[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2740 Introduced in Senate (IS)]

118th CONGRESS
  1st Session
                                S. 2740

To help small businesses prepare for and combat cybersecurity threats, 
                        and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           September 7, 2023

Mr. Risch (for himself, Mrs. Shaheen, Mr. Crapo, and Ms. Cortez Masto) 
introduced the following bill; which was read twice and referred to the 
            Committee on Small Business and Entrepreneurship

_______________________________________________________________________

                                 A BILL


 
To help small businesses prepare for and combat cybersecurity threats, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Small Business Cyber Resiliency 
Act''.

SEC. 2. SMALL BUSINESS CYBERSECURITY.

    (a) In General.--The Small Business Act (15 U.S.C. 631 et seq.) is 
amended--
            (1) by redesignating section 49 (15 U.S.C. 631 note) as 
        section 52; and
            (2) by inserting after section 48 (15 U.S.C. 657u) the 
        following:

``SEC. 49. SMALL BUSINESS CYBERSECURITY.

    ``(a) Definitions.--In this section:
            ``(1) Cybersecurity risk; cyber threat indicator; defensive 
        measure; incident.--The terms `cybersecurity risk', `cyber 
        threat indicator', `defense measure', and `incident' have the 
        meanings given those terms in section 2200 of the Homeland 
        Security Act of 2002 (6 U.S.C. 650).
            ``(2) Resource partner.--The term `resource partner' 
        means--
                    ``(A) a small business development center;
                    ``(B) a women's business center described in 
                section 29; and
                    ``(C) a chapter of the Service Corps of Retired 
                Executives described in section 8(a)(1)(A).
    ``(b) Interagency Agreement.--The Administration shall enter into 
an interagency agreement with the Cybersecurity and Infrastructure 
Security Agency to collaborate and increase information sharing with 
the Administration to improve cybersecurity resources and defenses for 
small business concerns, including cybersecurity products tailored to 
the needs of small business concerns.
    ``(c) Assistance Through Resource Partners.--
            ``(1) In general.--The Department of Homeland Security, and 
        any other Federal agency in coordination with the Department of 
        Homeland Security, shall leverage resource partners to provide 
        assistance to small business concerns with cybersecurity tools, 
        such as the Cyber Security Evaluation Tool and the Cyber 
        Resilience Review, and by disseminating information relating to 
        cybersecurity risks and other homeland security matters to help 
        small business concerns in developing or enhancing 
        cybersecurity infrastructure, awareness of cyber threat 
        indicators, cybersecurity incident response planning, and cyber 
        training programs for employees.
            ``(2) Annual publication.--Not later than 1 year after the 
        date of enactment of the Small Business Cyber Resiliency Act 
        and annually thereafter, the Administrator shall publish on the 
        website of the Administration the number of small business 
        concerns that resource partners assisted in providing 
        assistance described in paragraph (1) during the year covered 
        by the publication.
    ``(d) Central Small Business Cybersecurity Assistance Unit.--
            ``(1) Establishment.--The Administrator, in coordination 
        with the Secretary of Commerce, and in consultation with the 
        Secretary of Homeland Security and the Attorney General, shall 
        establish a central small business cybersecurity assistance 
        unit within the Administration, which shall serve as a central 
        clearinghouse for cybersecurity resources for small business 
        concerns across the Federal Government, such as those developed 
        by the Department of Homeland Security.
            ``(2) Duties.--The central small business cybersecurity 
        assistance unit established under paragraph (1) shall--
                    ``(A) coordinate internal cybersecurity efforts 
                within the Administration to reduce duplication of 
                effort and resources;
                    ``(B) establish and maintain a publicly available 
                website that is a clearinghouse of cybersecurity 
                information for small business concerns, including 
                information on--
                            ``(i) how to find guidance material on best 
                        cyber hygiene practices;
                            ``(ii) where to report cybersecurity 
                        breaches or incidents;
                            ``(iii) how to respond to cybersecurity 
                        breaches or incidents;
                            ``(iv) the cybersecurity efforts of the 
                        Administration;
                            ``(v) how to contact the certified 
                        employees described in section 21(o); and
                            ``(vi) standard incident response 
                        procedures for leading cyber crimes;
                    ``(C) work with the certified employees described 
                in section 21(o) to provide cybersecurity assistance to 
                small business concerns;
                    ``(D) coordinate with the Department of Homeland 
                Security and any other Federal agency as the 
                Administrator determines appropriate to identify and 
                disseminate cybersecurity information and resources to 
                small business concerns in a form that is accessible 
                and actionable by small business concerns;
                    ``(E) redirect small business cybersecurity 
                inquiries, such as reporting of cyber threat indicators 
                and defensive measures, to the appropriate Federal 
                agencies;
                    ``(F) coordinate with the National Institute of 
                Standards and Technology to identify and disseminate 
                information to small business concerns on the most 
                cost-effective methods for implementing elements of the 
                cybersecurity framework of the National Institute of 
                Standards and Technology applicable to improving the 
                cybersecurity posture of small business concerns;
                    ``(G) coordinate with the Department of Defense to 
                identify and disseminate information to small business 
                concerns on satisfying the applicable requirements of 
                the Cybersecurity Maturity Model Certification of the 
                Department of Defense or any other successor 
                cybersecurity requirements as established by the 
                Department of Defense; and
                    ``(H) seek input from the Office of Advocacy of the 
                Administration to identify any policies or procedures 
                adopted by any department, agency, or instrumentality 
                of the Federal Government that will hamper the 
                improvement of the cybersecurity posture of those small 
                business concerns.
            ``(3) Enhanced cybersecurity protections for small 
        businesses.--
                    ``(A) In general.--Notwithstanding any other 
                provision of law, no cause of action shall lie or be 
                maintained in any court against any small business 
                concern, and such action shall be promptly dismissed, 
                if such action is related to or arises out of--
                            ``(i) any activity authorized under this 
                        paragraph or the Cybersecurity Information 
                        Sharing Act of 2015 (6 U.S.C. 1501 et seq.); or
                            ``(ii) any action or inaction in response 
                        to any cyber threat indicator, defensive 
                        measure, or other information shared or 
                        received pursuant to this paragraph or the 
                        Cybersecurity Information Sharing Act of 2015 
                        (6 U.S.C. 1501 et seq.).
                    ``(B) Rule of construction.--Nothing in this 
                paragraph shall be construed to affect the 
                applicability or merits of any defense, motion, or 
                argument in any cause of action in a court brought 
                against an entity that is not a small business concern.
    ``(e) Report.--
            ``(1) In general.--Not later than 1 year after the date of 
        enactment of the Small Business Cyber Resiliency Act, and every 
        year thereafter, the Administrator and the head of each Federal 
        agency that collects or shares information under this section 
        shall submit to the Committee on Small Business and 
        Entrepreneurship of the Senate and the Committee on Small 
        Business of the House of Representatives a joint report on 
        actions taken by the Administration and relevant Federal 
        agencies to protect personally identifiable information, 
        business identifiable information, sensitive financial 
        information, and cybersecurity information received by those 
        Federal agencies as a result of the requirements under this 
        section.
            ``(2) Form.--Each report required under paragraph (1) shall 
        be unclassified, but may include a classified annex.''.
    (b) Prohibition on New Appropriations.--
            (1) In general.--No additional funds are authorized to be 
        appropriated to carry out this section and the amendments made 
        by this section.
            (2) Existing funding.--This section and the amendments made 
        by this section shall be carried out using amounts made 
        available to the Small Business Administration under the 
        heading ``Entrepreneurial Development Programs''.
    (c) Implementation.--Not later than 180 days after the date of 
enactment of this Act, the Administrator of the Small Business 
Administration shall implement this section and the amendments made by 
this section.

