[Congressional Record Volume 168, Number 188 (Monday, December 5, 2022)]
[House]
[Pages H8736-H8738]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
{time} 1430
SBA CYBER AWARENESS ACT
Ms. VELAZQUEZ. Mr. Speaker, I move to suspend the rules and concur in
the Senate amendment to the bill (H.R. 3462) to require an annual
report on the cybersecurity of the Small Business Administration, and
for other purposes.
The Clerk read the title of the bill.
The text of the Senate amendment is as follows:
Senate amendment:
Strike out all after the enacting clause and insert:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. CYBERSECURITY AWARENESS REPORTING.
(a) In General.--Section 10 of the Small Business Act (15
U.S.C. 639) is amended by inserting after subsection (a) the
following:
``(b) Cybersecurity Reports.--
``(1) Annual report.--Not later than 180 days after the
date of enactment of this subsection, and every year
thereafter, the Administrator shall submit a report to the
appropriate congressional committees that includes--
``(A) a strategy to increase the cybersecurity of
information technology infrastructure of the Administration;
``(B) a supply chain risk management strategy and an
implementation plan to address the risks of foreign
manufactured information technology equipment utilized by the
Administration, including specific risk mitigation activities
for components originating from entities with principal
places of business located in the People's Republic of China;
and
``(C) an account of--
``(i) any incident that occurred at the Administration
during the 2-year period preceding the date on which the
first report is submitted, and, for subsequent reports, the
1-year period preceding the date of submission; and
``(ii) any action taken by the Administrator to respond to
or remediate any such incident.
``(2) FISMA reports.--Each report required under paragraph
(1) may be submitted as part of the report required under
section 3554 of title 44, United States Code.
``(3) Rule of construction.--Nothing in this subsection
shall be construed to affect the reporting requirements of
the Administrator under chapter 35 of title 44, United States
Code, in particular the requirement to notify the Federal
information security incident center under section
3554(b)(7)(C)(ii) of such title, any guidance
[[Page H8737]]
issued by the Office of Management and Budget, or any other
provision of law or Federal policy.
``(4) Definitions.--In this subsection:
``(A) Appropriate congressional committees.--The term
`appropriate congressional committees' means--
``(i) the Committee on Small Business and Entrepreneurship
of the Senate;
``(ii) the Committee on Homeland Security and Governmental
Affairs of the Senate;
``(iii) the Committee on Small Business of the House of
Representatives; and
``(iv) the Committee on Oversight and Reform of the House
of Representatives.
``(B) Incident.--The term `incident' has the meaning given
the term in section 3552 of title 44, United States Code.
``(C) Information technology.--The term `information
technology' has the meaning given the term in section 3502 of
title 44, United States Code.''.
(b) Report.--Not later than 1 year after the date of
enactment of this Act, the Administrator of the Small
Business Administration shall, to the greatest extent
practicable, provide to the Committee on Small Business and
Entrepreneurship of the Senate, the Committee on Homeland
Security and Governmental Affairs of the Senate, the
Committee on Small Business of the House of Representatives,
and the Committee on Oversight and Reform of the House of
Representatives a detailed account of information technology
(as defined in section 3502 of title 44, United States Code)
of the Small Business Administration that was manufactured by
an entity that has its principal place of business located in
the People's Republic of China.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
New York (Ms. Velazquez) and the gentleman from Missouri (Mr.
Luetkemeyer) each will control 20 minutes.
The Chair recognizes the gentlewoman from New York.
General Leave
Ms. VELAZQUEZ. Mr. Speaker, I ask unanimous consent that all Members
may have 5 legislative days in which to revise and extend their remarks
and include extraneous material on the measure under consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from New York?
There was no objection.
Ms. VELAZQUEZ. Mr. Speaker, I yield myself such time as I may
consume.
Mr. Speaker, I thank all the members of the Small Business Committee
for their hard work this Congress on behalf of our Nation's 32 million
small business owners.
These bills will help small firms in a number of areas: strengthen
cybersecurity and broadband access, improve exporting, and enhance
recovery assistance from natural disasters.
They are the product of the bipartisan and bicameral work of the
House and Senate Small Business Committees. I hope that we can come
together today and approve these bills.
First, we will consider H.R. 3462, the SBA Cyber Awareness Act, as
amended and passed by the Senate. For more than 20 years, the SBA's IG
has listed IT security as one of the most serious management and
performance challenges for SBA. These vulnerabilities were exposed
during the rollout of the SBA COVID-19 relief programs.
The unprecedented demand for programs like PPP and the COVID EIDL
overwhelmed the SBA's legacy system, leading to back-end crashes, slow
portal operations, and a breach that exposed applicants' personal
information. SBA failed to make any public announcement about the data
breach, and it took weeks for the agency to send paper notifications to
affected individuals.
H.R. 3462 would require the SBA to assess its cybersecurity
procedures and submit a cybersecurity report to Congress within 180
days of passage and annually thereafter.
SBA possesses sensitive information belonging to countless American
small business owners. We must ensure this data is protected from bad
actors in cyberspace.
