[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2483 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 573
117th CONGRESS
  2d Session
                                S. 2483

                          [Report No. 117-217]

    To require the Director of the Cybersecurity and Infrastructure 
     Security Agency to establish cybersecurity guidance for small 
                 organizations, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 27, 2021

    Ms. Rosen (for herself, Mr. Cornyn, Mr. Ossoff, and Ms. Hassan) 
introduced the following bill; which was read twice and referred to the 
        Committee on Homeland Security and Governmental Affairs

                            December 5, 2022

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
    To require the Director of the Cybersecurity and Infrastructure 
     Security Agency to establish cybersecurity guidance for small 
                 organizations, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Improving Cybersecurity of 
Small Organizations Act of 2021''.</DELETED>

<DELETED>SEC. 2. IMPROVING CYBERSECURITY OF SMALL 
              ORGANIZATIONS.</DELETED>

<DELETED>    (a) Definitions.--In this section:</DELETED>
        <DELETED>    (1) Administration.--The term ``Administration'' 
        means the Small Business Administration.</DELETED>
        <DELETED>    (2) Administrator.--The term ``Administrator'' 
        means the Administrator of the Administration.</DELETED>
        <DELETED>    (3) Commission.--The term ``Commission'' means the 
        Federal Trade Commission.</DELETED>
        <DELETED>    (4) Connected device.--The term ``connected 
        device'' means any electronic equipment that is--</DELETED>
                <DELETED>    (A) primarily designed for or marketed to 
                consumers;</DELETED>
                <DELETED>    (B) capable of connecting to the internet 
                or another communication network; and</DELETED>
                <DELETED>    (C) capable of sending, receiving, or 
                processing personal information.</DELETED>
        <DELETED>    (5) Cybersecurity guidance.--The term 
        ``cybersecurity guidance'' means the cybersecurity guidance 
        maintained and promoted under subsections (b) and (c), 
        respectively.</DELETED>
        <DELETED>    (6) Director.--The term ``Director'' means the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency.</DELETED>
        <DELETED>    (7) NIST.--The term ``NIST'' means the National 
        Institute of Standards and Technology.</DELETED>
        <DELETED>    (8) Secretary.--The term ``Secretary'' means the 
        Secretary of Commerce.</DELETED>
        <DELETED>    (9) Small business.--The term ``small business'' 
        has the meaning given the term ``small business concern'' in 
        section 3 of the Small Business Act (15 U.S.C. 632).</DELETED>
        <DELETED>    (10) Small governmental jurisdiction.--The term 
        ``small governmental jurisdiction'' has the meaning given the 
        term in section 601 of title 5, United States Code.</DELETED>
        <DELETED>    (11) Small nonprofit.--The term ``small 
        nonprofit'' has the meaning given the term ``small 
        organization'' in section 601 of title 5, United States 
        Code.</DELETED>
        <DELETED>    (12) Small organization.--The term ``small 
        organization'' means an organization that is unlikely to employ 
        a specialist in cybersecurity, including--</DELETED>
                <DELETED>    (A) a small business;</DELETED>
                <DELETED>    (B) a small nonprofit; and</DELETED>
                <DELETED>    (C) a small governmental 
                jurisdiction.</DELETED>
<DELETED>    (b) Cybersecurity Guidance.--</DELETED>
        <DELETED>    (1) In general.--The Director shall maintain 
        cybersecurity guidance that documents and promotes evidence-
        based cybersecurity policies and controls for use by small 
        organizations, which shall--</DELETED>
                <DELETED>    (A) include simple, basic controls that 
                have the most impact in protecting small organizations 
                against common cybersecurity threats and 
                risks;</DELETED>
                <DELETED>    (B) include guidance to address common 
                cybersecurity threats and risks posed by connected 
                devices that are personal to the employees and 
                contractors of small organizations, as well as 
                connected devices that are issued to those employees 
