II
Calendar No. 52
116th CONGRESS
1st Session
S. 772
IN THE SENATE OF THE UNITED STATES
March 13, 2019
Mr. Rubio (for himself, Mr. Cardin, Mr. Risch, and Mr. Hawley) introduced the following bill; which was read twice and referred to the Committee on Small Business and Entrepreneurship
April 1, 2019
Reported by Mr. Rubio, with an amendment
Strike out all after the enacting clause and insert the part printed in italic
A BILL
To require an annual report on the cybersecurity of the Small Business Administration, and for other purposes.
	
		1. Short title. This Act may be cited as the SBA Cyber Awareness Act.
		2. Cybersecurity awareness reporting. Section 10 of the Small Business Act (15 U.S.C. 639) is amended by striking subsection (b) and inserting the following:
			
				(b) Cybersecurity reports
					(1) Definition. In this subsection, the term appropriate congressional committees means—
						(A) the Committee on Small Business and Entrepreneurship of the Senate; and
						(B) the Committee on Small Business of the House of Representatives.
					(2) Annual report. Not later than 180 days after the date of enactment of the SBA Cyber Awareness Act, and every year thereafter, the Administration shall submit a report to the appropriate congressional committees that includes—
						(A) an assessment of the information technology and cybersecurity of the Administration;
						(B) a strategy to increase the cybersecurity of the Administration;
						(C) a detailed account of any information technology component or system of the Administration that was manufactured by a company located in the People's Republic of China; and
						(D) an account of any cyber threat, breach, or cyber attack that occurred at the Administration during the 2-year period preceding the date on which the report is submitted, and any action taken by the Administration to respond to or remediate the cyber threat, breach, or cyber attack.
					(3) Additional reports. If the Administration determines that there is a reasonable basis to conclude that a cyber threat, breach, or cyber attack occurred at the Administration, the Administration shall—
						(A) not later than 7 days after the date on which the Administration makes that determination, notify the appropriate congressional committees of the cyber threat, breach, or cyber attack; and
						(B) not later than 30 days after the date on which the Administration makes that determination, submit to the appropriate congressional committees a report that includes—
							(i) a summary of information about the cyber threat, breach, or cyber attack, including how the cyber threat, breach, or cyber attack occurred, based on information available to the Administration as of the date which the Administration submits the report;
							(ii) an estimate of the number of individuals and small entities affected by the cyber threat, breach, or cyber attack, including an assessment of the risk of harm to affected individuals and small entities based on information available to the Administration as of the date on which the Administration submits the report; and
							(iii) an estimate of when the Administration will provide notice to affected individuals and small entities.
					(4) Rule of construction. Nothing in this subsection shall be construed to affect the reporting requirements of the Administration under chapter 35 of title 44 United States Code, in particular the requirement to notify the Federal information security incident center under section 3554(b)(7)(C)(ii) of such title, or any other provision of law.
	
		1. Short title. This Act may be cited as the SBA Cyber Awareness Act.
		2. Cybersecurity awareness reporting. Section 10 of the Small Business Act (15 U.S.C. 639) is amended by inserting after subsection (a) the following:
			
				(b) Cybersecurity reports
					(1) Definitions. In this subsection—
						(A) the term appropriate congressional committees means—
							(i) the Committee on Small Business and Entrepreneurship of the Senate; and
							(ii) the Committee on Small Business of the House of Representatives; and
						(B) the term major incident has the meaning given the term in the Office of Management and Budget Memorandum on Federal Information Security and Privacy Management Requirements, dated October 16, 2017 (M–18–02), or any successor memorandum.
					(2) Annual report. Not later than 180 days after the date of enactment of the SBA Cyber Awareness Act, and every year thereafter, the Administration shall submit to the appropriate congressional committees a report that includes—
						(A) an assessment of the information technology and cybersecurity of the Administration;
						(B) a strategy to increase the cybersecurity of the Administration;
						(C) a detailed account of any information technology component or system of the Administration that was manufactured by a company located in the People's Republic of China; and
						(D) an account of any major incident that occurred at the Administration during the 2-year period preceding the date on which the report is submitted, and any action taken by the Administration to respond to or remediate the major incident.
					(3) Additional reports. If the Administration determines that there is a reasonable basis to conclude that a major incident occurred at the Administration, the Administration shall—
						(A) not later than 7 days after the date on which the Administration makes that determination, notify the appropriate congressional committees of the major incident; and
						(B) not later than 30 days after the date on which the Administration makes that determination, submit to the appropriate congressional committees a report that includes—
							(i) a summary of information about the major incident, including how the major incident occurred, based on information available to the Administration as of the date which the Administration submits the report;
							(ii) an estimate of the number of individuals and small entities affected by the major incident, including an assessment of the risk of harm to affected individuals and small entities based on information available to the Administration as of the date on which the Administration submits the report; and
							(iii) an estimate of when the Administration will provide notice to affected individuals and small entities.
					(4) Rule of construction. Nothing in this subsection shall be construed to affect the reporting requirements of the Administration under chapter 35 of title 44 United States Code, in particular the requirement to notify the Federal information security incident center under section 3554(b)(7)(C)(ii) of such title, or any other provision of law.

April 1, 2019
Reported with an amendment