[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[S. 2735 Introduced in Senate (IS)]

115th CONGRESS
  2d Session
                                S. 2735

To amend the Small Business Act to provide for the establishment of an 
enhanced cybersecurity assistance and protections for small businesses, 
                        and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 24, 2018

 Mr. Risch (for himself and Mr. Peters) introduced the following bill; 
 which was read twice and referred to the Committee on Small Business 
                          and Entrepreneurship

_______________________________________________________________________

                                 A BILL


 
To amend the Small Business Act to provide for the establishment of an 
enhanced cybersecurity assistance and protections for small businesses, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Small Business Advanced 
Cybersecurity Enhancements Act of 2018''.

SEC. 2. FINDINGS.

    Congress finds the following:
            (1) Small businesses represent more than 97 percent of 
        total businesses in the United States and make up an essential 
        part of the supply chain to some of the largest companies, many 
        of which are in critical infrastructure sectors, from financial 
        and transportation organizations to power, water, and 
        healthcare suppliers.
            (2) Many small businesses do not have dedicated information 
        technology (``IT'') departments and must outsource IT functions 
        or assign these duties to an employee as a secondary function.
            (3) The Internet Crime Complaint Center within the 
        Department of Justice recorded 298,728 cybersecurity-related 
        complaints in its 2016 report.
            (4) There has been steady increases of cybersecurity-
        related complaints year over year since the year 2000, totaling 
        3,762,348.
            (5) Seventy-one percent of cyber attacks occurred in 
        businesses with fewer than 100 employees.
            (6) Only 14 percent of small- and medium-sized businesses 
        believe they have the ability to effectively mitigate cyber 
        risks and vulnerabilities.
            (7) Small businesses risk theft and manipulation of 
        sensitive data if they lack adequate cybersecurity measures.
            (8) The Better Business Bureau found that half of small 
        businesses could remain profitable for only 1 month if they 
        lost essential data.
            (9) Cyber crime is growing rapidly and the annual costs to 
        the global economy are estimated to reach over 
        $2,000,000,000,000 by 2019.
            (10) Cybersecurity is a global challenge where the security 
        threat, attacks, and techniques continually evolve and no 
        company, individual, or Federal agency is immune from these 
        threats.
            (11) Strong collaboration between the public and private 
        sector is essential in the fight against cyber crime.
            (12) There is a reluctance among small businesses to 
        voluntarily share information with government entities, and the 
        Federal Government should work proactively to incentivize and 
        encourage voluntary information sharing to improve the 
        cybersecurity posture of the United States.

SEC. 3. ENHANCED CYBERSECURITY ASSISTANCE AND PROTECTIONS FOR SMALL 
              BUSINESSES.

