[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 3024 Introduced in Senate (IS)]

<DOC>






114th CONGRESS
  2d Session
                                S. 3024

            To improve cyber security for small businesses.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              June 6, 2016

Mr. Vitter (for himself and Mr. Peters) introduced the following bill; 
 which was read twice and referred to the Committee on Small Business 
                          and Entrepreneurship

_______________________________________________________________________

                                 A BILL


 
            To improve cyber security for small businesses.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Small Business Cyber Security 
Improvements Act of 2016''.

SEC. 2. ROLE OF SMALL BUSINESS DEVELOPMENT CENTERS IN CYBER SECURITY 
              AND PREPAREDNESS.

    Section 21 of the Small Business Act (15 U.S.C. 648) is amended--
            (1) in subsection (a)(1), by striking ``and providing 
        access to business analysts who can refer small business 
        concerns to available experts:'' and inserting ``providing 
        access to business analysts who can refer small business 
        concerns to available experts; and, to the extent practicable, 
        providing assistance in furtherance of the Small Business 
        Development Center Cyber Strategy developed under section 4(c) 
        of the Small Business Cyber Security Improvements Act of 
        2016''; and
            (2) in subsection (c)(3)--
                    (A) in subparagraph (S), by striking ``and'' at the 
                end;
                    (B) in subparagraph (T), by striking the period and 
                inserting ``; and''; and
                    (C) by adding at the end of the following:
            ``(U) to the extent practicable, providing access to 
        external cyber security specialists to counsel, assist, and 
        inform small business concerns in furtherance of the Small 
        Business Development Center Cyber Strategy developed under 
        section 4(c) of the Small Business Cyber Security Improvements 
        Act of 2016.''.

SEC. 3. ADDITIONAL CYBER SECURITY ASSISTANCE FOR SMALL BUSINESS 
              DEVELOPMENT CENTERS.

    Section 21(a) of the Small Business Act (15 U.S.C. 648(a)) is 
amended by adding at the end the following:
            ``(8) Cyber security assistance.--The Department of 
        Homeland Security, and any other Federal agency, in 
        coordination with the Department of Homeland Security, may 
        provide assistance to small business development centers, 
        through the dissemination of cyber security risk information 
        and other homeland security information, to help small business 
        concerns in developing or enhancing cyber security 
        infrastructure, cyber threat awareness, and cyber training 
        programs for employees.''.

SEC. 4. GAO STUDY ON SMALL BUSINESS CYBER SUPPORT SERVICES AND SMALL 
              BUSINESS DEVELOPMENT CENTER CYBER STRATEGY.

    (a) Definitions.--In this section--
            (1) the term ``Administrator'' means the Administrator of 
        the Small Business Administration;
            (2) the term ``association'' means the association 
        established under section 21(a)(3)(A) of the Small Business Act 
        (15 U.S.C. 648(a)(3)(A)) representing a majority of small 
        business development centers;
            (3) the terms ``Federal agency'', ``small business 
        concern'', and ``small business development center'' have the 
        meanings given such terms under section 3 of the Small Business 
        Act (15 U.S.C. 632); and
            (4) the term ``Secretary'' means the Secretary of Homeland 
        Security.
    (b) Review of Current Cyber Security Resources.--
            (1) In general.--The Comptroller General of the United 
        States shall conduct a review of the cyber security resources 
        of Federal agencies aimed at assisting small business concerns 
        with developing or enhancing cyber security infrastructure, 
        cyber threat awareness, or cyber training programs for 
        employees.
            (2) Content.--The review required under paragraph (1) shall 
        include the following:
                    (A) An accounting and description of all programs, 
                projects, and activities of Federal agencies that 
                provide assistance to small business concerns in 
                developing or enhancing cyber security infrastructure, 
                cyber threat awareness, or cyber training programs for 
                employees.
                    (B) An assessment of how widely utilized the 
                resources described under subparagraph (A) are by small 
                business concerns.
                    (C) A review of whether or not the resources 
                described in subparagraph (A) are--
                            (i) duplicative of other programs; or
                            (ii) structured in a manner that makes the 
                        resources accessible to and supportive of small 
                        business concerns.
            (3) Report.--The Comptroller General shall submit to 
        Congress, the Administrator, the Secretary, and the association 
        a report containing all findings and determinations made in 
        carrying out the review required under paragraph (1).
    (c) Small Business Development Center Cyber Strategy.--
            (1) In general.--Not later than 90 days after the date on 
        which the Comptroller General submits the report under 
        subsection (b)(3), the Administrator and the Secretary shall 
        begin to work collaboratively to develop a Small Business 
        Development Center Cyber Strategy.
            (2) Consultation.--In developing the strategy required 
        under paragraph (1), the Administrator and the Secretary shall 
        consult with entities representing the concerns of small 
        business development centers, including the association.
            (3) Content.--The strategy required under paragraph (1) 
        shall include, at minimum, the following:
                    (A) Plans for incorporating small business 
                development centers into cyber programs to enhance 
                services and streamline cyber assistance to small 
                business concerns.
                    (B) To the extent practicable, methods for 
                providing counsel and assistance to improve the cyber 
                security infrastructure, cyber threat awareness, and 
                cyber training programs for employees of small business 
                concerns, including--
                            (i) working to ensure individuals are aware 
                        of best practices in the areas of cyber 
                        security, cyber threat awareness, and cyber 
                        training;
                            (ii) working with individuals to develop 
                        cost-effective plans for implementing best 
                        practices in the areas described in clause (i);
                            (iii) entering into agreements, where 
                        practical, with Information Sharing and 
                        Analysis Centers or similar cyber information 
                        sharing entities to gain an awareness of 
                        actionable threat information that may be 
                        beneficial to small business concerns; and
                            (iv) providing referrals to area 
                        specialists when necessary.
                    (C) An analysis of--
                            (i) how programs, projects, and activities 
                        of Federal agencies identified by the 
                        Comptroller General in the report submitted 
                        under subsection (b)(3) can be leveraged by 
                        small business development centers to improve 
                        access to high quality cyber support for small 
                        business concerns;
                            (ii) additional resources small business 
                        development centers may need to effectively 
                        carry out the role of the small business 
                        development centers; and
                            (iii) how small business development 
                        centers can leverage existing partnerships and 
                        develop new partnerships with entities of the 
                        Federal Government, States, and local 
                        governments and in the private sector to 
                        improve the quality of cyber support services 
                        to small business concerns.
            (4) Delivery of strategy.--Not later than 180 days after 
        the date on which the Comptroller General submits the report 
        under subsection (b)(3), the Administrator and the Secretary 
        shall submit the strategy required under paragraph (1) to--
                    (A) the Committee on Homeland Security and 
                Governmental Affairs and the Committee on Small 
                Business and Entrepreneurship of the Senate; and
                    (B) the Committee on Homeland Security and the 
                Committee on Small Business of the House of 
                Representatives.
    (d) Prohibition on Additional Funds.--No additional funds are 
authorized to be appropriated to carry out this section.
                                 <all>