The Senate-passed version we are voting on today reinforces reporting
requirements established by the Federal Information Security Management
Act of 2002.
I support the changes and thank the Senate for improving this
legislation. I thank Mr. Crow of Colorado and Mrs. Kim of California
for introducing and championing this bill. Their relentless efforts on
this issue is why we are here today.
Mr. Speaker, I urge my colleagues to support H.R. 3462, as amended by
the Senate, and I reserve the balance of my time.
Mr. LUETKEMEYER. Mr. Speaker, I yield myself such time as I may
consume and rise in support of H.R. 3462, the SBA Cyber Awareness Act,
as amended by the Senate.
Cyberattacks are too common in today's world. They cost the U.S.
economy billions of dollars each year and have the ability to harm and
shut down small businesses, which often operate on the thinnest of
margins.
Any cyber intrusion on a small business creates great pain and
uncertainty. H.R. 3462 takes important steps to enhance and support our
small businesses and the Federal Government from bad actors.
This bill strengthens cybersecurity operations at the Small Business
Administration by requiring the agency to issue a report to Congress
that assesses its ability to respond to cyber threats.
Additionally, H.R. 3462 requires the SBA to assess its own
cybersecurity framework and report on any incidents in a timely
fashion.
H.R. 3462 passed the House last year with a vote of 423-0, Mr.
Speaker, and was recently approved by the Senate with an amendment to
strengthen reporting requirements by focusing on supply chain and
foreign technology risk.
I thank the gentleman from Colorado (Mr. Crow), the gentlewoman from
California (Mrs. Kim), and the gentleman from Nebraska (Mr. Flood) for
working together to protect small businesses, as well as our Senate
colleagues who worked on this bill. I also thank the chair for pushing
this bill forward.
I urge my colleagues to support the Senate amendment to H.R. 3462,
and I reserve the balance of my time.
Ms. VELAZQUEZ. Mr. Speaker, I yield 3 minutes to the gentleman from
Colorado (Mr. Crow).
Mr. CROW. Mr. Speaker, I rise today in support of H.R. 3462, the
bipartisan SBA Cyber Awareness Act.
The Small Business Administration supports small businesses in every
corner of the country. With the support of Congress, the SBA has gone
to bat for small businesses during the COVID-19 pandemic through relief
programs like PPP and EIDL. Yet, year after year, the SBA's Office of
Inspector General has found that IT security is one of the agency's
most serious management and performance challenges.
The pandemic highlighted the gaps in the agency's cybersecurity. As a
result of high demand, a glitch in the EIDL application exposed the
personal information of over 8,000 applicants.
We need to bolster the SBA's cybersecurity so that the SBA can better
protect small businesses' information and continue to help small
businesses nationwide.
My bill, the SBA Cyber Awareness Act, would direct the SBA to issue
an annual report on the agency's cybersecurity strategy, as well as
disclosure of recent threats and breaches. Under this bill, the SBA
would also report on its supply chain risk management strategy and
issue a plan to address the risks of foreign manufactured information
technology used by the agency, including components originating from
the People's Republic of China.
This bill passed the Senate by unanimous consent, and a similar
version passed the House of Representatives unopposed last year in
November 2021.
I thank the bill's Republican co-lead, Representative Young Kim, for
her support, as well as Chairwoman Velazquez, Ranking Member
Luetkemeyer, and the staff of the Small Business Committee, all of whom
have been critical in advancing this measure.
Mr. Speaker, I urge my colleagues to join me again in supporting this
commonsense bill to support SBA cybersecurity.
Mr. LUETKEMEYER. Mr. Speaker, I yield myself the balance of my time.
Mr. Speaker, the threat of a cyberattack on a small business is
constant. A cyber intrusion, no matter the magnitude, could have
devastating and consequential impacts for the Nation's smallest
businesses.
We must ensure the agency charged with helping the Nation's over 33
million small businesses is prepared. H.R. 3462 and the Senate's
corresponding amendment do just that.
Mr. Speaker, I encourage my colleagues to support the legislation
before us today that will better protect the Federal Government and
America's small businesses from cyberattack, and I yield back the
balance of my time.
Ms. VELAZQUEZ. Mr. Speaker, I yield myself the balance of my time.
[[Page H8738]]
Mr. Speaker, the average cost of a data breach in the United States
is over $9 million. For small businesses operating on razor-thin
margins, an event like this can be catastrophic.
Small businesses must be confident that SBA systems are fully
operational and capable of protecting their sensitive data. H.R. 3462
will go a long way toward rebuilding trust in the agency's IT
infrastructure.
I thank my colleagues, Mr. Crow of Colorado and Mrs. Kim of
California, for their leadership on this issue.
Mr. Speaker, I urge my colleagues to concur with the Senate amendment
to the bill, H.R. 3462, and I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentlewoman from New York (Ms. Velazquez) that the House suspend the
rules and concur in the Senate amendment to the bill, H.R. 3462.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. ROSENDALE. Mr. Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further
proceedings on this motion will be postponed.
____________________