                and contractors by small organizations; and</DELETED>
                <DELETED>    (C) recommend--</DELETED>
                        <DELETED>    (i) measures to improve the 
                        cybersecurity of small organizations; 
                        and</DELETED>
                        <DELETED>    (ii) configurations and settings 
                        for some of the most commonly used software 
                        that can improve the cybersecurity of small 
                        organizations.</DELETED>
        <DELETED>    (2) Consistency.--The Director shall ensure the 
        cybersecurity guidance maintained under paragraph (1) is 
        consistent with--</DELETED>
                <DELETED>    (A) cybersecurity resources developed by 
                NIST, as required by the NIST Small Business 
                Cybersecurity Act (Public Law 115-236); and</DELETED>
                <DELETED>    (B) the most recent version of the 
                Cybersecurity Framework, or successor resource, 
                maintained by NIST.</DELETED>
        <DELETED>    (3) Guidance for specific types of small 
        organizations.--The Director may include cybersecurity 
        guidance, as required under paragraph (1), appropriate for 
        specific types of small organizations in addition to guidance 
        applicable for all small organizations.</DELETED>
        <DELETED>    (4) Updates.--</DELETED>
                <DELETED>    (A) In general.--The Director shall review 
                the cybersecurity guidance maintained under paragraph 
                (1) not less frequently than annually and update the 
                cybersecurity guidance as appropriate.</DELETED>
                <DELETED>    (B) Consultation.--In updating the 
                cybersecurity guidance under subparagraph (A), the 
                Director shall, to the degree practicable and as 
                appropriate, consult with--</DELETED>
                        <DELETED>    (i) the Administrator, the 
                        Secretary, and the Commission;</DELETED>
                        <DELETED>    (ii) small organizations, 
                        insurers, State governments, companies that 
                        work with small organizations, and academic and 
                        Federal and non-Federal experts in 
                        cybersecurity; and</DELETED>
                        <DELETED>    (iii) any other entity as 
                        determined by the Director.</DELETED>
        <DELETED>    (5) User interface.--As appropriate, the Director 
        shall consult with experts regarding the design of a user 
        interface for the cybersecurity guidance.</DELETED>
<DELETED>    (c) Promotion of Cybersecurity Guidance for Small 
Businesses.--</DELETED>
        <DELETED>    (1) Public availability.--The cybersecurity 
        guidance maintained under subsection (b)(1) shall be--</DELETED>
                <DELETED>    (A) made available, prominently and free 
                of charge, on the public website of the Cybersecurity 
                and Infrastructure Security Agency; and</DELETED>
                <DELETED>    (B) linked to from relevant portions of 
                the websites of the Administration and the Minority 
                Business Development Agency.</DELETED>
        <DELETED>    (2) Promotion generally.--The Director, the 
        Administrator, and the Secretary shall, to the degree 
        practicable, promote the cybersecurity guidance through 
        relevant resources that are intended for or known to be 
        regularly used by small organizations, including agency 
        documents, websites, and events.</DELETED>
<DELETED>    (d) Report on Incentivizing Cybersecurity for Small 
Organizations.--</DELETED>
        <DELETED>    (1) In general.--Not later than 1 year after the 
        date of enactment of this Act, the Secretary shall submit to 
        Congress a report describing methods to incentivize small 
        organizations to improve their cybersecurity, including through 
        the adoption of policies, controls, products and services that 
        have been demonstrated to reduce cybersecurity risk.</DELETED>
        <DELETED>    (2) Matters to be included.--The report required 
        under paragraph (1) shall--</DELETED>
                <DELETED>    (A) identify barriers or challenges for 
                small organizations in purchasing or acquiring products 
                and services that promote the cybersecurity;</DELETED>
                <DELETED>    (B) assess market availability, market 
