
	

115 HR 4668 RH: Small Business Advanced Cybersecurity Enhancements Act of 2017
U.S. House of Representatives
2017-12-18
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		IB
		Union Calendar No. 502
		115th CONGRESS2d Session
		H. R. 4668
		[Report No. 115–654]
		IN THE HOUSE OF REPRESENTATIVES
		
			December 18, 2017
			Mr. Chabot (for himself and Ms. Velázquez) introduced the following bill; which was referred to the Committee on Small Business
		
		April 25, 2018Additional sponsors: Mr. King of Iowa, Mrs. Radewagen, Miss González-Colón of Puerto Rico, Mr. Norman, Mr. Curtis, Ms. Clarke of New York, Mr. Lawson of Florida, Mr. Evans, and Ms. Rosen
			April 25, 2018
			Reported with an amendment, committed to the Committee of the Whole House on the State of the
			 Union, and ordered to be printed
			Strike out all after the enacting clause and insert the part printed in italic
			For text of introduced bill, see copy of bill as introduced on December 18, 2017
		
		
			
		
		A BILL
		To amend the Small Business Act to provide for the establishment of an enhanced cybersecurity
			 assistance and protections for small businesses, and for other purposes.
	
	
 1.Short titleThis Act may be cited as the Small Business Advanced Cybersecurity Enhancements Act of 2017. 2.FindingsCongress finds the following:
 (1)Small businesses represent more than 97 percent of total businesses in the United States and make up an essential part of the supply chain to some of the largest companies, many of which are in critical infrastructure sectors, from financial and transportation organizations to power, water, and healthcare suppliers.
 (2)Many small businesses do not have dedicated information technology (IT) departments and must outsource IT functions or assign these duties to an employee as a secondary function.
 (3)The Internet Crime Complaint Center within the United States Department of Justice recorded 298,728 cybersecurity-related complaints in its 2016 report.
 (4)There has been steady increases of cybersecurity-related complaints year over year since the year 2000, totaling 3,762,348.
 (5)Seventy-one percent of cyber attacks occurred in businesses with fewer than 100 employees. (6)Only 14 percent of small- and medium-sized businesses believe they have the ability to effectively mitigate cyber risks and vulnerabilities.
 (7)Small businesses risk theft and manipulation of sensitive data if they lack adequate cybersecurity measures.
 (8)The Better Business Bureau found that half of small businesses could remain profitable for only one month if they lost essential data.
 (9)Cyber crime is growing rapidly and the annual costs to the global economy are estimated to reach over $2,000,000,000,000 by 2019.
 (10)Cybersecurity is a global challenge where the security threat, attacks, and techniques continually evolve and no company, individual, or Federal agency is immune from these threats.
 (11)Strong collaboration between the public and private sector is essential in the fight against cyber crime.
 (12)There is a reluctance among small businesses to voluntarily share information with government entities, and the Federal Government should work proactively to incentivize and encourage voluntary information sharing to improve the Nation’s cybersecurity posture.
 3.Enhanced cybersecurity assistance and protections for small businessesSection 21(a) of the Small Business Act (15 U.S.C. 648(a)) is amended by adding at the end the following new paragraph:
			
