[Congressional Record Volume 165, Number 118 (Monday, July 15, 2019)]
[House]
[Pages H5807-H5809]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
SBA CYBER AWARENESS ACT
Mr. DELGADO. Mr. Speaker, I move to suspend the rules and pass the
bill (H.R. 2331) to require an annual report on the cybersecurity of
the Small Business Administration, and for other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 2331
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. CYBERSECURITY AWARENESS REPORTING.
Section 10 of the Small Business Act (15 U.S.C. 639) is
amended by inserting after subsection (a) the following:
``(b) Cybersecurity Reports.--
``(1) Annual report.--Not later than 180 days after the
date of enactment of this subsection, and every year
thereafter, the Administrator shall submit a report to the
appropriate congressional committees that includes--
``(A) an assessment of the information technology (as
defined in section 11101 of title 40, United States Code) and
cybersecurity infrastructure of the Administration;
``(B) a strategy to increase the cybersecurity
infrastructure of the Administration;
``(C) a detailed account of any information technology
equipment or interconnected system or subsystem of equipment
of the Administration that was manufactured by an entity that
has its principal place of business located in the People's
Republic of China; and
``(D) an account of any cybersecurity risk or incident that
occurred at the Administration during the 2-year period
preceding the date on which the report is submitted, and any
action taken by the Administrator to respond to or remediate
any such cybersecurity risk or incident.
``(2) Additional reports.--If the Administrator determines
that there is a reasonable basis to conclude that a
cybersecurity risk or incident occurred at the
Administration, the Administrator shall--
``(A) not later than 7 days after the date on which the
Administrator makes that determination, notify the
appropriate congressional committees of the cybersecurity
risk or incident; and
``(B) not later than 30 days after the date on which the
Administrator makes a determination under subparagraph (A)--
``(i) provide notice to individuals and small business
concerns affected by the cybersecurity risk or incident; and
``(ii) submit to the appropriate congressional committees a
report, based on information available to the Administrator
as of the date which the Administrator submits the report,
that includes--
``(I) a summary of information about the cybersecurity risk
or incident, including how the cybersecurity risk or incident
occurred; and
``(II) an estimate of the number of individuals and small
business concerns affected by the cybersecurity risk or
incident, including an assessment of the risk of harm to
affected individuals and small business concerns.
``(3) Rule of construction.--Nothing in this subsection
shall be construed to affect the reporting requirements of
the Administrator under chapter 35 of title 44, United States
Code, in particular the requirement to notify the Federal
information security incident center under section
3554(b)(7)(C)(ii) of such title, or any other provision of
law.
``(4) Definitions.--In this subsection:
``(A) Appropriate congressional committees.--The term
`appropriate congressional committees' means--
``(i) the Committee on Small Business and Entrepreneurship
of the Senate; and
``(ii) the Committee on Small Business of the House of
Representatives.
``(B) Cybersecurity risk; incident.--The terms
`cybersecurity risk' and `incident' have the meanings given
such terms, respectively, under section 2209(a) of the
Homeland Security Act of 2002.''.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from New
York (Mr. Delgado) and the gentleman from Ohio (Mr. Chabot) each will
control 20 minutes.
The Chair recognizes the gentleman from New York.
General Leave
Mr. DELGADO. Mr. Speaker, I ask unanimous consent that all Members
may have 5 legislative days in which to revise and extend their remarks
and include extraneous material on the measure under consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from New York?
There was no objection.
Mr. DELGADO. Mr. Speaker, I yield myself such time as I may consume.
I rise in support of H.R. 2331, the SBA Cyber Awareness Act of 2019,
which strengthens the Small Business Administration's cybersecurity
infrastructure to handle and report cyber threats that affect small
businesses.
The Small Business Administration processes a significant amount of
small business data, and protecting these businesses is essential to
its mission. That is why they must protect its precious digital
networks from cyberattacks. But after the massive data breach at the
U.S. Office of Personnel Management, 75 percent of Americans are
doubtful that the government can protect their personal information.
With 28 million small business owners in the U.S. that provide 64
percent of new private-sector jobs, America cannot afford for small
businesses to lose faith in the SBA. Today, we take an important step
to restore American confidence in the SBA's cybersecurity protections
and prevent the harmful results of cyberattacks.
H.R. 2331 ensures that the SBA has an effective cyber strategy and
requires timely reporting of cyber incidents to Congress and affected
individuals. Through these measures, the SBA will better serve the
American small businesses that support the U.S. economy.
I thank Congressman Crow and Congressman Balderson for working so
diligently to strengthen the agency we oversee and protect the Nation's
small business community that utilizes its services.
I ask my fellow Members to support this bill, and I reserve the
balance of my time.
Mr. CHABOT. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in support of H.R. 2331, the SBA Cyber Awareness
Act.
In June 2015, the Office of Personnel Management, or OPM, discovered
that background investigation records of current, former, and
prospective Federal employees and contractors had been stolen from
their system. That data breach affected 21.5 million individuals.
Earlier in 2015, OPM discovered that the personal data of 4.2 million
current and former Federal Government employees had also been stolen.
This is absolutely unacceptable, and we must hold agencies accountable
to secure their networks.
While a much smaller agency, the SBA maintains important and
sensitive data about loan recipients, government contractor
information, and various other forms of personally identifiable
information that hackers covet. That is why I am happy to support Mr.
Crow's and Mr. Balderson's legislation, H.R. 2331, the SBA Cyber
Awareness Act. This legislation mirrors legislation introduced in the
last Congress by Senators Rubio and Cardin.
The bill directs the SBA to issue reports that assess its
cybersecurity infrastructure, including determining the country of
origin of its IT components, and report cyber threats, breaches, and
cyberattacks.