                pricing, and affordability of products and services 
                that promote the cybersecurity for small organizations, 
                with particular attention to identifying high-risk and 
                underserved sectors or regions;</DELETED>
                <DELETED>    (C) estimate the cost of tax breaks, 
                grants, subsidies, or other incentives to increase the 
                adoption of policies and controls or acquisition of 
                products and services that promote the cybersecurity of 
                small organizations;</DELETED>
                <DELETED>    (D) as practicable, consult the 
                certifications and requirement for cloud services 
                described in the final report of the Cyberspace 
                Solarium Commission established under section 1652 of 
                the John S. McCain National Defense Authorization Act 
                for Fiscal Year 2019 (Public Law 115-232; 132 Stat. 
                2140);</DELETED>
                <DELETED>    (E) describe evidence-based cybersecurity 
                controls and policies that improve cybersecurity for 
                small organizations;</DELETED>
                <DELETED>    (F) with respect to the incentives 
                described in subparagraph (C), recommend measures that 
                can effectively improve cybersecurity at scale for 
                small organizations; and</DELETED>
                <DELETED>    (G) include any other matters as the 
                Secretary determines relevant.</DELETED>
        <DELETED>    (3) Guidance for specific types of small 
        organizations.--In preparing the report required under 
        paragraph (1), the Secretary may include matters applicable for 
        specific types of small organizations in addition to matters 
        applicable to all small organizations.</DELETED>
        <DELETED>    (4) Consultation.--In preparing the report 
        required under paragraph (1), the Secretary shall consult 
        with--</DELETED>
                <DELETED>    (A) the Administrator, the Director, and 
                the Commission; and</DELETED>
                <DELETED>    (B) small organizations, insurers of risks 
                related to cybersecurity, State governments, 
                cybersecurity and information technology companies that 
                work with small organizations, and academic and Federal 
                and non-Federal experts in cybersecurity.</DELETED>
<DELETED>    (e) Periodic Census on State of Cybersecurity of Small 
Businesses.--</DELETED>
        <DELETED>    (1) In general.--Not later than 1 year after the 
        date of enactment of this Act and not less frequently than 
        every 24 months thereafter for not more than 10 years, the 
        Administrator shall submit to Congress and make publicly 
        available data on the state of cybersecurity of small 
        businesses, including--</DELETED>
                <DELETED>    (A) adoption of the cybersecurity guidance 
                among small businesses;</DELETED>
                <DELETED>    (B) the most significant and widespread 
                cybersecurity threats facing small 
                businesses;</DELETED>
                <DELETED>    (C) the amount small businesses spend on 
                cybersecurity products and services; and</DELETED>
                <DELETED>    (D) the personnel small businesses 
                dedicate to cybersecurity (including the amount of 
                total personnel time, whether by employees or 
                contractors, dedicated to cybersecurity 
                efforts).</DELETED>
        <DELETED>    (2) Form.--The report required under paragraph (1) 
        shall be produced in unclassified form but may contain a 
        classified annex.</DELETED>
        <DELETED>    (3) Consultation.--In preparing the report 
        required under paragraph (1), the Administrator shall consult 
        with--</DELETED>
                <DELETED>    (A) the Secretary, the Director, and the 
                Commission; and</DELETED>
                <DELETED>    (B) small businesses, insurers of risks 
                related to cybersecurity, cybersecurity and information 
                technology companies that work with small businesses, 
                and academic and Federal and non-Federal experts in 
                cybersecurity.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Improving Cybersecurity of Small 
Businesses, Nonprofits, and Local Governments Act of 2021''.

