[Congressional Record Volume 168, Number 188 (Monday, December 5, 2022)]
[House]
[Pages H8736-H8738]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                              {time}  1430
                        SBA CYBER AWARENESS ACT

  Ms. VELAZQUEZ. Mr. Speaker, I move to suspend the rules and concur in 
the Senate amendment to the bill (H.R. 3462) to require an annual 
report on the cybersecurity of the Small Business Administration, and 
for other purposes.
  The Clerk read the title of the bill.
  The text of the Senate amendment is as follows:
  Senate amendment:

       Strike out all after the enacting clause and insert:

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``SBA Cyber Awareness Act''.

     SEC. 2. CYBERSECURITY AWARENESS REPORTING.

       (a) In General.--Section 10 of the Small Business Act (15 
     U.S.C. 639) is amended by inserting after subsection (a) the 
     following:
       ``(b) Cybersecurity Reports.--
       ``(1) Annual report.--Not later than 180 days after the 
     date of enactment of this subsection, and every year 
     thereafter, the Administrator shall submit a report to the 
     appropriate congressional committees that includes--
       ``(A) a strategy to increase the cybersecurity of 
     information technology infrastructure of the Administration;
       ``(B) a supply chain risk management strategy and an 
     implementation plan to address the risks of foreign 
     manufactured information technology equipment utilized by the 
     Administration, including specific risk mitigation activities 
     for components originating from entities with principal 
     places of business located in the People's Republic of China; 
     and
       ``(C) an account of--
       ``(i) any incident that occurred at the Administration 
     during the 2-year period preceding the date on which the 
     first report is submitted, and, for subsequent reports, the 
     1-year period preceding the date of submission; and
       ``(ii) any action taken by the Administrator to respond to 
     or remediate any such incident.
       ``(2) FISMA reports.--Each report required under paragraph 
     (1) may be submitted as part of the report required under 
     section 3554 of title 44, United States Code.
       ``(3) Rule of construction.--Nothing in this subsection 
     shall be construed to affect the reporting requirements of 
     the Administrator under chapter 35 of title 44, United States 
     Code, in particular the requirement to notify the Federal 
     information security incident center under section 
     3554(b)(7)(C)(ii) of such title, any guidance
     issued by the Office of Management and Budget, or any other 
     provision of law or Federal policy.
       ``(4) Definitions.--In this subsection:
       ``(A) Appropriate congressional committees.--The term 
     `appropriate congressional committees' means--
       ``(i) the Committee on Small Business and Entrepreneurship 
     of the Senate;
       ``(ii) the Committee on Homeland Security and Governmental 
     Affairs of the Senate;
       ``(iii) the Committee on Small Business of the House of 
     Representatives; and
       ``(iv) the Committee on Oversight and Reform of the House 
     of Representatives.
       ``(B) Incident.--The term `incident' has the meaning given 
     the term in section 3552 of title 44, United States Code.
       ``(C) Information technology.--The term `information 
     technology' has the meaning given the term in section 3502 of 
     title 44, United States Code.''.
       (b) Report.--Not later than 1 year after the date of 
     enactment of this Act, the Administrator of the Small 
     Business Administration shall, to the greatest extent 
     practicable, provide to the Committee on Small Business and 
     Entrepreneurship of the Senate, the Committee on Homeland 
     Security and Governmental Affairs of the Senate, the 
     Committee on Small Business of the House of Representatives, 
     and the Committee on Oversight and Reform of the House of 
     Representatives a detailed account of information technology 
     (as defined in section 3502 of title 44, United States Code) 
     of the Small Business Administration that was manufactured by 
     an entity that has its principal place of business located in 
     the People's Republic of China.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
New York (Ms. Velazquez) and the gentleman from Missouri (Mr. 
Luetkemeyer) each will control 20 minutes.
  The Chair recognizes the gentlewoman from New York.


