[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3462 Referred in Senate (RFS)]

<DOC>
117th CONGRESS
  1st Session
                                H. R. 3462


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            November 3, 2021

  Received; read twice and referred to the Committee on Small Business 
                          and Entrepreneurship

_______________________________________________________________________

                                 AN ACT


 
To require an annual report on the cybersecurity of the Small Business 
                Administration, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``SBA Cyber Awareness Act''.

SEC. 2. CYBERSECURITY AWARENESS REPORTING.

    Section 10 of the Small Business Act (15 U.S.C. 639) is amended by 
inserting after subsection (a) the following:
    ``(b) Cybersecurity Reports.--
            ``(1) Annual report.--Not later than 180 days after the 
        date of enactment of this subsection, and every year 
        thereafter, the Administrator shall submit a report to the 
        appropriate congressional committees that includes--
                    ``(A) an assessment of the information technology 
                (as defined in section 11101 of title 40, United States 
                Code) and cybersecurity infrastructure of the 
                Administration;
                    ``(B) a strategy to increase the cybersecurity 
                infrastructure of the Administration;
                    ``(C) a detailed account of any information 
                technology equipment or interconnected system or 
                subsystem of equipment of the Administration that was 
                manufactured by an entity that has its principal place 
                of business located in the People's Republic of China; 
                and
                    ``(D) an account of any cybersecurity risk or 
                incident that occurred at the Administration during the 
                2-year period preceding the date on which the report is 
                submitted, and any action taken by the Administrator to 
                respond to or remediate any such cybersecurity risk or 
                incident.
            ``(2) Additional reports.--If the Administrator determines 
        that there is a reasonable basis to conclude that a 
        cybersecurity risk or incident occurred at the Administration, 
        the Administrator shall--
                    ``(A) not later than 7 days after the date on which 
                the Administrator makes that determination, notify the 
                appropriate congressional committees of the 
                cybersecurity risk or incident; and
                    ``(B) not later than 30 days after the date on 
                which the Administrator makes a determination under 
                subparagraph (A)--
                            ``(i) provide notice to individuals and 
                        small business concerns affected by the 
                        cybersecurity risk or incident; and
                            ``(ii) submit to the appropriate 
                        congressional committees a report, based on 
                        information available to the Administrator as 
                        of the date which the Administrator submits the 
                        report, that includes--
                                    ``(I) a summary of information 
                                about the cybersecurity risk or 
                                incident, including how the 
                                cybersecurity risk or incident 
                                occurred; and
                                    ``(II) an estimate of the number of 
                                individuals and small business concerns 
                                affected by the cybersecurity risk or 
                                incident, including an assessment of 
                                the risk of harm to affected 
                                individuals and small business 
                                concerns.
            ``(3) Rule of construction.--Nothing in this subsection 
        shall be construed to affect the reporting requirements of the 
        Administrator under chapter 35 of title 44, United States Code, 
        in particular the requirement to notify the Federal information 
        security incident center under section 3554(b)(7)(C)(ii) of 
        such title, or any other provision of law.
            ``(4) Definitions.--In this subsection:
                    ``(A) Appropriate congressional committees.--The 
                term `appropriate congressional committees' means--
                            ``(i) the Committee on Small Business and 
                        Entrepreneurship of the Senate; and
                            ``(ii) the Committee on Small Business of 
                        the House of Representatives.
                    ``(B) Cybersecurity risk; incident.--The terms 
                `cybersecurity risk' and `incident' have the meanings 
                given such terms, respectively, under section 2209(a) 
                of the Homeland Security Act of 2002.''.

            Passed the House of Representatives November 2, 2021.

            Attest:

                                             CHERYL L. JOHNSON,

                                                                 Clerk.