				(9)Small business cybersecurity assistance and protections
 (A)Establishment of small business cybersecurity assistance unitsThe Administrator of the Small Business Administration, in coordination with the Secretary of Commerce, and in consultation with the Secretary of Homeland Security and the Attorney General, shall establish—
 (i)in the Administration, a central small business cybersecurity assistance unit; and (ii)within each small business development center, a regional small business cybersecurity assistance unit.
						(B)Duties of the central small business cybersecurity assistance unit
 (i)In generalThe central small business cybersecurity assistance unit established under subparagraph (A)(i) shall serve as the primary interface for small business concerns to receive and share cyber threat indicators and defensive measures with the Federal Government.
 (ii)Use of capability and processesThe central small business cybersecurity assistance unit shall use the capability and process certified pursuant to section 105(c)(2)(A) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1504(c)(2)(A)) to receive cyber threat indicators or defensive measures from small business concerns.
 (iii)Application of CISAA small business concern that receives or shares cyber threat indicators and defensive measures with the Federal Government through the central small business cybersecurity assistance unit established under subparagraph (A)(i), or with any appropriate entity pursuant to section 103(c) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1503(c)), shall receive the protections and exemptions provided in such Act and this paragraph.
						(C)Relation to NCCIC
 (i)Central small business cybersecurity assistance unitThe central small business cybersecurity assistance unit established under subparagraph (A)(i) shall be collocated with the national cybersecurity and communications integration center.
 (ii)Access to informationThe national cybersecurity and communications integration center shall have access to all cyber threat indicators or defensive measures shared with the central small cybersecurity assistance unit established under subparagraph (A)(i) through the use of the capability and process described in subparagraph (B)(ii).
 (D)Cybersecurity assistance for small businessesThe central small business cybersecurity assistance unit established under subparagraph (A)(i) shall—
 (i)work with each regional small business cybersecurity assistance unit established under subparagraph (A)(ii) to provide cybersecurity assistance to small business concerns;
 (ii)leverage resources from the Administration, the Department of Commerce, the Department of Homeland Security, the Department of Justice, the Department of the Treasury, the Department of State, and any other Federal department or agency the Administrator determines appropriate, in order to help improve the cybersecurity posture of small business concerns;
 (iii)coordinate with the Department of Homeland Security to identify and disseminate information to small business concerns in a form that is accessible and actionable by small business concerns;
 (iv)coordinate with the National Institute of Standards and Technology to identify and disseminate information to small business concerns on the most cost-effective methods for implementing elements of the cybersecurity framework of the National Institute of Standards and Technology applicable to improving the cybersecurity posture of small business concerns;
 (v)seek input from the Office of Advocacy of the Administration to ensure that any policies or procedures adopted by any department, agency, or instrumentality of the Federal Government do not unduly add regulatory burdens to small business concerns in a manner that will hamper the improvement of the cybersecurity posture of such small business concerns; and
 (vi)leverage resources and relationships with representatives and entities involved in the national cybersecurity and communications integration center to publicize the capacity of the Federal Government to assist small business concerns in improving cybersecurity practices.
						(E)Enhanced cybersecurity protections for small businesses
 (i)In generalNotwithstanding any other provision of law, no cause of action shall lie or be maintained in any court against any small business concern, and such action shall be promptly dismissed, if such action related to or arises out of—
 (I)any activity authorized under this paragraph or the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.); or
 (II)any action or inaction in response to any cyber threat indicator, defensive measure, or other information shared or received pursuant to this paragraph or the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.).
 (ii)ApplicationThe exception provided in section 105(d)(5)(D)(ii)(I) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1504(d)(5)(D)(ii)(I)) shall not apply to any cyber threat indicator or defensive measure shared or received by small business concerns pursuant to this paragraph or the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.).
 (iii)Rule of constructionNothing in this subparagraph shall be construed to affect the applicability or merits of any defense, motion, or argument in any cause of action in a court brought against an entity that is not a small business concern.
 (F)DefinitionsIn this paragraph: (i)CISA definitionsThe terms cyber threat indicator and defensive measure have the meanings given such terms in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
 (ii)National cybersecurity and communications integration centerThe term national cybersecurity and communications integration center means the national cybersecurity and communications integration center established under section 227 of the Homeland Security Act of 2002 (6 U.S.C. 148)..
		4.Prohibition on new appropriations
 (a)In generalNo additional funds are authorized to be appropriated to carry out this Act and the amendments made by this Act.
 (b)Existing fundingThis Act and the amendments made by this Act shall be carried out using amounts made available under section 21(a)(4)(C)(viii) of the Small Business Act (15 U.S.C. 648(a)(4)(viii)).
 (c)Technical and conforming amendmentSection 21(a)(4)(C)(viii) of the Small Business Act (15 U.S.C.648(a)(4)(C)(viii)) is amended to read as follows:
				
					(viii)Limitation
 (I)Cybersecurity assistanceFrom the funds appropriated pursuant to clause (vii), the Administration shall reserve not less than $1,000,000 in each fiscal year to develop cybersecurity assistance units at small business development centers under paragraph (9).
						(II)Portable assistance
 (aa)In generalAny funds appropriated pursuant to clause (vii) that are remaining after reserving amounts under subclause (I) may be used for portable assistance for startup and sustainability non-matching grant programs to be conducted by eligible small business development centers in communities that are economically challenged as a result of a business or government facility down sizing or closing, which has resulted in the loss of jobs or small business instability.
 (bb)Grant amount and useA non-matching grant under this subclause shall not exceed $100,000, and shall be used for small business development center personnel expenses and related small business programs and services..
			
	
		April 25, 2018
		Reported with an amendment, committed to the Committee of the Whole House on the State of the
			 Union, and ordered to be printed
