[Congressional Record Volume 168, Number 157 (Wednesday, September 28, 2022)]
[Senate]
[Pages S5264-S5265]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

  SA 5789. Ms. ROSEN (for herself and Mr. Cornyn) submitted an 
amendment intended to be proposed to amendment SA 5499 submitted by Mr. 
Reed (for himself and Mr. Inhofe) and intended to be proposed to the 
bill H.R. 7900, to authorize appropriations for fiscal year 2023 for 
military activities of the Department of Defense, for military 
construction, and for defense activities of the Department of Energy, 
to prescribe military personnel strengths for such fiscal year, and for 
other purposes; which was ordered to lie on the table; as follows:

        At the appropriate place, insert the following:

     SEC. __. IMPROVING CYBERSECURITY OF SMALL ENTITIES.

       (a) Definitions.--In this section:
       (1) Administrator.--The term ``Administrator'' means the 
     Administrator of the Small Business Administration.
       (2) Annual cybersecurity report; small business; small 
     entity; small governmental jurisdiction; small 
     organization.--The terms ``annual cybersecurity report'', 
     ``small business'', ``small entity'', ``small governmental 
     jurisdiction'', and ``small organization'' have the meanings 
     given those terms in section 2220E of the Homeland Security 
     Act of 2002, as added by subsection (b).
       (3) CISA.--The term ``CISA'' means the Cybersecurity and 
     Infrastructure Security Agency.
       (4) Commission.--The term ``Commission'' means the Federal 
     Trade Commission.
       (5) Secretary.--The term ``Secretary'' means the Secretary 
     of Commerce.
       (b) Annual Report.--
       (1) Amendment.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by 
     adding at the end the following:

     ``SEC. 2220E. ANNUAL CYBERSECURITY REPORT FOR SMALL ENTITIES.

       ``(a) Definitions.--
       ``(1) Administration.--The term `Administration' means the 
     Small Business Administration.
       ``(2) Administrator.--The term `Administrator' means the 
     Administrator of the Administration.
       ``(3) Annual cybersecurity report.--The term `annual 
     cybersecurity report' means the annual cybersecurity report 
     published and promoted under subsections (b) and (c), 
     respectively.
       ``(4) Commission.--The term `Commission' means the Federal 
     Trade Commission.
       ``(5) Electronic device.--The term `electronic device' 
     means any electronic equipment that is--
       ``(A) used by an employee or contractor of a small entity 
     for the purpose of performing work for the small entity;
       ``(B) capable of connecting to the internet or another 
     communication network; and
       ``(C) capable of sending, receiving, or processing personal 
     information.
       ``(6) NIST.--The term `NIST' means the National Institute 
     of Standards and Technology.
       ``(7) Small business.--The term `small business' has the 
     meaning given the term `small business concern' in section 3 
     of the Small Business Act (15 U.S.C. 632).
       ``(8) Small entity.--The term `small entity' means--
       ``(A) a small business;
       ``(B) a small governmental jurisdiction; and
       ``(C) a small organization.
       ``(9) Small governmental jurisdiction.--The term `small 
     governmental jurisdiction' means governments of cities, 
     counties, towns, townships, villages, school districts, or 
     special districts with a population of less than 50,000.
       ``(10) Small organization.--The term `small organization' 
     means any not-for-profit enterprise that is independently 
     owned and operated and is not dominant in its field.
       ``(b) Annual Cybersecurity Report.--
       ``(1) In general.--Not later than 180 days after the date 
     of enactment of this section, and not less frequently than 
     annually thereafter, the Director shall publish a report for 
     small entities that documents and promotes evidence-based 
     cybersecurity policies and controls for use by small 
     entities, which shall--
       ``(A) include basic controls that have the most impact in 
     protecting small entities against common cybersecurity 
     threats and risks;
       ``(B) include protocols and policies to address common 
     cybersecurity threats and risks posed by electronic devices, 
     regardless of whether the electronic devices are--
       ``(i) issued by the small entity to employees and 
     contractors of the small entity; or
       ``(ii) personal to the employees and contractors of the 
     small entity; and
       ``(C) recommend, as practicable--
       ``(i) measures to improve the cybersecurity of small 
     entities; and
       ``(ii) configurations and settings for some of the most 
     commonly used software that can improve the cybersecurity of 
     small entities.
       ``(2) Existing recommendations.--The Director shall ensure 
     that each annual cybersecurity report incorporates--
       ``(A) cybersecurity resources developed by NIST, as 
     required by the NIST Small Business Cybersecurity Act (Public 
     Law 115-236); and
       ``(B) the most recent version of the Cybersecurity 
     Framework, or successor resource, maintained by NIST.
       ``(3) Consideration for specific types of small entities.--
     The Director may include and prioritize the development of 
     cybersecurity recommendations, as required under paragraph 
     (1), appropriate for specific types of small entities in 
     addition to recommendations applicable for all small 
     entities.
       ``(4) Consultation.--In publishing the annual cybersecurity 
     report, the Director shall, to the degree practicable and as 
     appropriate, consult with--
       ``(A) the Administrator, the Secretary of Commerce, the 
     Commission, and the Director of NIST;
       ``(B) small entities, insurers, State governments, 
     companies that work with small entities, and academic and 
     Federal and non-Federal experts in cybersecurity; and
       ``(C) any other entity as determined appropriate by the 
     Director.
       ``(c) Promotion of Annual Cybersecurity Report for Small 
     Businesses.--
       ``(1) Publication.--The annual cybersecurity report, and 
     previous versions of the report as appropriate, shall be--
       ``(A) made available, prominently and free of charge, on 
     the public website of the Agency; and
       ``(B) linked to from relevant portions of the websites of 
     the Administration and the Minority Business Development 
     Agency, as determined by the Administrator and the Director 
     of the Minority Business Development Agency, respectively.
       ``(2) Promotion generally.--The Director, the 
     Administrator, and the Secretary of Commerce shall, to the 
     degree practicable, promote the annual cybersecurity report 
     through relevant resources that are intended for or known to 
     be regularly used by small entities, including agency 
     documents, websites, and events.
       ``(d) Training and Technical Assistance.--The Director, the 
     Administrator, and the Director of the Minority Business 
     Development Agency shall make available to employees of small 
     entities voluntary training and technical assistance on how 
     to implement the recommendations of the annual cybersecurity 
     report.''.
       (2) Technical and conforming amendment.--The table of 
     contents in section 1(b) of the Homeland Security Act of 2002 
     (Public Law 107-296; 116 Stat. 2135) is amended--
       (A) by moving the item relating to section 2220D to appear 
     after the item relating to section 2220C; and
       (B) by inserting after the item relating to section 2220D 
     the following:

``Sec. 2220E. Annual cybersecurity report for small entities.''.
       (c) Report to Congress.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, and annually thereafter for 10 years, 
     the Secretary shall submit to Congress a report describing 
     methods to improve the cybersecurity of small entities, 
     including through the adoption of policies, controls, and 
     classes of products and services that have been demonstrated 
     to reduce cybersecurity risk.
       (2) Matters to be included.--The report required under 
     paragraph (1) shall--
       (A) identify barriers or challenges for small entities in 
     purchasing or acquiring

[[Page S5265]]

     classes of products and services that promote the 
     cybersecurity of small entities;
       (B) assess market availability, market pricing, and 
     affordability of classes of products and services that 
     promote the cybersecurity of small entities, with particular 
     attention to identifying high-risk and underserved sectors or 
     regions;
       (C) estimate the costs and benefits of policies that 
     promote the cybersecurity of small entities, including--
       (i) tax breaks;
       (ii) grants and subsidies; and
       (iii) other incentives as determined appropriate by the 
     Secretary;
       (D) describe evidence-based cybersecurity controls and 
     policies that improve the cybersecurity of small entities;
       (E) with respect to the incentives described in 
     subparagraph (C), recommend measures that can effectively 
     improve cybersecurity at scale for small entities; and
       (F) include any other matters as the Secretary determines 
     relevant.
       (3) Specific sectors of small entities.--In preparing the 
     report required under paragraph (1), the Secretary may 
     include matters applicable for specific sectors of small 
     entities in addition to matters applicable to all small 
     entities.
       (4) Consultation.--In preparing the report required under 
     paragraph (1), the Secretary shall consult with--
       (A) the Administrator, the Director of CISA, and the 
     Commission; and
       (B) small entities, insurers of risks related to 
     cybersecurity, State governments, cybersecurity and 
     information technology companies that work with small 
     entities, and academic and Federal and non-Federal experts in 
     cybersecurity.
       (d) Periodic Census on State of Cybersecurity of Small 
     Businesses.--
       (1) In general.--Not later than 1 year after the date of 
     enactment of this Act, and not less frequently than every 24 
     months thereafter for 10 years, the Administrator shall 
     submit to Congress and make publicly available data on the 
     state of cybersecurity of small businesses, including, to the 
     extent practicable--
       (A) adoption of the cybersecurity recommendations from the 
     annual cybersecurity report among small businesses;
       (B) the most significant and widespread cybersecurity 
     threats facing small businesses;
       (C) the amount small businesses spend on cybersecurity 
     products and services; and
       (D) the personnel small businesses dedicate to 
     cybersecurity, including the amount of total personnel time, 
     whether by employees or contractors, dedicated to 
     cybersecurity efforts.
       (2) Voluntary participation.--In carrying out paragraph 
     (1), the Administrator shall collect data from small 
     businesses that participate on a voluntary basis.
       (3) Form.--The data required under paragraph (1) shall be 
     produced in unclassified form but may contain a classified 
     annex.
       (4) Consultation.--In preparing to collect the data 
     required under paragraph (1), the Administrator shall consult 
     with--
       (A) the Secretary, the Director of CISA, and the 
     Commission; and
       (B) small businesses, insurers of risks related to 
     cybersecurity, cybersecurity and information technology 
     companies that work with small businesses, and academic and 
     Federal and non-Federal experts in cybersecurity.
       (5) Privacy.--In carrying out this subsection, the 
     Administrator shall ensure that any publicly available data 
     is anonymized and does not reveal personally identifiable 
     information.
       (e) Rule of Construction.--Nothing in this section or the 
     amendments made by this section shall be construed to provide 
     any additional regulatory authority to CISA.