[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2666 Introduced in Senate (IS)]

115th CONGRESS
  2d Session
                                S. 2666

To improve assistance provided by the Hollings Manufacturing Extension 
  Partnership to small manufacturers in the defense industrial supply 
  chain on matters relating to cybersecurity, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 12, 2018

Mr. Coons (for himself, Mr. Graham, and Mrs. Gillibrand) introduced the 
 following bill; which was read twice and referred to the Committee on 
                 Commerce, Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
To improve assistance provided by the Hollings Manufacturing Extension 
  Partnership to small manufacturers in the defense industrial supply 
  chain on matters relating to cybersecurity, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Enhance Cybersecurity for Small 
Manufacturers Act of 2018''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) According to the Bureau of Labor Statistics, there are 
        more than 347,000 manufacturing establishments in the United 
        States, of which 72 percent have fewer than 20 employees and 99 
        percent have fewer than 500 employees.
            (2) Independent studies from the National Defense Industry 
        Association, the Defense Science Board, the Alliance for 
        Manufacturing Foresight, and the McKinsey Global Institute have 
        highlighted--
                    (A) the centrality of small manufacturers to United 
                States manufacturing supply chains for domestic 
                economic growth;
                    (B) the vulnerability of such manufacturers to the 
                defense industrial base for national security; and
                    (C) the vulnerability of such manufacturers to 
                cybersecurity threats and breaches.
            (3) As of December 31, 2017, Department of Defense 
        suppliers must comply with new, tougher cybersecurity 
        requirements to ensure adequate security to protect controlled 
        unclassified information relevant to defense manufacturing 
        supply chains. The requirements call for defense suppliers to 
        implement and create a plan of action to respond to the 
        guidance developed by the National Institute of Standards and 
        Technology.
            (4) The Department of Commerce has found significant 
        cybersecurity vulnerability of small manufacturers. A survey of 
        9,000 contract facilities documented that 6,650 small 
        facilities lagged behind medium and large firms across a broad 
        range of 20 cybersecurity indicators. For several indicators, 
        fewer than half of small firms had cybersecurity measures in 
        place.
            (5) Over the past 5 years the national network of centers 
        operating as part of the Hollings Manufacturing Extension 
        Partnership has worked closely with the Department of Defense 
        to bolster the resilience of the defense industrial base supply 
        chain. Since 2013, such centers have completed more than 2,500 
        projects with 1,650 companies that are suppliers to the 
        Department of Defense.
            (6) In 2017, the Hollings Manufacturing Extension 
        Partnership interacted with more than 1,000 small manufacturers 
        on the cybersecurity requirements of the Department of Defense. 
        This work by the Hollings Manufacturing Extension Partnership 
        has revealed a significant lack of awareness of the Department 
        of Defense cybersecurity requirements and a deficiency of 
        financial and technical resources required to manage 
        cybersecurity risks. If cybersecurity vulnerabilities remain 
        unaddressed, defense supply chains face a higher likelihood of 
        serious and exploitable vulnerabilities, as well as a 
        substantial reduction in the number of suppliers compliant with 
        Department of Defense requirements, and thereby ineligible to 
        provide products and services to the Department of Defense.
            (7) The Hollings Manufacturing Extension Partnership is 
        well positioned to aid suppliers of the Department of Defense 
        in complying with cybersecurity requirements of the Department 
        to ensure adequate security to protect controlled unclassified 
        information relevant to defense manufacturing supply chains.

SEC. 3. ASSISTANCE FOR SMALL MANUFACTURERS IN THE DEFENSE INDUSTRIAL 
              SUPPLY CHAIN ON MATTERS RELATING TO CYBERSECURITY.

    (a) Definitions.--In this section:
            (1) Center.--The term ``Center'' has the meaning given such 
        term in section 25(a) of the National Institute of Standards 
        and Technology Act (15 U.S.C. 278k(a)).
            (2) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (3) Resources.--The term ``resources'' means guidelines, 
        tools, best practices, standards, methodologies, and other ways 
        of providing information.
            (4) Small business concern.--The term ``small business 
        concern'' means a small business concern as that term is used 
        in section 3 of the Small Business Act (15 U.S.C. 632).
            (5) Small manufacturer.--The term ``small manufacturer'' 
        means a small business concern that is a manufacturer.
            (6) State.--The term ``State'' means each of the several 
        States, Territories, and possessions of the United States, the 
        District of Columbia, and the Commonwealth of Puerto Rico.
    (b) Dissemination of Cybersecurity Resources.--
            (1) In general.--The Director of the National Institute of 
        Standards and Technology, in partnership with the Secretary of 
        Defense and acting through the Hollings Manufacturing Extension 
        Partnership, shall take such actions as may be necessary to 
        address a widespread lack of awareness of cybersecurity threats 
        among small manufacturers in the defense industrial supply 
        chain.
            (2) National reach.--The Director shall ensure that efforts 
        to increase awareness under paragraph (1) are carried out in 
        each State, by disseminating clear and concise resources to 
        help reduce cybersecurity risks faced by small manufacturers 
        described in paragraph (1).
            (3) Sector focus.--The Director shall carry out this 
        subsection with a focus on such industry sectors as the 
        Director considers critical, in consultation with the Secretary 
        of Defense.
            (4) Outreach events.--Under paragraph (1), the Director 
        shall conduct outreach. Such outreach may include live events 
        with a physical presence and outreach conducted through 
        Internet websites.
    (c) Voluntary Cybersecurity Self-Assessments.--The Director shall 
provide, through the Hollings Manufacturing Extension Partnership, 
assistance to help small manufacturers conduct voluntary self-
assessments in order to understand operating environments, 
cybersecurity requirements, and existing vulnerabilities.
    (d) Transfer of Research Findings and Expertise.--
            (1) In general.--The Director shall provide for the 
        transfer of technology and techniques developed at the National 
        Institute of Standards and Technology to Centers, and through 
        such Centers, to small manufacturers throughout the United 
        States to implement security measures that are adequate to 
        protect covered defense information, including controlled 
        unclassified information.
            (2) Use of other federal expertise and capabilities.--The 
        Director shall use, when appropriate, the expertise and 
        capabilities that exist in Federal agencies other than the 
        Institute, and federally sponsored laboratories.
            (3) Agreements.--In carrying out this subsection, the 
        Centers may enter into agreements with private industry, 
        institutes of higher education, or a State, United States 
        territory, local, or tribal government to ensure breadth and 
        depth of coverage to the United States defense industrial base 
        and to leverage resources.
    (e) Defense Acquisition Workforce Cyber Training Program.--The 
Secretary of Defense, in consultation with the Director, shall 
establish a cyber counseling certification program, or approve a 
similar existing program, to certify small business professionals and 
other relevant acquisition staff within the Department of Defense to 
provide cyber planning assistance to small manufacturers in the defense 
industrial supply chain.