[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 772 Reported in Senate (RS)]

                                                        Calendar No. 52
116th CONGRESS
  1st Session
                                 S. 772

To require an annual report on the cybersecurity of the Small Business 
                Administration, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 13, 2019

    Mr. Rubio (for himself, Mr. Cardin, Mr. Risch, and Mr. Hawley) 
introduced the following bill; which was read twice and referred to the 
            Committee on Small Business and Entrepreneurship

                             April 1, 2019

                Reported by Mr. Rubio, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
To require an annual report on the cybersecurity of the Small Business 
                Administration, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``SBA Cyber Awareness 
Act''.</DELETED>

<DELETED>SEC. 2. CYBERSECURITY AWARENESS REPORTING.</DELETED>

<DELETED>    Section 10 of the Small Business Act (15 U.S.C. 639) is 
amended by striking subsection (b) and inserting the 
following:</DELETED>
<DELETED>    ``(b) Cybersecurity Reports.--</DELETED>
        <DELETED>    ``(1) Definition.--In this subsection, the term 
        `appropriate congressional committees' means--</DELETED>
                <DELETED>    ``(A) the Committee on Small Business and 
                Entrepreneurship of the Senate; and</DELETED>
                <DELETED>    ``(B) the Committee on Small Business of 
                the House of Representatives.</DELETED>
        <DELETED>    ``(2) Annual report.--Not later than 180 days 
        after the date of enactment of the SBA Cyber Awareness Act, and 
        every year thereafter, the Administration shall submit a report 
        to the appropriate congressional committees that includes--
        </DELETED>
                <DELETED>    ``(A) an assessment of the information 
                technology and cybersecurity of the 
                Administration;</DELETED>
                <DELETED>    ``(B) a strategy to increase the 
                cybersecurity of the Administration;</DELETED>
                <DELETED>    ``(C) a detailed account of any 
                information technology component or system of the 
                Administration that was manufactured by a company 
                located in the People's Republic of China; 
                and</DELETED>
                <DELETED>    ``(D) an account of any cyber threat, 
                breach, or cyber attack that occurred at the 
                Administration during the 2-year period preceding the 
                date on which the report is submitted, and any action 
                taken by the Administration to respond to or remediate 
                the cyber threat, breach, or cyber attack.</DELETED>
        <DELETED>    ``(3) Additional reports.--If the Administration 
        determines that there is a reasonable basis to conclude that a 
        cyber threat, breach, or cyber attack occurred at the 
        Administration, the Administration shall--</DELETED>
                <DELETED>    ``(A) not later than 7 days after the date 
                on which the Administration makes that determination, 
                notify the appropriate congressional committees of the 
                cyber threat, breach, or cyber attack; and</DELETED>
                <DELETED>    ``(B) not later than 30 days after the 
                date on which the Administration makes that 
                determination, submit to the appropriate congressional 
                committees a report that includes--</DELETED>
                        <DELETED>    ``(i) a summary of information 
                        about the cyber threat, breach, or cyber 
                        attack, including how the cyber threat, breach, 
                        or cyber attack occurred, based on information 
                        available to the Administration as of the date 
                        which the Administration submits the 
                        report;</DELETED>
                        <DELETED>    ``(ii) an estimate of the number 
                        of individuals and small entities affected by 
                        the cyber threat, breach, or cyber attack, 
                        including an assessment of the risk of harm to 
                        affected individuals and small entities based 
                        on information available to the Administration 
                        as of the date on which the Administration 
                        submits the report; and</DELETED>
                        <DELETED>    ``(iii) an estimate of when the 
                        Administration will provide notice to affected 
                        individuals and small entities.</DELETED>
        <DELETED>    ``(4) Rule of construction.--Nothing in this 
        subsection shall be construed to affect the reporting 
        requirements of the Administration under chapter 35 of title 44 
        United States Code, in particular the requirement to notify the 
        Federal information security incident center under section 
        3554(b)(7)(C)(ii) of such title, or any other provision of 
        law.''.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``SBA Cyber Awareness Act''.

SEC. 2. CYBERSECURITY AWARENESS REPORTING.

    Section 10 of the Small Business Act (15 U.S.C. 639) is amended by 
inserting after subsection (a) the following:
    ``(b) Cybersecurity Reports.--
            ``(1) Definitions.--In this subsection--
                    ``(A) the term `appropriate congressional 
                committees' means--
                            ``(i) the Committee on Small Business and 
                        Entrepreneurship of the Senate; and
                            ``(ii) the Committee on Small Business of 
                        the House of Representatives; and
                    ``(B) the term `major incident' has the meaning 
                given the term in the Office of Management and Budget 
                Memorandum on Federal Information Security and Privacy 
                Management Requirements, dated October 16, 2017 
                (M-18-02), or any successor memorandum.
            ``(2) Annual report.--Not later than 180 days after the 
        date of enactment of the SBA Cyber Awareness Act, and every 
        year thereafter, the Administration shall submit to the 
        appropriate congressional committees a report that includes--
                    ``(A) an assessment of the information technology 
                and cybersecurity of the Administration;
                    ``(B) a strategy to increase the cybersecurity of 
                the Administration;
                    ``(C) a detailed account of any information 
                technology component or system of the Administration 
                that was manufactured by a company located in the 
                People's Republic of China; and
                    ``(D) an account of any major incident that 
                occurred at the Administration during the 2-year period 
                preceding the date on which the report is submitted, 
                and any action taken by the Administration to respond 
                to or remediate the major incident.
            ``(3) Additional reports.--If the Administration determines 
        that there is a reasonable basis to conclude that a major 
        incident occurred at the Administration, the Administration 
        shall--
                    ``(A) not later than 7 days after the date on which 
                the Administration makes that determination, notify the 
                appropriate congressional committees of the major 
                incident; and
                    ``(B) not later than 30 days after the date on 
                which the Administration makes that determination, 
                submit to the appropriate congressional committees a 
                report that includes--
                            ``(i) a summary of information about the 
                        major incident, including how the major 
                        incident occurred, based on information 
                        available to the Administration as of the date 
                        which the Administration submits the report;
                            ``(ii) an estimate of the number of 
                        individuals and small entities affected by the 
                        major incident, including an assessment of the 
                        risk of harm to affected individuals and small 
                        entities based on information available to the 
                        Administration as of the date on which the 
                        Administration submits the report; and
                            ``(iii) an estimate of when the 
                        Administration will provide notice to affected 
                        individuals and small entities.
            ``(4) Rule of construction.--Nothing in this subsection 
        shall be construed to affect the reporting requirements of the 
        Administration under chapter 35 of title 44 United States Code, 
        in particular the requirement to notify the Federal information 
        security incident center under section 3554(b)(7)(C)(ii) of 
        such title, or any other provision of law.''.