[Congressional Record Volume 167, Number 192 (Tuesday, November 2, 2021)]
[House]
[Pages H6088-H6090]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                        SBA CYBER AWARENESS ACT

  Ms. VELAZQUEZ. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 3462) to require an annual report on the cybersecurity of 
the Small Business Administration, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3462

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``SBA Cyber Awareness Act''.

     SEC. 2. CYBERSECURITY AWARENESS REPORTING.

       Section 10 of the Small Business Act (15 U.S.C. 639) is 
     amended by inserting after subsection (a) the following:
       ``(b) Cybersecurity Reports.--
       ``(1) Annual report.--Not later than 180 days after the 
     date of enactment of this subsection, and every year 
     thereafter, the Administrator shall submit a report to the 
     appropriate congressional committees that includes--
       ``(A) an assessment of the information technology (as 
     defined in section 11101 of title 40, United States Code) and 
     cybersecurity infrastructure of the Administration;
       ``(B) a strategy to increase the cybersecurity 
     infrastructure of the Administration;
       ``(C) a detailed account of any information technology 
     equipment or interconnected system or subsystem of equipment 
     of the Administration that was manufactured by an entity that 
     has its principal place of business located in the People's 
     Republic of China; and
       ``(D) an account of any cybersecurity risk or incident that 
     occurred at the Administration during the 2-year period 
     preceding the date on which the report is submitted, and any 
     action taken by the Administrator to respond to or remediate 
     any such cybersecurity risk or incident.
       ``(2) Additional reports.--If the Administrator determines 
     that there is a reasonable basis to conclude that a 
     cybersecurity risk or incident occurred at the 
     Administration, the Administrator shall--
       ``(A) not later than 7 days after the date on which the 
     Administrator makes that determination, notify the 
     appropriate congressional committees of the cybersecurity 
     risk or incident; and
       ``(B) not later than 30 days after the date on which the 
     Administrator makes a determination under subparagraph (A)--
       ``(i) provide notice to individuals and small business 
     concerns affected by the cybersecurity risk or incident; and

       ``(ii) submit to the appropriate congressional committees a 
     report, based on information available to the Administrator 
     as of the date which the Administrator submits the report, 
     that includes--

       ``(I) a summary of information about the cybersecurity risk 
     or incident, including how the cybersecurity risk or incident 
     occurred; and
       ``(II) an estimate of the number of individuals and small 
     business concerns affected by the cybersecurity risk or 
     incident, including an assessment of the risk of harm to 
     affected individuals and small business concerns.

       ``(3) Rule of construction.--Nothing in this subsection 
     shall be construed to affect the reporting requirements of 
     the Administrator under chapter 35 of title 44, United States 
     Code, in particular the requirement to notify the Federal 
     information security incident center under section 
     3554(b)(7)(C)(ii) of such title, or any other provision of 
     law.
       ``(4) Definitions.--In this subsection:
       ``(A) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means--
       ``(i) the Committee on Small Business and Entrepreneurship 
     of the Senate; and
       ``(ii) the Committee on Small Business of the House of 
     Representatives.
       ``(B) Cybersecurity risk; incident.--The terms 
     `cybersecurity risk' and `incident' have the meanings given 
     such terms, respectively, under section 2209(a) of the 
     Homeland Security Act of 2002.''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Ms. Velazquez) and the gentleman from Missouri (Mr. 
Luetkemeyer) each will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Ms. VELAZQUEZ. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days in which to revise and extend their remarks 
and to include any extraneous material on the measure under 
consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Ms. VELAZQUEZ. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I rise in support of H.R. 3462, the SBA Cyber Awareness 
Act. This bill directs the SBA to issue reports that assess its 
cybersecurity infrastructure and report cyber threats, breaches, and 
attacks.
  For more than 25 years, the SBA's Office of Inspector General has 
listed IT security as one of the most serious management and 
performance challenges facing the agency. These vulnerabilities were 
further exposed during the rollout of the SBA's COVID-19 relief 
programs. The unprecedented demand for the SBA's relief programs 
inundated SBA's legacy systems leading to back-end system crashes, 
portals operating slowly, and a glitch that led to a data breach of 
applicants' personal information.
  SBA failed to make any public announcement about the data breach, and 
it took weeks for the agency to send paper notifications to affected 
individuals.
  The SBA has taken the necessary steps to recover from these 
incidents, but we want a notification system in place before the next 
cybersecurity breach.
  This bill sets new reporting requirements to ensure congressional and 
public awareness of cyber incidents at the SBA. I would like to thank 
my colleagues, Mr. Jason Crow from Colorado and Mrs. Young Kim from 
California, for introducing this bill.
  Mr. Speaker, I urge my colleagues to support this bill, and I reserve 
the balance of my time.

