119 HR 4491 IH: SBA IT Modernization Reporting Act U.S. House of Representatives 2025-07-17 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

I119th CONGRESS1st SessionH. R. 4491IN THE HOUSE OF REPRESENTATIVESJuly 17, 2025Mr. Cisneros (for himself and Mr. Jack) introduced the following bill; which was referred to the Committee on Small BusinessA BILLTo require the Administrator of the Small Business Administration to implement certain recommendations relating to information technology modernization, and for other purposes.

1.

Short title

This Act may be cited as the SBA IT Modernization Reporting Act.

2.

Implementation of recommendations relating to information technology modernization for the Small Business Administration

(a)

In general

The Administrator of the Small Business Administration, acting through the Chief Information Officer of the Administration, shall take such actions as may be necessary to implement the recommendations contained in the report of the Comptroller General of the United States titled IT MODERNIZATION: SBA Urgently Needs to Address Risks on Newly Deployed System (GAO–25–106963; published November 6, 2024). (b)

Implementation plan

Not later than 180 days after the date of the enactment of this Act, the Administrator shall submit to the Committee on Small Business of the House of Representatives and the Committee on Small Business and Entrepreneurship of the Senate an implementation plan detailing the actions the Small Business Administration will undertake to establish and implement policies and procedures to govern information technology modernization projects of the Administration. Such policies and procedures shall, with respect to each project— (1)for each risk identified, explicitly state the source of such risk in the relevant risk documentation; (2)clearly define risk parameters; (3)establish and maintain risk management strategies; (4)identify and document risks for all phases of the life cycle; (5)evaluate, categorize, and prioritize risks based on defined risk parameters and develop project risk management plans; (6)connect measures to mitigate risk to risk mitigation plans; (7)require that any information technology acquisition plan and any strategic plan contains information needed to manage cyber risks; (8)require that a traceability analysis is performed and documented; (9)require that security-related subject matter experts are involved in selection process for contractors for a project; (10)develop master schedules using the guidelines contained in the publication of the Comptroller General titled GAO Schedule Assessment Guide: Best Practices for Project Schedules (GAO–16–89G; published December 22, 2015); and (11)develop cost estimates using the guidelines contained in the publication of the Comptroller General titled Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Program Costs (GAO–20–195G; published March 12, 2020). (c)

Additional requirements

The implementation plan required by this section shall include the actions required to carry out the requirements listed in paragraphs (1) through (11) of subsection (b), an identification of the office of the Administration responsible for implementation, and the timelines for completion of each action. (d)

Briefing required

Not later than 30 days after the submission of the implementation plan required under this section, the Administrator shall provide to the Committee on Small Business of the House of Representatives and the Committee on Small Business and Entrepreneurship of the Senate a briefing on the plan.