[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3462 Enrolled Bill (ENR)]

        H.R.3462

                    One Hundred Seventeenth Congress

                                 of the

                        United States of America


                          AT THE SECOND SESSION

           Begun and held at the City of Washington on Monday,
          the third day of January, two thousand and twenty-two


                                 An Act


 
 To require an annual report on the cybersecurity of the Small Business 
                 Administration, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
    This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. CYBERSECURITY AWARENESS REPORTING.
    (a) In General.--Section 10 of the Small Business Act (15 U.S.C. 
639) is amended by inserting after subsection (a) the following:
    ``(b) Cybersecurity Reports.--
        ``(1) Annual report.--Not later than 180 days after the date of 
    enactment of this subsection, and every year thereafter, the 
    Administrator shall submit a report to the appropriate 
    congressional committees that includes--
            ``(A) a strategy to increase the cybersecurity of 
        information technology infrastructure of the Administration;
            ``(B) a supply chain risk management strategy and an 
        implementation plan to address the risks of foreign 
        manufactured information technology equipment utilized by the 
        Administration, including specific risk mitigation activities 
        for components originating from entities with principal places 
        of business located in the People's Republic of China; and
            ``(C) an account of--
                ``(i) any incident that occurred at the Administration 
            during the 2-year period preceding the date on which the 
            first report is submitted, and, for subsequent reports, the 
            1-year period preceding the date of submission; and
                ``(ii) any action taken by the Administrator to respond 
            to or remediate any such incident.
        ``(2) FISMA reports.--Each report required under paragraph (1) 
    may be submitted as part of the report required under section 3554 
    of title 44, United States Code.
        ``(3) Rule of construction.--Nothing in this subsection shall 
    be construed to affect the reporting requirements of the 
    Administrator under chapter 35 of title 44, United States Code, in 
    particular the requirement to notify the Federal information 
    security incident center under section 3554(b)(7)(C)(ii) of such 
    title, any guidance issued by the Office of Management and Budget, 
    or any other provision of law or Federal policy.
        ``(4) Definitions.--In this subsection:
            ``(A) Appropriate congressional committees.--The term 
        `appropriate congressional committees' means--
                ``(i) the Committee on Small Business and 
            Entrepreneurship of the Senate;
                ``(ii) the Committee on Homeland Security and 
            Governmental Affairs of the Senate;
                ``(iii) the Committee on Small Business of the House of 
            Representatives; and
                ``(iv) the Committee on Oversight and Reform of the 
            House of Representatives.
            ``(B) Incident.--The term `incident' has the meaning given 
        the term in section 3552 of title 44, United States Code.
            ``(C) Information technology.--The term `information 
        technology' has the meaning given the term in section 3502 of 
        title 44, United States Code.''.
    (b) Report.--Not later than 1 year after the date of enactment of 
this Act, the Administrator of the Small Business Administration shall, 
to the greatest extent practicable, provide to the Committee on Small 
Business and Entrepreneurship of the Senate, the Committee on Homeland 
Security and Governmental Affairs of the Senate, the Committee on Small 
Business of the House of Representatives, and the Committee on 
Oversight and Reform of the House of Representatives a detailed account 
of information technology (as defined in section 3502 of title 44, 
United States Code) of the Small Business Administration that was 
manufactured by an entity that has its principal place of business 
located in the People's Republic of China.

                               Speaker of the House of Representatives.

                            Vice President of the United States and    
                                               President of the Senate.