[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4513 Introduced in House (IH)]

<DOC>






117th CONGRESS
  1st Session
                                H. R. 4513

To amend the Small Business Act to provide for the establishment of an 
enhanced cybersecurity assistance and protections for small businesses, 
                        and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 19, 2021

Mr. Donalds (for himself, Ms. Velazquez, Mr. Chabot, and Ms. Houlahan) 
 introduced the following bill; which was referred to the Committee on 
                             Small Business

_______________________________________________________________________

                                 A BILL


 
To amend the Small Business Act to provide for the establishment of an 
enhanced cybersecurity assistance and protections for small businesses, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Small Business Advanced 
Cybersecurity Enhancements Act of 2021''.

SEC. 2. ENHANCED CYBERSECURITY ASSISTANCE AND PROTECTIONS FOR SMALL 
              BUSINESSES.

    Section 21(a) of the Small Business Act (15 U.S.C. 648(a)) is 
amended by adding at the end the following new paragraph:
            ``(9) Small business cybersecurity assistance and 
        protections.--
                    ``(A) Establishment of small business cybersecurity 
                assistance units.--The Administrator of the Small 
                Business Administration, in coordination with the 
                Secretary of Commerce, and in consultation with the 
                Secretary of Homeland Security and the Attorney 
                General, shall establish--
                            ``(i) in the Administration, a central 
                        small business cybersecurity assistance unit; 
                        and
                            ``(ii) within each small business 
                        development center, a regional small business 
                        cybersecurity assistance unit.
                    ``(B) Duties of the central small business 
                cybersecurity assistance unit.--
                            ``(i) In general.--The central small 
                        business cybersecurity assistance unit 
                        established under subparagraph (A)(i) shall 
                        serve as the primary interface for small 
                        business concerns to receive and share cyber 
                        threat indicators and defensive measures with 
                        the Federal Government.
                            ``(ii) Use of capability and processes.--
                        The central small business cybersecurity 
                        assistance unit shall use the capability and 
                        process certified pursuant to section 
                        105(c)(2)(A) of the Cybersecurity Information 
                        Sharing Act of 2015 (6 U.S.C. 1504(c)(2)(A)) to 
                        receive cyber threat indicators or defensive 
                        measures from small business concerns.
                            ``(iii) Application of cisa.--A small 
                        business concern that receives or shares cyber 
                        threat indicators and defensive measures with 
                        the Federal Government through the central 
                        small business cybersecurity assistance unit 
                        established under subparagraph (A)(i), or with 
                        any appropriate entity pursuant to section 
                        103(c) of the Cybersecurity Information Sharing 
                        Act of 2015 (6 U.S.C. 1503(c)), shall receive 
                        the protections and exemptions provided in such 
                        Act and this paragraph.
                    ``(C) Relation to nccic.--
                            ``(i) Central small business cybersecurity 
                        assistance unit.--The central small business 
                        cybersecurity assistance unit established under 
                        subparagraph (A)(i) shall be collocated with 
                        the national cybersecurity and communications 
                        integration center.
                            ``(ii) Access to information.--The national 
                        cybersecurity and communications integration 
                        center shall have access to all cyber threat 
                        indicators or defensive measures shared with 
                        the central small cybersecurity assistance unit 
                        established under subparagraph (A)(i) through 
                        the use of the capability and process described 
                        in subparagraph (B)(ii).
                    ``(D) Cybersecurity assistance for small 
                businesses.--The central small business cybersecurity 
                assistance unit established under subparagraph (A)(i) 
                shall--
                            ``(i) work with each regional small 
                        business cybersecurity assistance unit 
                        established under subparagraph (A)(ii) to 
                        provide cybersecurity assistance to small 
                        business concerns;
                            ``(ii) leverage resources from the 
                        Administration, the Department of Commerce, the 
                        Department of Homeland Security, the Department 
                        of Justice, the Department of the Treasury, the 
                        Department of State, and any other Federal 
                        department or agency the Administrator 
                        determines appropriate, in order to help 
                        improve the cybersecurity posture of small 
                        business concerns;
                            ``(iii) coordinate with the Department of 
                        Homeland Security to identify and disseminate 
                        information to small business concerns in a 
                        form that is accessible and actionable by small 
                        business concerns;
                            ``(iv) coordinate with the National 
                        Institute of Standards and Technology to 
                        identify and disseminate information to small 
                        business concerns on the most cost-effective 
                        methods for implementing elements of the 
                        cybersecurity framework of the National 
                        Institute of Standards and Technology 
                        applicable to improving the cybersecurity 
                        posture of small business concerns;
                            ``(v) seek input from the Office of 
                        Advocacy of the Administration to ensure that 
                        any policies or procedures adopted by any 
                        department, agency, or instrumentality of the 
                        Federal Government do not unduly add regulatory 
                        burdens to small business concerns in a manner 
                        that will hamper the improvement of the 
                        cybersecurity posture of such small business 
                        concerns; and
                            ``(vi) leverage resources and relationships 
                        with representatives and entities involved in 
                        the national cybersecurity and communications 
                        integration center to publicize the capacity of 
                        the Federal Government to assist small business 
                        concerns in improving cybersecurity practices.
                    ``(E) Enhanced cybersecurity protections for small 
                businesses.--
                            ``(i) In general.--Notwithstanding any 
                        other provision of law, no cause of action 
                        shall lie or be maintained in any court against 
                        any small business concern, and such action 
                        shall be promptly dismissed, if such action is 
                        related to or arises out of--
                                    ``(I) any activity authorized under 
                                this paragraph or the Cybersecurity 
                                Information Sharing Act of 2015 (6 
                                U.S.C. 1501 et seq.); or
                                    ``(II) any action or inaction in 
                                response to any cyber threat indicator, 
                                defensive measure, or other information 
                                shared or received pursuant to this 
                                paragraph or the Cybersecurity 
                                Information Sharing Act of 2015 (6 
                                U.S.C. 1501 et seq.).
                            ``(ii) Application.--The exception provided 
                        in section 105(d)(5)(D)(ii)(I) of the 
                        Cybersecurity Information Sharing Act of 2015 
                        (6 U.S.C. 1504(d)(5)(D)(ii)(I)) shall not apply 
                        to any cyber threat indicator or defensive 
                        measure shared or received by small business 
                        concerns pursuant to this paragraph or the 
                        Cybersecurity Information Sharing Act of 2015 
                        (6 U.S.C. 1501 et seq.).
                            ``(iii) Rule of construction.--Nothing in 
                        this subparagraph shall be construed to affect 
                        the applicability or merits of any defense, 
                        motion, or argument in any cause of action in a 
                        court brought against an entity that is not a 
                        small business concern.
                    ``(F) Definitions.--In this paragraph:
                            ``(i) CISA definitions.--The terms `cyber 
                        threat indicator' and `defensive measure' have 
                        the meanings given such terms, respectively, in 
                        section 102 of the Cybersecurity Information 
                        Sharing Act of 2015 (6 U.S.C. 1501).
                            ``(ii) National cybersecurity and 
                        communications integration center.--The term 
                        `national cybersecurity and communications 
                        integration center' means the national 
                        cybersecurity and communications integration 
                        center established under section 227 of the 
                        Homeland Security Act of 2002 (6 U.S.C. 
                        148).''.

