practicable, promote the annual cybersecurity report
through relevant resources that are intended for or known to be
regularly used by small entities, including agency documents,
websites, and events.
``(d) Training and Technical Assistance.--The Director, the
Administrator, and the Director of the Minority Business Development
Agency shall make available to employees of small entities voluntary
training and technical assistance on how to implement the
recommendations of the annual cybersecurity report.''.
(2) Technical and conforming amendment.--The table of
contents in section 1(b) of the Homeland Security Act of 2002
(Public Law 107-296; 116 Stat. 2135) is amended by inserting after
the item relating to section 2220C the following:
``Sec. 2220D. Annual cybersecurity report for small entities.''.
(c) Report to Congress.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, and annually thereafter for 10 years,
the Secretary shall submit to Congress a report describing
methods to improve the cybersecurity of small entities,
including through the adoption of policies, controls, and
classes of products and services that have been demonstrated to
reduce cybersecurity risk.
(2) Matters to be included.--The report required under
paragraph (1) shall--
(A) identify barriers or challenges for small
entities in purchasing or acquiring classes of products
and services that promote the cybersecurity of small
entities;
(B) assess market availability, market pricing, and
affordability of classes of products and services that
promote the cybersecurity of small entities, with
particular attention to identifying high-risk and
underserved sectors or regions;
(C) estimate the costs and benefits of policies
that promote the cybersecurity of small entities,
including--
(i) tax breaks;
(ii) grants and subsidies; and
(iii) other incentives as determined
appropriate by the Secretary;
(D) describe evidence-based cybersecurity controls
and policies that improve the cybersecurity of small
entities;
(E) with respect to the incentives described in
subparagraph (C), recommend measures that can
effectively improve cybersecurity at scale for small
entities; and
(F) include any other matters as the Secretary
determines relevant.
(3) Specific sectors of small entities.--In preparing the
report required under paragraph (1), the Secretary may include
matters applicable for specific sectors of small entities in
addition to matters applicable to all small entities.
(4) Consultation.--In preparing the report required under
paragraph (1), the Secretary shall consult with--
(A) the Administrator, the Director of CISA, and
the Commission; and
(B) small entities, insurers of risks related to
cybersecurity, State governments, cybersecurity and
information technology companies that work with small
entities, and academic and Federal and non-Federal
experts in cybersecurity.
(d) Periodic Census on State of Cybersecurity of Small
Businesses.--
(1) In general.--Not later than 1 year after the date of
enactment of this Act, and not less frequently than every 24
months thereafter for 10 years, the Administrator shall submit
to Congress and make publicly available data on the state of
cybersecurity of small businesses, including, to the extent
practicable--
(A) adoption of the cybersecurity recommendations
from the annual cybersecurity report among small
businesses;
(B) the most significant and widespread
cybersecurity threats facing small businesses;
(C) the amount small businesses spend on
cybersecurity products and services; and
(D) the personnel small businesses dedicate to
cybersecurity, including the amount of total personnel
time, whether by employees or contractors, dedicated to
cybersecurity efforts.
(2) Voluntary participation.--In carrying out paragraph
(1), the Administrator shall collect data from small businesses
that participate on a voluntary basis.
(3) Form.--The data required under paragraph (1) shall be
produced in unclassified form but may contain a classified
annex.
(4) Consultation.--In preparing to collect the data
required under paragraph (1), the Administrator shall consult
with--
(A) the Secretary, the Director of CISA, and the
Commission; and
(B) small businesses, insurers of risks related to
cybersecurity, cybersecurity and information technology
companies that work with small businesses, and academic
and Federal and non-Federal experts in cybersecurity.
(5) Privacy.--In carrying out this subsection, the
Administrator shall ensure that any publicly available data is
anonymized and does not reveal personally identifiable
information.
(e) Rule of Construction.--Nothing in this section or the
amendments made by this section shall be construed to provide any
additional regulatory authority to CISA.