This is a commonsense, bipartisan bill, and I urge my colleagues to
support the measure.
Mr. Speaker, I reserve the balance of my time.
Mr. DELGADO. Mr. Speaker, I yield 5 minutes to the gentleman from
Colorado (Mr. Crow), the sponsor of the bill.
Mr. CROW. Mr. Speaker, I want to thank the gentleman from New York
(Mr. Delgado) for yielding, and I want to thank Chairwoman Velazquez
for prioritizing this critical issue and bringing our bill to the
floor. I also want to thank my friend and colead on H.R. 2331, the
gentleman from Ohio (Mr. Balderson), for his leadership on
cybersecurity and small business issues and this bill in particular. I
value his input and expertise on all of these issues.
Mr. Speaker, I rise in strong support of this bipartisan legislation
I introduced with Ranking Member Balderson, the SBA Cyber Awareness
Act.
The Small Business Administration houses vital information for small
business owners and lenders. We must do everything we can to help the
SBA protect its systems and the data of our Nation's small businesses.
Our bill would require the SBA to be more proactive in protecting its
data and more transparent in the event of a cyber breach.
First, our bill requires the SBA to issue a report detailing its
cybersecurity efforts within 6 months of enactment. This report must
include an assessment of the SBA's existing IT and cybersecurity
infrastructure and its strategy to address vulnerabilities.
Notably, this bill ensures we are protecting ourselves against China
by requiring an audit of any SBA system or IT equipment manufactured by
a company headquartered in China.
The report must detail every cybersecurity risk or incident in the
last 2 years and the SBA's strategy to address them going forward.
Second, our bill provides a framework for the SBA to follow in the
event of future breaches, requiring timely notifications to Congress as
well as the people in the small businesses affected. The bill also
requires the SBA to submit a full report to both committees on how the
cybersecurity risk or incident occurred and how many parties were
affected.
The goal of this bill is to put the SBA and the small businesses that
it interacts with and that depend on it on the best footing possible to
combat the rising threat of cyberattacks.
I am very excited that this bill is up for a vote in the House today
and has such strong bipartisan support.
Mr. Speaker, I urge my colleagues to vote in support of our
bipartisan legislation and thank everyone who had a hand in bringing it
to the floor. It is an exciting day when we can focus on our Nation's
small businesses and cyber infrastructure, and I am hopeful for this
bill's quick consideration by the Senate.
Mr. CHABOT. Mr. Speaker, in closing, I just want to thank Mr.
Balderson and Mr. Crow for working together in a bipartisan manner on
this very important legislation.
I know Mr. Balderson wanted to be here today to speak on this.
Unfortunately, I believe he had some airline issues, but I believe he
will be submitting a statement for the Record.
But again, we appreciate both Mr. Balderson and Mr. Crow's leadership
on this.
We have seen a large increase in cybersecurity threats against not
only the private sector, but also the public sector. We must remain
vigilant to ensure the public's data does not end up in the wrong
hands.
This bipartisan legislation ensures that the SBA is better equipped
to protect American citizens' data.
Mr. Speaker, I urge my colleagues to support this, and I yield back
the balance of my time.
Mr. DELGADO. Mr. Speaker, the Small Business Administration fuels the
U.S. economy, and through its lending and contracting programs, helps
Americans start, build, and grow small businesses, but in doing so, the
agency is tasked with handling vital information.
As we all know, cyberattacks are very real, and nobody, not even the
Federal Government, is immune.
That is why this piece of legislation, H.R. 2331, is fundamental to
the health of our national cyber infrastructure as it relates to small
firms.
The SBA must protect its digital networks from cyberattacks and
collaborate more with Congress. Modernizing the agency's IT
infrastructure and implementing an effective cyber strategy is the key
component of this bill. Doing so guarantees the SBA can adequately and
effectively defend its digital network.
This bill also requires timely reporting of cyber incidents to
Congress and affected individuals in the unfortunate event of a breach.
The sharing of this information allows us to collaborate with the SBA
to better address vulnerabilities in the system.
Mr. Speaker, H.R. 2331 has bipartisan support, so I once again want
to urge my colleagues to support the measure. I yield back the balance
of my time.
Mr. BALDERSON. Mr. Speaker, I rise today in support of H.R. 2331, the
SBA Cyber Awareness Act of 2019. This bill has had my full support
since its introduction and I am happy to support its passage today.
I want to first thank my good friend, the gentleman from Colorado,
for his leadership on this effort. It is nice to see Congress attempt
to solve problems not only in a bipartisan manner, but also proactively
before problems occur, rather than waiting until something goes wrong.
This bill addresses a potential weakness within the Small Business
Administration's cybersecurity infrastructure. By passing this bill, we
will proactively guard against harmful and widespread cyberattacks by
bringing the Small Business Administration's cybersecurity defenses
into the 21st Century. This bill will protect the sensitive business
and personal information of millions of small business owners across
the country.
In a rapidly-developing digital age, strong cybersecurity protections
and reinforcements are of the utmost importance. Many small businesses
don't have the defensive infrastructure to deal with cyberattacks. A
threat to cybersecurity is a threat to small businesses' vitality.
That's why this bill is so important.
We, as Congress, must lift up the small businesses of America and
ensure they have the support they need to address this ever-changing
online environment. And this bill is a bipartisan example of that.
Once again, I thank my colleague from Colorado for his proactive
leadership, and I urge the passage of H.R. 2331.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from New York (Mr.
Delgado) that the House suspend the rules and pass the bill, H.R. 2331.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill was passed.
A motion to reconsider was laid on the table.