                              {time}  1300

  Mr. LUETKEMEYER. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I rise in support of H.R. 3462, the SBA Cyber Awareness 
Act.
  Mr. Speaker, the importance of being cyber ready cannot be 
overstated. This goes for individuals, businesses, and even our Federal 
Government.
  H.R. 3462 takes important strides to ensure the agency that was 
created to assist and aid the Nation's smallest firms, the Small 
Business Administration, has the ability to access its own 
cybersecurity framework.
  Additionally, H.R. 3462 requires the SBA to report to Congress on its 
cyber infrastructure.
  Unfortunately, cyberattacks are too common in today's world. 
Vulnerabilities will be used and taken advantage of by criminals.
  We must take steps now to enhance and protect our Federal Government. 
H.R. 3462 does just that.
  I want to thank the gentleman from Colorado (Mr. Crow) and the 
gentlewoman from California (Mrs. Kim) for having the foresight to work 
on such an important measure. I also thank the chair for pushing 
forward this legislation. H.R. 3462 was favorably reported out of the 
Committee on Small Business in July.
  Mr. Speaker, I urge my colleagues to pass the bill today on the House 
floor, and I reserve the balance of my time.
  Ms. VELAZQUEZ. Mr. Speaker, I yield such time as he may consume to 
the gentleman from Colorado (Mr. Crow).
  Mr. CROW. Mr. Speaker, I rise today in support of H.R. 3462, the 
bipartisan SBA Cyber Awareness Act.
  As we all know, small businesses are the backbone of our economy, and 
they are certainly the backbone of my community. However, these small 
businesses are also increasingly the target of cyberattacks and theft 
of data and intellectual property.
  Unfortunately, Federal agencies are not immune to such attacks 
either. For more than 20 years, SBA's Office of Inspector General has 
listed IT security as one of the most serious management and 
performance challenges facing the agency.
  During the pandemic, demand for relief programs like PPP and EIDL 
has overwhelmed SBA's IT systems. As a result, a glitch in the EIDL 
application system led to an exposure of personal information of over 
8,000 applicants with no public announcement of the data breach until 
weeks later.
  The SBA Cyber Awareness Act would direct SBA to issue an annual 
report assessing its cybersecurity infrastructure. The bill would also 
require the SBA to report cyber-threats, breaches, and cyberattacks to 
the House Small Business Committee and the Senate Small Business and 
Entrepreneurship Committee and notify affected individuals and small 
businesses within 30 days of an incident.
  Cyberattacks are one of the biggest threats to our economy, small 
businesses, and way of life. This bill would ensure that we are doing 
everything we can to protect the millions of small businesses that the 
SBA serves and prepare them for 21st century threats.
  I would like to thank Chairwoman Velazquez and Ranking Member 
Luetkemeyer for the bipartisan support and my friend, Young Kim from 
California, for joining with me on this very important effort.
  Mr. Speaker, I encourage all of my colleagues to join with us and 
support this bill.
  Mr. LUETKEMEYER. Mr. Speaker, I yield such time as she may consume to 
the gentlewoman from California (Mrs. Kim).
  Mrs. KIM of California. Mr. Speaker, I would like to thank Ranking 
Member Luetkemeyer and Chairwoman Velazquez for their leadership in 
bringing these bipartisan pieces of legislation to the House floor for 
votes today.
  I rise in strong support of H.R. 3462, the SBA Cyber Awareness Act. 
This is a bill I have had the pleasure to co-lead with my colleague, 
Representative Jason Crow of Colorado, to improve the Small Business 
Administration's transparency and alert mechanisms when a cyberattack 
or intrusion takes place.
  Under the legislation, the SBA will be required to conduct an annual 
assessment of IT equipment and cybersecurity capabilities and provide 
Congress with a detailed account of any cybersecurity risk of SBA 
equipment that was primarily manufactured in the People's Republic of 
China. Additionally, under this bill, the legislation directs the SBA 
Administrator to notify Congress and small businesses of a cyberattack 
within 30 days after the SBA decides that it was subject to a cyber 
hack.
  Fifty percent of small businesses with 500 or fewer employees say it 
is very likely that they will experience a cyberattack in the next 12 
months, and 1 in 4 are experiencing more cyberattacks compared to a 
year ago. During the COVID-19 pandemic, the SBA handled a record number 
of loans and services to help small businesses in need. With that came 
a higher number of sensitive personal and business information that was 
handled by the Federal Government.

