[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4491 Referred in Senate (RFS)]
<DOC>
119th CONGRESS
1st Session
H. R. 4491
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
December 2, 2025
Received; read twice and referred to the Committee on Small Business
and Entrepreneurship
_______________________________________________________________________
AN ACT
To require the Administrator of the Small Business Administration to
implement certain recommendations relating to information technology
modernization, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SBA IT Modernization Reporting
Act''.
SEC. 2. IMPLEMENTATION OF RECOMMENDATIONS RELATING TO INFORMATION
TECHNOLOGY MODERNIZATION FOR THE SMALL BUSINESS
ADMINISTRATION.
(a) In General.--The Administrator of the Small Business
Administration, acting through the Chief Information Officer of the
Administration, shall take such actions as may be necessary to
implement the recommendations contained in the report of the
Comptroller General of the United States titled ``IT MODERNIZATION: SBA
Urgently Needs to Address Risks on Newly Deployed System'' (GAO-25-
106963; published November 6, 2024).
(b) Implementation Plan.--Not later than 180 days after the date of
the enactment of this Act, the Administrator shall submit to the
Committee on Small Business of the House of Representatives and the
Committee on Small Business and Entrepreneurship of the Senate an
implementation plan detailing the actions the Small Business
Administration will undertake to establish and implement policies and
procedures to govern information technology modernization projects of
the Administration. Such policies and procedures shall, with respect to
each project--
(1) for each risk identified, explicitly state the source
of such risk in the relevant risk documentation;
(2) clearly define risk parameters;
(3) establish and maintain risk management strategies;
(4) identify and document risks for all phases of the life
cycle;
(5) evaluate, categorize, and prioritize risks based on
defined risk parameters and develop project risk management
plans;
(6) connect measures to mitigate risk to risk mitigation
plans;
(7) require that any information technology acquisition
plan and any strategic plan contains information needed to
manage cyber risks;
(8) require that a traceability analysis is performed and
documented;
(9) require that security-related subject matter experts
are involved in selection process for contractors for a
project;
(10) develop master schedules using the guidelines
contained in the publication of the Comptroller General titled
``GAO Schedule Assessment Guide: Best Practices for Project
Schedules'' (GAO-16-89G; published December 22, 2015); and
(11) develop cost estimates using the guidelines contained
in the publication of the Comptroller General titled ``Cost
Estimating and Assessment Guide: Best Practices for Developing
and Managing Program Costs'' (GAO-20-195G; published March 12,
2020).
(c) Additional Requirements.--The implementation plan required by
this section shall include the actions required to carry out the
requirements listed in paragraphs (1) through (11) of subsection (b),
an identification of the office of the Administration responsible for
implementation, and the timelines for completion of each action.
(d) Briefing Required.--Not later than 30 days after the submission
of the implementation plan required under this section, the
Administrator shall provide to the Committee on Small Business of the
House of Representa-
tives and the Committee on Small Business and Entrepreneurship of the
Senate a briefing on the plan.
Passed the House of Representatives December 1, 2025.
Attest:
KEVIN F. MCCUMBER,
Clerk.