SEC. 3. PROHIBITION ON NEW APPROPRIATIONS.

    (a) In General.--No additional funds are authorized to be 
appropriated to carry out this Act and the amendments made by this Act.
    (b) Existing Funding.--This Act and the amendments made by this Act 
shall be carried out using amounts made available under section 
21(a)(4)(C)(viii) of the Small Business Act (15 U.S.C. 
648(a)(4)(viii)).
    (c) Technical and Conforming Amendment.--Section 21(a)(4)(C)(viii) 
of the Small Business Act (15 U.S.C.648(a)(4)(C)(viii)) is amended to 
read as follows:
                            ``(viii) Limitation.--
                                    ``(I) Cybersecurity assistance.--
                                From the funds appropriated pursuant to 
                                clause (vii), the Administration shall 
                                reserve not less than $1,000,000 in 
                                each fiscal year to develop 
                                cybersecurity assistance units at small 
                                business development centers under 
                                paragraph (9).
                                    ``(II) Portable assistance.--
                                            ``(aa) In general.--Any 
                                        funds appropriated pursuant to 
                                        clause (vii) that are remaining 
                                        after reserving amounts under 
                                        subclause (I) may be used for 
                                        portable assistance for startup 
                                        and sustainability non-matching 
                                        grant programs to be conducted 
                                        by eligible small business 
                                        development centers in 
                                        communities that are 
                                        economically challenged as a 
                                        result of a business or 
                                        government facility down sizing 
                                        or closing, which has resulted 
                                        in the loss of jobs or small 
                                        business instability.
                                            ``(bb) Grant amount and 
                                        use.--A non-matching grant 
                                        under this subclause shall not 
                                        exceed $100,000, and shall be 
                                        used for small business 
                                        development center personnel 
                                        expenses and related small 
                                        business programs and 
                                        services.''.
                                 <all>