[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 772 Introduced in Senate (IS)]

116th CONGRESS
  1st Session
                                 S. 772

To require an annual report on the cybersecurity of the Small Business 
                Administration, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 13, 2019

 Mr. Rubio (for himself and Mr. Cardin) introduced the following bill; 
 which was read twice and referred to the Committee on Small Business 
                          and Entrepreneurship

_______________________________________________________________________

                                 A BILL


 
To require an annual report on the cybersecurity of the Small Business 
                Administration, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``SBA Cyber Awareness Act''.

SEC. 2. CYBERSECURITY AWARENESS REPORTING.

    Section 10 of the Small Business Act (15 U.S.C. 639) is amended by 
striking subsection (b) and inserting the following:
    ``(b) Cybersecurity Reports.--
            ``(1) Definition.--In this subsection, the term 
        `appropriate congressional committees' means--
                    ``(A) the Committee on Small Business and 
                Entrepreneurship of the Senate; and
                    ``(B) the Committee on Small Business of the House 
                of Representatives.
            ``(2) Annual report.--Not later than 180 days after the 
        date of enactment of the SBA Cyber Awareness Act, and every 
        year thereafter, the Administration shall submit a report to 
        the appropriate congressional committees that includes--
                    ``(A) an assessment of the information technology 
                and cybersecurity of the Administration;
                    ``(B) a strategy to increase the cybersecurity of 
                the Administration;
                    ``(C) a detailed account of any information 
                technology component or system of the Administration 
                that was manufactured by a company located in the 
                People's Republic of China; and
                    ``(D) an account of any cyber threat, breach, or 
                cyber attack that occurred at the Administration during 
                the 2-year period preceding the date on which the 
                report is submitted, and any action taken by the 
                Administration to respond to or remediate the cyber 
                threat, breach, or cyber attack.
            ``(3) Additional reports.--If the Administration determines 
        that there is a reasonable basis to conclude that a cyber 
        threat, breach, or cyber attack occurred at the Administration, 
        the Administration shall--
                    ``(A) not later than 7 days after the date on which 
                the Administration makes that determination, notify the 
                appropriate congressional committees of the cyber 
                threat, breach, or cyber attack; and
                    ``(B) not later than 30 days after the date on 
                which the Administration makes that determination, 
                submit to the appropriate congressional committees a 
                report that includes--
                            ``(i) a summary of information about the 
                        cyber threat, breach, or cyber attack, 
                        including how the cyber threat, breach, or 
                        cyber attack occurred, based on information 
                        available to the Administration as of the date 
                        which the Administration submits the report;
                            ``(ii) an estimate of the number of 
                        individuals and small entities affected by the 
                        cyber threat, breach, or cyber attack, 
                        including an assessment of the risk of harm to 
                        affected individuals and small entities based 
                        on information available to the Administration 
                        as of the date on which the Administration 
                        submits the report; and
                            ``(iii) an estimate of when the 
                        Administration will provide notice to affected 
                        individuals and small entities.
            ``(4) Rule of construction.--Nothing in this subsection 
        shall be construed to affect the reporting requirements of the 
        Administration under chapter 35 of title 44 United States Code, 
        in particular the requirement to notify the Federal information 
        security incident center under section 3554(b)(7)(C)(ii) of 
        such title, or any other provision of law.''.