[Congressional Record Volume 167, Number 87 (Wednesday, May 19, 2021)]
[Senate]
[Pages S2800-S2801]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 1552. Mr. RISCH (for himself, Ms. Cortez Masto, and Ms. Rosen) 
submitted an amendment intended to be proposed by him to the bill S. 
1260, to establish a new Directorate for Technology and Innovation in 
the National Science Foundation, to establish a regional technology hub 
program, to require a strategy and report on economic security, 
science, research, innovation, manufacturing, and job creation, to 
establish a critical supply chain resiliency program, and for other 
purposes; which was ordered to lie on the table; as follows:

       At the appropriate place, insert the following:

     SEC. ___. STRENGTHENING AND ENHANCING CYBERSECURITY USAGE TO 
                   REACH SMALL BUSINESSES.

       (a) Definitions.--In this section:
       (1) Administrator.--The term ``Administrator'' means the 
     Administrator of the Small Business Administration.
       (2) Covered industry sectors.--The term ``covered industry 
     sectors'' means the following industry sectors:
       (A) Accommodation and food services.
       (B) Agriculture.
       (C) Construction.
       (D) Healthcare and social assistance.
       (E) Retail and wholesale trade.
       (F) Transportation and warehousing.
       (G) Entertainment and recreation.
       (H) Finance and insurance.
       (I) Manufacturing.
       (J) Information and telecommunications.
       (K) Any other industry sector that the Administrator 
     determines to be relevant.
       (3) Covered vendor.--The term ``covered vendor'' means a 
     vendor of cybersecurity products and services, including 
     cybersecurity risk insurance.
       (4) Cybersecurity.--The term ``cybersecurity'' means--
       (A) the art of protecting networks, devices, and data from 
     unauthorized access or criminal use; and
       (B) the practice of ensuring the confidentiality, 
     integrity, and availability of information.
       (5) Cybersecurity threat.--The term ``cybersecurity 
     threat'' means the possibility of a malicious attempt to 
     infiltrate, damage, disrupt, or destroy computer networks or 
     systems.

[[Page S2801]]

       (6) Small business concern.--The term ``small business 
     concern'' has the meaning given the term in section 3(a) of 
     the Small Business Act (15 U.S.C. 632(a)).
       (b) Cybersecurity Cooperative Marketplace Program.--
       (1) Establishment.--Not later than 180 days after the date 
     of enactment of this Act, the Administrator, in consultation 
     with the Director of the National Institute of Standards and 
     Technology, shall establish a program to assist small 
     business concerns with purchasing cybersecurity products and 
     services.
       (2) Duties.--In carrying out the program established under 
     paragraph (1), the Administrator shall--
       (A) educate small business concerns about the types of 
     cybersecurity products and services that are specific to each 
     covered industry sector; and
       (B) provide outreach to covered vendors and small business 
     concerns to encourage use of the cooperative marketplace 
     described in paragraph (3).
       (3) Cooperative marketplace for purchasing cybersecurity 
     products and services.--The Administrator shall--
       (A) establish and maintain a website that--
       (i) is free to use for small business concerns and covered 
     vendors; and
       (ii) provides a cooperative marketplace that facilitates 
     the creation of mutual agreements under which small business 
     concerns cooperatively purchase cybersecurity products and 
     services from covered vendors; and
       (B) determine whether each covered vendor and each small 
     business concern that participates in the marketplace 
     described in subparagraph (A) is legitimate, as determined by 
     the Administrator.
       (4) Sunset.--This subsection ceases to be effective on 
     September 30, 2024.
       (c) GAO Study on Available Federal Cybersecurity 
     Initiatives.--
       (1) In general.--The Comptroller General of the United 
     States shall conduct a study that identifies any improvements 
     that could be made to Federal initiatives that--
       (A) train small business concerns how to avoid 
     cybersecurity threats; and
       (B) are in effect on the date on which the Comptroller 
     General commences the study.
       (2) Report.--Not later than 1 year after the date of 
     enactment of this Act, the Comptroller General of the United 
     States shall submit to the Committee on Small Business and 
     Entrepreneurship of the Senate and the Committee on Small 
     Business of the House of Representatives a report that 
     contains the results of the study required under paragraph 
     (1).
                                 ______