SEC. 2. IMPROVING CYBERSECURITY OF SMALL ENTITIES.

    (a) Definitions.--In this section:
            (1) Administrator.--The term ``Administrator'' means the 
        Administrator of the Small Business Administration.
            (2) Annual cybersecurity report; small business; small 
        entity; small governmental jurisdiction; small organization.--
        The terms ``annual cybersecurity report'', ``small business'', 
        ``small entity'', ``small governmental jurisdiction'', and 
        ``small organization'' have the meanings given those terms in 
        section 2220D of the Homeland Security Act of 2002, as added by 
        subsection (b).
            (3) CISA.--The term ``CISA'' means the Cybersecurity and 
        Infrastructure Security Agency.
            (4) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (5) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce.
    (b) Annual Report.--
            (1) Amendment.--Subtitle A of title XXII of the Homeland 
        Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by 
        adding at the end the following:

``SEC. 2220D. ANNUAL CYBERSECURITY REPORT FOR SMALL ENTITIES.

    ``(a) Definitions.--
            ``(1) Administration.--The term `Administration' means the 
        Small Business Administration.
            ``(2) Administrator.--The term `Administrator' means the 
        Administrator of the Administration.
            ``(3) Annual cybersecurity report.--The term `annual 
        cybersecurity report' means the annual cybersecurity report 
        published and promoted under subsections (b) and (c), 
        respectively.
            ``(4) Commission.--The term `Commission' means the Federal 
        Trade Commission.
            ``(5) Electronic device.--The term `electronic device' 
        means any electronic equipment that is--
                    ``(A) used by an employee or contractor of a small 
                entity for the purpose of performing work for the small 
                entity;
                    ``(B) capable of connecting to the internet or 
                another communication network; and
                    ``(C) capable of sending, receiving, or processing 
                personal information.
            ``(6) NIST.--The term `NIST' means the National Institute 
        of Standards and Technology.
            ``(7) Small business.--The term `small business' has the 
        meaning given the term `small business concern' in section 3 of 
        the Small Business Act (15 U.S.C. 632).
            ``(8) Small entity.--The term `small entity' means--
                    ``(A) a small business;
                    ``(B) a small governmental jurisdiction; and
                    ``(C) a small organization.
            ``(9) Small governmental jurisdiction.--The term `small 
        governmental jurisdiction' means governments of cities, 
        counties, towns, townships, villages, school districts, or 
        special districts with a population of less than 50,000.
            ``(10) Small organization.--The term `small organization' 
        means any not-for-profit enterprise that is independently owned 
        and operated and is not dominant in its field.
    ``(b) Annual Cybersecurity Report.--
            ``(1) In general.--Not later than 180 days after the date 
        of enactment of this section, and not less frequently than 
        annually thereafter, the Director shall publish a report for 
        small entities that documents and promotes evidence-based 
        cybersecurity policies and controls for use by small entities, 
        which shall--
                    ``(A) include basic controls that have the most 
                impact in protecting small entities against common 
                cybersecurity threats and risks;
                    ``(B) include protocols and policies to address 
                common cybersecurity threats and risks posed by 
                electronic devices, regardless of whether the 
                electronic devices are--
                            ``(i) issued by the small entity to 
                        employees and contractors of the small entity; 
                        or
                            ``(ii) personal to the employees and 
                        contractors of the small entity; and
                    ``(C) recommend, as practicable--
                            ``(i) measures to improve the cybersecurity 
                        of small entities; and
                            ``(ii) configurations and settings for some 
                        of the most commonly used software that can 
                        improve the cybersecurity of small entities.
            ``(2) Existing recommendations.--The Director shall ensure 
        that each annual cybersecurity report published under paragraph 
        (1) incorporates--
                    ``(A) cybersecurity resources developed by NIST, as 
                required by the NIST Small Business Cybersecurity Act 
                (Public Law 115-236; 132 Stat. 2444); and
                    ``(B) the most recent version of the Cybersecurity 
                Framework, or a successor resource, maintained by NIST.
            ``(3) Consideration for specific types of small entities.--
        The Director may include and prioritize the development of 
        cybersecurity recommendations, as required under paragraph (1), 
        appropriate for specific types of small entities in addition to 
        recommendations applicable for all small entities.
            ``(4) Consultation.--In publishing the annual cybersecurity 
        report under paragraph (1), the Director shall, to the degree 
        practicable and as appropriate, consult with--
                    ``(A) the Administrator, the Secretary of Commerce, 
                the Commission, and the Director of NIST;
                    ``(B) small entities, insurers, State governments, 
                companies that work with small entities, and academic 
                and Federal and non-Federal experts in cybersecurity; 
                and
                    ``(C) any other entity as determined appropriate by 
                the Director.
    ``(c) Promotion of Annual Cybersecurity Report for Small 
Businesses.--
            ``(1) Publication.--The annual cybersecurity report, and 
        previous versions of the report as appropriate, published under 
        subsection (b)(1) shall be--
                    ``(A) made available, prominently and free of 
                charge, on the public website of the Agency; and
                    ``(B) linked to from relevant portions of the 
                websites of the Administration and the Minority 
                Business Development Agency, as determined by the 
                Administrator and the Director of the Minority Business 
                Development Agency, respectively.
            ``(2) Promotion generally.--The Director, the 
        Administrator, and the Secretary of Commerce shall, to the 
        degree practicable, promote the annual cybersecurity report 
        through relevant resources that are intended for or known to be 
        regularly used by small entities, including agency documents, 
        websites, and events.
    ``(d) Training and Technical Assistance.--The Director, the 
Administrator, and the Director of the Minority Business Development 
Agency shall make available to employees of small entities voluntary 
training and technical assistance on how to implement the 
recommendations of the annual cybersecurity report.''.
            (2) Technical and conforming amendment.--The table of 
        contents in section 1(b) of the Homeland Security Act of 2002 
        (Public Law 107-296; 116 Stat. 2135) is amended by inserting 
        after the item relating to section 2220C the following:

``Sec. 2220D. Annual cybersecurity report for small entities.''.
    (c) Report to Congress.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, and annually thereafter for 10 years, 
        the Secretary shall submit to Congress a report describing 
        methods to improve the cybersecurity of small entities, 
        including through the adoption of policies, controls, and 
        classes of products and services that have been demonstrated to 
        reduce cybersecurity risk.
            (2) Matters to be included.--The report required under 
        paragraph (1) shall--
                    (A) identify barriers or challenges for small 
                entities in purchasing or acquiring classes of products 
                and services that promote the cybersecurity of small 
                entities;
                    (B) assess market availability, market pricing, and 
                affordability of classes of products and services that 
                promote the cybersecurity of small entities, with 
                particular attention to identifying high-risk and 
                underserved sectors or regions;
                    (C) estimate the costs and benefits of policies 
                that promote the cybersecurity of small entities, 
                including--
                            (i) tax breaks;
                            (ii) grants and subsidies; and
                            (iii) other incentives as determined 
                        appropriate by the Secretary;
                    (D) describe evidence-based cybersecurity controls 
                and policies that improve the cybersecurity of small 
                entities;
                    (E) with respect to the incentives described in 
                subparagraph (C), recommend measures that can 
                effectively improve cybersecurity at scale for small 
                entities; and
                    (F) include any other matters as the Secretary 
                determines relevant.
            (3) Specific sectors of small entities.--In preparing the 
        report required under paragraph (1), the Secretary may include 
        matters applicable for specific sectors of small entities in 
        addition to matters applicable to all small entities.
            (4) Consultation.--In preparing the report required under 
        paragraph (1), the Secretary shall consult with--
                    (A) the Administrator, the Director of CISA, and 
                the Commission; and
                    (B) small entities, insurers of risks related to 
                cybersecurity, State governments, cybersecurity and 
                information technology companies that work with small 
                entities, and academic and Federal and non-Federal 
                experts in cybersecurity.
    (d) Periodic Census on State of Cybersecurity of Small 
Businesses.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, and not less frequently than every 24 
        months thereafter for 10 years, the Administrator shall submit 
        to Congress and make publicly available data on the state of 
        cybersecurity of small businesses, including, to the extent 
        practicable--
                    (A) adoption of the cybersecurity recommendations 
                from the annual cybersecurity report among small 
                businesses;
                    (B) the most significant and widespread 
                cybersecurity threats facing small businesses;
                    (C) the amount small businesses spend on 
                cybersecurity products and services; and
                    (D) the personnel small businesses dedicate to 
                cybersecurity, including the amount of total personnel 
                time, whether by employees or contractors, dedicated to 
                cybersecurity efforts.
            (2) Voluntary participation.--In carrying out paragraph 
        (1), the Administrator shall collect data from small businesses 
        that participate on a voluntary basis.
            (3) Form.--The data required under paragraph (1) shall be 
        produced in unclassified form but may contain a classified 
        annex.
            (4) Consultation.--In preparing to collect the data 
        required under paragraph (1), the Administrator shall consult 
        with--
                    (A) the Secretary, the Director of CISA, and the 
                Commission; and
                    (B) small businesses, insurers of risks related to 
                cybersecurity, cybersecurity and information technology 
                companies that work with small businesses, and academic 
                and Federal and non-Federal experts in cybersecurity.
            (5) Privacy.--In carrying out this subsection, the 
        Administrator shall ensure that any publicly available data is 
        anonymized and does not reveal personally identifiable 
        information.
    (e) Rule of Construction.--Nothing in this section or the 
amendments made by this section shall be construed to provide any 
additional regulatory authority to CISA.