[Congressional Record Volume 168, Number 157 (Wednesday, September 28, 2022)]
[Senate]
[Page S5168]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                        SBA CYBER AWARENESS ACT

  Mr. SCHUMER. Mr. President, I ask unanimous consent that the Senate 
proceed to the immediate consideration of Calendar No. 281, H.R. 3462.
  The PRESIDING OFFICER. The clerk will report the bill by title.
  The legislative clerk read as follows:

       A bill (H.R. 3462) to require an annual report on the 
     cybersecurity of the Small Business Administration, and for 
     other purposes.

  There being no objection, the Senate proceeded to consider the bill, 
which had been reported from the Committee on Small Business and 
Entrepreneurship.
  Mr. SCHUMER. I further ask that the Cardin substitute amendment, 
which is at the desk, be considered and agreed to; that the bill, as 
amended, be considered read a third time and passed; and that the 
motion to reconsider be considered made and laid upon the table with no 
intervening action or debate.
  The PRESIDING OFFICER. Without objection, it is so ordered.
  The amendment (No. 6028), in the nature of a substitute, was agreed 
to as follows:

                (Purpose: In the nature of a substitute)

        Strike all after the enacting clause and insert the 
     following:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``SBA Cyber Awareness Act''.

     SEC. 2. CYBERSECURITY AWARENESS REPORTING.

       (a) In General.--Section 10 of the Small Business Act (15 
     U.S.C. 639) is amended by inserting after subsection (a) the 
     following:
       ``(b) Cybersecurity Reports.--
       ``(1) Annual report.--Not later than 180 days after the 
     date of enactment of this subsection, and every year 
     thereafter, the Administrator shall submit a report to the 
     appropriate congressional committees that includes--
       ``(A) a strategy to increase the cybersecurity of 
     information technology infrastructure of the Administration;
       ``(B) a supply chain risk management strategy and an 
     implementation plan to address the risks of foreign 
     manufactured information technology equipment utilized by the 
     Administration, including specific risk mitigation activities 
     for components originating from entities with principal 
     places of business located in the People's Republic of China; 
     and
       ``(C) an account of--
       ``(i) any incident that occurred at the Administration 
     during the 2-year period preceding the date on which the 
     first report is submitted, and, for subsequent reports, the 
     1-year period preceding the date of submission; and
       ``(ii) any action taken by the Administrator to respond to 
     or remediate any such incident.
       ``(2) FISMA reports.--Each report required under paragraph 
     (1) may be submitted as part of the report required under 
     section 3554 of title 44, United States Code.
       ``(3) Rule of construction.--Nothing in this subsection 
     shall be construed to affect the reporting requirements of 
     the Administrator under chapter 35 of title 44, United States 
     Code, in particular the requirement to notify the Federal 
     information security incident center under section 
     3554(b)(7)(C)(ii) of such title, any guidance issued by the 
     Office of Management and Budget, or any other provision of 
     law or Federal policy.
       ``(4) Definitions.--In this subsection:
       ``(A) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means--
       ``(i) the Committee on Small Business and Entrepreneurship 
     of the Senate;
       ``(ii) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(iii) the Committee on Small Business of the House of 
     Representatives; and
       ``(iv) the Committee on Oversight and Reform of the House 
     of Representatives.
       ``(B) Incident.--The term `incident' has the meaning given 
     the term in section 3552 of title 44, United States Code.
       ``(C) Information technology.--The term `information 
     technology' has the meaning given the term in section 3502 of 
     title 44, United States Code.''.
       (b) Report.--Not later than 1 year after the date of 
     enactment of this Act, the Administrator of the Small 
     Business Administration shall, to the greatest extent 
     practicable, provide to the Committee on Small Business and 
     Entrepreneurship of the Senate, the Committee on Homeland 
     Security and Governmental Affairs of the Senate, the 
     Committee on Small Business of the House of Representatives, 
     and the Committee on Oversight and Reform of the House of 
     Representatives a detailed account of information technology 
     (as defined in section 3502 of title 44, United States Code) 
     of the Small Business Administration that was manufactured by 
     an entity that has its principal place of business located in 
     the People's Republic of China.

  The bill (H.R. 3462), as amended, was ordered to a third reading, was 
read the third time, and passed.