    Section 21(a) of the Small Business Act (15 U.S.C. 648(a)) is 
amended by adding at the end the following:
            ``(9) Small business cybersecurity assistance and 
        protections.--
                    ``(A) Establishment of small business cybersecurity 
                assistance units.--The Administrator, in coordination 
                with the Secretary of Commerce, and in consultation 
                with the Secretary of Homeland Security and the 
                Attorney General, shall establish--
                            ``(i) in the Administration, a central 
                        small business cybersecurity assistance unit; 
                        and
                            ``(ii) within each small business 
                        development center, a regional small business 
                        cybersecurity assistance unit.
                    ``(B) Duties of the central small business 
                cybersecurity assistance unit.--
                            ``(i) In general.--The central small 
                        business cybersecurity assistance unit 
                        established under subparagraph (A)(i) shall 
                        serve as the primary interface for small 
                        business concerns to receive and share cyber 
                        threat indicators and defensive measures with 
                        the Federal Government.
                            ``(ii) Use of capability and process.--The 
                        central small business cybersecurity assistance 
                        unit shall use the capability and process 
                        certified pursuant to section 105(c)(2)(A) of 
                        the Cybersecurity Information Sharing Act of 
                        2015 (6 U.S.C. 1504(c)(2)(A)) to receive cyber 
                        threat indicators or defensive measures from 
                        small business concerns.
                            ``(iii) Application of cisa.--A small 
                        business concern that receives or shares cyber 
                        threat indicators and defensive measures with 
                        the Federal Government through the central 
                        small business cybersecurity assistance unit 
                        established under subparagraph (A)(i), or with 
                        any appropriate entity pursuant to section 
                        104(c) of the Cybersecurity Information Sharing 
                        Act of 2015 (6 U.S.C. 1503(c)), shall receive 
                        the protections and exemptions provided in such 
                        Act and this paragraph.
                    ``(C) Relation to nccic.--
                            ``(i) Central small business cybersecurity 
                        assistance unit.--The central small business 
                        cybersecurity assistance unit established under 
                        subparagraph (A)(i) shall be collocated with 
                        the national cybersecurity and communications 
                        integration center.
                            ``(ii) Access to information.--The national 
                        cybersecurity and communications integration 
                        center shall have access to all cyber threat 
                        indicators or defensive measures shared with 
                        the central small cybersecurity assistance unit 
                        established under subparagraph (A)(i) through 
                        the use of the capability and process described 
                        in subparagraph (B)(ii).
                    ``(D) Cybersecurity assistance for small 
                businesses.--The central small business cybersecurity 
                assistance unit established under subparagraph (A)(i) 
                shall--
                            ``(i) work with each regional small 
                        business cybersecurity assistance unit 
                        established under subparagraph (A)(ii) to 
                        provide cybersecurity assistance to small 
                        business concerns;
                            ``(ii) leverage resources from the 
                        Administration, the Department of Commerce, the 
                        Department of Homeland Security, the Department 
                        of Justice, the Department of the Treasury, the 
                        Department of State, and any other Federal 
                        department or agency the Administrator 
                        determines appropriate, in order to help 
                        improve the cybersecurity posture of small 
                        business concerns;
                            ``(iii) coordinate with the Department of 
                        Homeland Security to identify and disseminate 
                        information to small business concerns in a 
                        form that is accessible and actionable by small 
                        business concerns;
                            ``(iv) coordinate with the National 
                        Institute of Standards and Technology to 
                        identify and disseminate information to small 
                        business concerns on the most cost-effective 
                        methods for implementing elements of the 
                        cybersecurity framework of the National 
                        Institute of Standards and Technology 
                        applicable to improving the cybersecurity 
                        posture of small business concerns;
                            ``(v) seek input from the Office of 
                        Advocacy of the Administration to ensure that 
                        any policies or procedures adopted by any 
                        department, agency, or instrumentality of the 
                        Federal Government do not unduly add regulatory 
                        burdens to small business concerns in a manner 
                        that will hamper the improvement of the 
                        cybersecurity posture of those small business 
                        concerns; and
                            ``(vi) leverage resources and relationships 
                        with representatives and entities involved in 
                        the national cybersecurity and communications 
                        integration center to publicize the capacity of 
                        the Federal Government to assist small business 
                        concerns in improving cybersecurity practices.
                    ``(E) Enhanced cybersecurity protections for small 
                businesses.--
                            ``(i) In general.--Notwithstanding any 
                        other provision of law, no cause of action 
                        shall lie or be maintained in any court against 
                        any small business concern, and such action 
                        shall be promptly dismissed, if such action is 
                        related to or arises out of--
                                    ``(I) any activity authorized under 
                                this paragraph or the Cybersecurity 
                                Information Sharing Act of 2015 (6 
                                U.S.C. 1501 et seq.); or
                                    ``(II) any action or inaction in 
                                response to any cyber threat indicator, 
                                defensive measure, or other information 
                                shared or received pursuant to this 
                                paragraph or the Cybersecurity 
                                Information Sharing Act of 2015 (6 
                                U.S.C. 1501 et seq.).
                            ``(ii) Application.--The exception provided 
                        in section 105(d)(5)(D)(ii)(I) of the 
                        Cybersecurity Information Sharing Act of 2015 
                        (6 U.S.C. 1504(d)(5)(D)(ii)(I)) shall not apply 
                        to any cyber threat indicator or defensive 
                        measure shared or received by small business 
                        concerns pursuant to this paragraph or the 
                        Cybersecurity Information Sharing Act of 2015 
                        (6 U.S.C. 1501 et seq.).
                            ``(iii) Rule of construction.--Nothing in 
                        this subparagraph shall be construed to affect 
                        the applicability or merits of any defense, 
                        motion, or argument in any cause of action in a 
                        court brought against an entity that is not a 
                        small business concern.
                    ``(F) Definitions.--In this paragraph:
                            ``(i) CISA definitions.--The terms `cyber 
                        threat indicator' and `defensive measure' have 
                        the meanings given those terms in section 102 
                        of the Cybersecurity Information Sharing Act of 
                        2015 (6 U.S.C. 1501).
                            ``(ii) National cybersecurity and 
                        communications integration center.--The term 
                        `national cybersecurity and communications 
                        integration center' means the national 
                        cybersecurity and communications integration 
                        center established under section 227 of the 
                        Homeland Security Act of 2002 (6 U.S.C. 
                        148).''.

SEC. 4. PROHIBITION ON NEW APPROPRIATIONS.

    (a) In General.--No additional funds are authorized to be 
appropriated to carry out this Act and the amendments made by this Act.
    (b) Existing Funding.--This Act and the amendments made by this Act 
shall be carried out using amounts made available under section 
21(a)(4)(C)(viii) of the Small Business Act (15 U.S.C. 
648(a)(4)(C)(viii)).
    (c) Technical and Conforming Amendment.--Section 21(a)(4)(C)(viii) 
of the Small Business Act (15 U.S.C. 648(a)(4)(C)(viii)) is amended to 
read as follows:
                            ``(viii) Limitation.--
                                    ``(I) Cybersecurity assistance.--
                                From the funds appropriated pursuant to 
                                clause (vii), the Administration shall 
                                reserve not less than $1,000,000 in 
                                each fiscal year to develop 
                                cybersecurity assistance units at small 
                                business development centers under 
                                paragraph (9).
                                    ``(II) Portable assistance.--
                                            ``(aa) In general.--Any 
                                        funds appropriated pursuant to 
                                        clause (vii) that are remaining 
                                        after reserving amounts under 
                                        subclause (I) may be used for 
                                        portable assistance for startup 
                                        and sustainability non-matching 
                                        grant programs to be conducted 
                                        by eligible small business 
                                        development centers in 
                                        communities that are 
                                        economically challenged as a 
                                        result of a business or 
                                        government facility down sizing 
                                        or closing, which has resulted 
                                        in the loss of jobs or small 
                                        business instability.
                                            ``(bb) Grant amount and 
                                        use.--A non-matching grant 
                                        under this clause shall not 
                                        exceed $100,000, and shall be 
                                        used for small business 
                                        development center personnel 
                                        expenses and related small 
                                        business programs and 
                                        services.''.