                             General Leave

  Ms. VELAZQUEZ. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days in which to revise and extend their remarks 
and include extraneous material on the measure under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from New York?
  There was no objection.
  Ms. VELAZQUEZ. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, I thank all the members of the Small Business Committee 
for their hard work this Congress on behalf of our Nation's 32 million 
small business owners.
  These bills will help small firms in a number of areas: strengthen 
cybersecurity and broadband access, improve exporting, and enhance 
recovery assistance from natural disasters.
  They are the product of the bipartisan and bicameral work of the 
House and Senate Small Business Committees. I hope that we can come 
together today and approve these bills.
  First, we will consider H.R. 3462, the SBA Cyber Awareness Act, as 
amended and passed by the Senate. For more than 20 years, the SBA's IG 
has listed IT security as one of the most serious management and 
performance challenges for SBA. These vulnerabilities were exposed 
during the rollout of the SBA COVID-19 relief programs.
  The unprecedented demand for programs like PPP and the COVID EIDL 
overwhelmed the SBA's legacy system, leading to back-end crashes, slow 
portal operations, and a breach that exposed applicants' personal 
information. SBA failed to make any public announcement about the data 
breach, and it took weeks for the agency to send paper notifications to 
affected individuals.
  H.R. 3462 would require the SBA to assess its cybersecurity 
procedures and submit a cybersecurity report to Congress within 180 
days of passage and annually thereafter.
  SBA possesses sensitive information belonging to countless American 
small business owners. We must ensure this data is protected from bad 
actors in cyberspace.
  The Senate-passed version we are voting on today reinforces reporting 
requirements established by the Federal Information Security Management 
Act of 2002.
  I support the changes and thank the Senate for improving this 
legislation. I thank Mr. Crow of Colorado and Mrs. Kim of California 
for introducing and championing this bill. Their relentless efforts on 
this issue are why we are here today.
  Mr. Speaker, I urge my colleagues to support H.R. 3462, as amended by 
the Senate, and I reserve the balance of my time.
  Mr. LUETKEMEYER. Mr. Speaker, I yield myself such time as I may 
consume and rise in support of H.R. 3462, the SBA Cyber Awareness Act, 
as amended by the Senate.
  Cyberattacks are too common in today's world. They cost the U.S. 
economy billions of dollars each year and have the ability to harm and 
shut down small businesses, which often operate on the thinnest of 
margins.
  Any cyber intrusion on a small business creates great pain and 
uncertainty. H.R. 3462 takes important steps to enhance and support our 
small businesses and the Federal Government from bad actors.
  This bill strengthens cybersecurity operations at the Small Business 
Administration by requiring the agency to issue a report to Congress 
that assesses its ability to respond to cyber threats.
  Additionally, H.R. 3462 requires the SBA to assess its own 
cybersecurity framework and report on any incidents in a timely 
fashion.
  H.R. 3462 passed the House last year with a vote of 423-0, Mr. 
Speaker, and was recently approved by the Senate with an amendment to 
strengthen reporting requirements by focusing on supply chain and 
foreign technology risk.
  I thank the gentleman from Colorado (Mr. Crow), the gentlewoman from 
California (Mrs. Kim), and the gentleman from Nebraska (Mr. Flood) for 
working together to protect small businesses, as well as our Senate 
colleagues who worked on this bill. I also thank the chair for pushing 
this bill forward.
  I urge my colleagues to support the Senate amendment to H.R. 3462, 
and I reserve the balance of my time.
  Ms. VELAZQUEZ. Mr. Speaker, I yield 3 minutes to the gentleman from 
Colorado (Mr. Crow).
  Mr. CROW. Mr. Speaker, I rise today in support of H.R. 3462, the 
bipartisan SBA Cyber Awareness Act.
  The Small Business Administration supports small businesses in every 
corner of the country. With the support of Congress, the SBA has gone 
to bat for small businesses during the COVID-19 pandemic through relief 
programs like PPP and EIDL. Yet, year after year, the SBA's Office of 
Inspector General has found that IT security is one of the agency's 
most serious management and performance challenges.
  The pandemic highlighted the gaps in the agency's cybersecurity. As a 
result of high demand, a glitch in the EIDL application exposed the 
personal information of over 8,000 applicants.
  We need to bolster the SBA's cybersecurity so that the SBA can better 
protect small businesses' information and continue to help small 
businesses nationwide.
  My bill, the SBA Cyber Awareness Act, would direct the SBA to issue 
an annual report on the agency's cybersecurity strategy, as well as 
disclosure of recent threats and breaches. Under this bill, the SBA 
would also report on its supply chain risk management strategy and 
issue a plan to address the risks of foreign manufactured information 
technology used by the agency, including components originating from 
the People's Republic of China.
  This bill passed the Senate by unanimous consent, and a similar 
version passed the House of Representatives unopposed last year in 
November 2021.
  I thank the bill's Republican co-lead, Representative Young Kim, for 
her support, as well as Chairwoman Velazquez, Ranking Member 
Luetkemeyer, and the staff of the Small Business Committee, all of whom 
have been critical in advancing this measure.
  Mr. Speaker, I urge my colleagues to join me again in supporting this 
commonsense bill to support SBA cybersecurity.
  Mr. LUETKEMEYER. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, the threat of a cyberattack on a small business is 
constant. A cyber intrusion, no matter the magnitude, could have 
devastating and consequential impacts for the Nation's smallest 
businesses.
  We must ensure the agency charged with helping the Nation's over 33 
million small businesses is prepared. H.R. 3462 and the Senate's 
corresponding amendment do just that.
  Mr. Speaker, I encourage my colleagues to support the legislation 
before us today that will better protect the Federal Government and 
America's small businesses from cyberattack, and I yield back the 
balance of my time.
  Ms. VELAZQUEZ. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, the average cost of a data breach in the United States 
is over $9 million. For small businesses operating on razor-thin 
margins, an event like this can be catastrophic.
  Small businesses must be confident that SBA systems are fully 
operational and capable of protecting their sensitive data. H.R. 3462 
will go a long way toward rebuilding trust in the agency's IT 
infrastructure.
  I thank my colleagues, Mr. Crow of Colorado and Mrs. Kim of 
California, for their leadership on this issue.
  Mr. Speaker, I urge my colleagues to concur with the Senate amendment 
to the bill, H.R. 3462, and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from New York (Ms. Velazquez) that the House suspend the 
rules and concur in the Senate amendment to the bill, H.R. 3462.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. ROSENDALE. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this motion will be postponed.