  We must ensure entrepreneurs and small business owners have the 
confidence that the SBA has the IT capabilities and tools to keep their 
information safe from cyberattacks. This bill, H.R. 3462, is an 
important step in doing just that.
  Mr. Speaker, I urge my colleagues from both sides of the aisle to 
support H.R. 3462.
  Ms. VELAZQUEZ. Mr. Speaker, I am prepared to close, and I reserve the 
balance of my time.
  Mr. LUETKEMEYER. Mr. Speaker, I yield myself such time as I may 
consume for the purpose of closing.
  Mr. Speaker, I believe now is the time to act to prepare our 
financial institutions for cyber intrusions. Requiring the SBA to 
assess its own cyber infrastructure is an important step to ensure the 
agency can continue to serve as a leader for our Nation's 31 million 
small businesses.
  Congress should make certain that the Federal Government is cyber 
prepared on behalf of the Nation's small businesses, entrepreneurs, and 
start-ups.
  Mr. Speaker, I encourage my colleagues to support H.R. 3462, and I 
yield back the balance of my time.
  Ms. VELAZQUEZ. Mr. Speaker, H.R. 3462 adds new layers of 
Congressional oversight to regularly assess SBA's IT and cybersecurity 
systems and controls, and it will go a long way to increase 
transparency in the event of another IT or cyber incident.
  Congress and the American people need to know that the SBA's systems 
are fully operational and capable of handling the next surge. This bill 
takes a step towards rebuilding the trust and confidence in the SBA's 
IT infrastructure.
  Mr. Speaker, I thank my colleagues for their work, I urge Members to 
vote ``yes'' on this bill, and I yield back the balance of my time.
  Ms. JACKSON LEE. Mr. Speaker, I rise in support of H.R. 3462, the 
``SBA Cyber Awareness Act,'' which will strengthen our knowledge of 
cybersecurity threats to the small businesses of America.
  In short, this bill mainly requires that the Small Business 
Administration (SBA) conduct an annual report that assesses the 
cybersecurity infrastructure of the SBA.
  Mr. Speaker, the unfortunate reality is that our Nation's small 
businesses are under attack--they are increasingly the target of 
cybersecurity breaches.
  In fact, the SBA has listed IT security as one of the most serious 
management challenges facing the administration for more than twenty 
years.
  Fifty percent of small businesses say that it is likely they will 
experience a cyberattack in the next twelve months.
  One in four small businesses indicate that they are facing more 
cyberattacks compared to a year ago.
  Small businesses are the backbone of this country, and we owe it to 
them to be diligently aware of threats to their private information and 
their livelihoods.
  That is why I rise in ardent support of the SBA Cyber Awareness Act, 
and that is why the bill has bipartisan backing.
  Lastly, I want to thank Congressman Crow and Congresswoman Kim for 
introducing and shepherding this bill.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Ms. Velazquez) that the House suspend the 
rules and pass the bill, H.R. 3462.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mrs. BOEBERT. Mr. Speaker, on that I demand the yeas and nays.
  The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 
8, the yeas and nays are ordered.
  Pursuant to clause 8 of rule XX, further proceedings on this motion 
are postponed.
