[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5064 Received in Senate (RDS)]

<DOC>
114th CONGRESS
  2d Session
                                H. R. 5064


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 22, 2016

                                Received

_______________________________________________________________________

                                 AN ACT


 
  To amend the Small Business Act to allow small business development 
centers to assist and advise small business concerns on relevant cyber 
               security matters, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Improving Small Business Cyber 
Security Act of 2016''.

SEC. 2. ROLE OF SMALL BUSINESS DEVELOPMENT CENTERS IN CYBER SECURITY 
              AND PREPAREDNESS.

    Section 21 of the Small Business Act (15 U.S.C. 648) is amended--
            (1) in subsection (a)(1), by striking ``and providing 
        access to business analysts who can refer small business 
        concerns to available experts:'' and inserting ``providing 
        access to business analysts who can refer small business 
        concerns to available experts; and, to the extent practicable, 
        providing assistance in furtherance of the Small Business 
        Development Center Cyber Strategy developed under section 5(b) 
        of the Improving Small Business Cyber Security Act of 2016:''; 
        and
            (2) in subsection (c)--
                    (A) in paragraph (2)--
                            (i) in subparagraph (E), by striking 
                        ``and'' at the end;
                            (ii) in subparagraph (F), by striking the 
                        period and inserting ``; and''; and
                            (iii) by adding at the end of the 
                        following:
            ``(G) access to cyber security specialists to counsel, 
        assist, and inform small business concern clients, in 
        furtherance of the Small Business Development Center Cyber 
        Strategy developed under section 5(b) of the Improving Small 
        Business Cyber Security Act of 2016.''.

SEC. 3. ADDITIONAL CYBER SECURITY ASSISTANCE FOR SMALL BUSINESS 
              DEVELOPMENT CENTERS.

    Section 21(a) of the Small Business Act (15 U.S.C. 648(a)) is 
amended by adding at the end the following:
            ``(8) Cyber security assistance.--The Department of 
        Homeland Security, and any other Federal department or agency 
        in coordination with the Department of Homeland Security, may 
        leverage small business development centers to provide 
        assistance to small businesses by disseminating cyber security 
        risk information and other homeland security information to 
        help small business concerns in developing or enhancing cyber 
        security infrastructure, cyber threat awareness, and cyber 
        training programs for employees.''.

SEC. 4. CYBER SECURITY OUTREACH FOR SMALL BUSINESS DEVELOPMENT CENTERS.

    Section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148) is 
amended--
            (1) by redesignating subsection (l) as subsection (m); and
            (2) by inserting after subsection (k) the following:
    ``(l) Cybersecurity Outreach.--
            ``(1) In general.--The Secretary may leverage small 
        business development centers to provide assistance to small 
        business concerns by disseminating information on cyber threat 
        indicators, defensive measures, cybersecurity risks, incidents, 
        analyses, and warnings to help small business concerns in 
        developing or enhancing cybersecurity infrastructure, cyber 
        threat awareness, and cyber training programs for employees.
            ``(2) Definitions.--For purposes of this subsection, the 
        terms `small business concern' and `small business development 
        center' have the meaning given such terms, respectively, under 
        section 3 of the Small Business Act.''.

SEC. 5. GAO STUDY ON SMALL BUSINESS CYBER SUPPORT SERVICES AND SMALL 
              BUSINESS DEVELOPMENT CENTER CYBER STRATEGY.

    (a) Review of Current Cyber Security Resources.--
            (1) In general.--The Comptroller General of the United 
        States shall conduct a review of current cyber security 
        resources at the Federal level aimed at assisting small 
        business concerns with developing or enhancing cyber security 
        infrastructure, cyber threat awareness, or cyber training 
        programs for employees.
            (2) Content.--The review required under paragraph (1) shall 
        include the following:
                    (A) An accounting and description of all Federal 
                Government programs, projects, and activities that 
                currently provide assistance to small business concerns 
                in developing or enhancing cyber security 
                infrastructure, cyber threat awareness, or cyber 
                training programs for employees.
                    (B) An assessment of how widely utilized the 
                resources described under subparagraph (A) are by small 
                business concerns and a review of whether or not such 
                resources are duplicative of other programs and 
                structured in a manner that makes them accessible to 
                and supportive of small business concerns.
            (3) Report.--The Comptroller General shall issue a report 
        to the Congress, the Administrator of the Small Business 
        Administration, the Secretary of Homeland Security, and any 
        association recognized under section 21(a)(3)(A) of the Small 
        Business Act containing all findings and determinations made in 
        carrying out the review required under paragraph (1).
    (b) Small Business Development Center Cyber Strategy.--
            (1) In general.--Not later than 90 days after the issuance 
        of the report under subsection (a)(3), the Administrator of the 
        Small Business Administration and the Secretary of Homeland 
        Security shall work collaboratively to develop a Small Business 
        Development Center Cyber Strategy.
            (2) Consultation.--In developing the strategy under this 
        subsection, the Administrator of the Small Business 
        Administration and the Secretary of Homeland Security shall 
        consult with entities representing the concerns of small 
        business development centers, including any association 
        recognized under section 21(a)(3)(A) of the Small Business Act.
            (3) Content.--The strategy required under paragraph (1) 
        shall include, at minimum, the following:
                    (A) Plans for leveraging small business development 
                centers (SBDCs) to access existing cyber programs of 
                the Department of Homeland Security and other 
                appropriate Federal agencies to enhance services and 
                streamline cyber assistance to small business concerns.
                    (B) To the extent practicable, methods for the 
                provision of counsel and assistance to improve a small 
                business concern's cyber security infrastructure, cyber 
                threat awareness, and cyber training programs for 
                employees, including--
                            (I) working to ensure individuals are aware 
                        of best practices in the areas of cyber 
                        security, cyber threat awareness, and cyber 
                        training;
                            (ii) working with individuals to develop 
                        cost-effective plans for implementing best 
                        practices in these areas;
                            (iii) entering into agreements, where 
                        practical, with Information Sharing and 
                        Analysis Centers or similar cyber information 
                        sharing entities to gain an awareness of 
                        actionable threat information that may be 
                        beneficial to small business concerns; and
                            (iv) providing referrals to area 
                        specialists when necessary.
                    (c) An analysis of--
                            (I) how Federal Government programs, 
                        projects, and activities identified by the 
                        Comptroller General in the report issued under 
                        subsection (a)(1) can be leveraged by SBDCs to 
                        improve access to high-quality cyber support 
                        for small business concerns;
                            (ii) additional resources SBDCs may need to 
                        effectively carry out their role; and
                            (iii) how SBDCs can leverage existing 
                        partnerships and develop new ones with Federal, 
                        State, and local government entities as well as 
                        private entities to improve the quality of 
                        cyber support services to small business 
                        concerns.
            (4) Delivery of strategy.--Not later than 180 days after 
        the issuance of the report under subsection (a)(3), the Small 
        Business Development Center Cyber Strategy shall be issued to 
        the Committees on Homeland Security and Small Business of the 
        House of Representatives and the Committees on Homeland 
        Security and Governmental Affairs and Small Business and 
        Entrepreneurship of the Senate.
    (c) Definition.--The term ``small business development center'' has 
the meaning given such term in section 3 of the Small Business Act (15 
U.S.C. 632).

SEC. 6. PROHIBITION ON ADDITIONAL FUNDS.

    No additional funds are authorized to be appropriated to carry out 
the requirements of this Act or the amendments made by this Act. Such 
requirements shall be carried out using amounts otherwise authorized.

            Passed the House of Representatives September 21, 2016.

            Attest:

                                                 KAREN L. HAAS,

                                                                 Clerk.