SEC. 3. STUDY AND REPORT ON CYBERSECURITY RISKS OF SMALL BUSINESSES.

    (a) Definitions.--In this section:
            (1) Administration.--The term ``Administration'' means the 
        Small Business Administration.
            (2) Appropriate committees of congress.--The term 
        ``appropriate committees of Congress'' means--
                    (A) the Committee on Small Business and 
                Entrepreneurship of the Senate;
                    (B) the Committee on Homeland Security and 
                Governmental Affairs of the Senate;
                    (C) the Committee on Small Business of the House of 
                Representatives; and
                    (D) the Committee on Homeland Security of the House 
                of Representatives.
            (3) Cybersecurity risk.--The term ``cybersecurity risk'' 
        has the meaning given the term in section 2200 of the Homeland 
        Security Act of 2002 (6 U.S.C. 650).
            (4) Information system.--The term ``information system'' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            (5) Rural area.--The term ``rural area'' means any county 
        or other political subdivision of a State, the District of 
        Columbia, or a territory or possession of the United States 
        that is designated as a rural area by the Bureau of the Census.
            (6) Small business concern.--The term ``small business 
        concern'' has the meaning given the term in section 3 of the 
        Small Business Act (15 U.S.C. 632).
    (b) Study and Report.--Not later than 1 year after the date of 
enactment of this Act, the Chief Counsel for Advocacy of the 
Administration and the Comptroller General of the United States shall--
            (1) conduct a joint study assessing the impact of small 
        business concerns turning to online marketplaces as a result of 
        shutdowns imposed by the COVID-19 pandemic, specifically in 
        regards to the cybersecurity of those small business concerns; 
        and
            (2) submit to the appropriate committees of Congress and 
        make publicly available a report on--
                    (A) how identified cybersecurity risks specifically 
                impact small business concerns that established an 
                online presence during the period beginning on February 
                1, 2020, and ending on December 31, 2021;
                    (B) the challenges that the small business concerns 
                described in subparagraph (A) face in--
                            (i) securing updated information systems;
                            (ii) implementing cybersecurity protocols; 
                        and
                            (iii) responding to data breaches or cyber 
                        attacks;
                    (C) the Federal resources that the small business 
                concerns described in subparagraph (A) used in 
                establishing the online presence described in that 
                paragraph;
                    (D) as of the date of the report, the cybersecurity 
                status of the small business concerns described in 
                subparagraph (A) based on a representative sample of 
                those small business concerns;
                    (E) how the Department of Homeland Security and the 
                Administration can improve their existing partnership 
                to better train small business concerns regarding 
                cybersecurity threats; and
                    (F) as of the date of the report--
                            (i) the frequency of each type of cyber 
                        attack suffered by small business concerns 
                        described in subparagraph (A); and
                            (ii) an estimated average cost to those 
                        small business concerns of each type of cyber 
                        attack.