[House Report 116-114]
[From the U.S. Government Publishing Office]


116th Congress   }                                     {        Report
                        HOUSE OF REPRESENTATIVES
 1st Session     }                                     {       116-114

======================================================================



 
                        SBA CYBER AWARENESS ACT

                                _______
                                

 June 13, 2019.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Ms. Velazquez, from the Committee on Small Business, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 2331]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Small Business, to whom was referred the 
bill (H.R. 2331) to require an annual report on the 
cybersecurity of the Small Business Administration, and for 
other purposes, having considered the same, report favorably 
thereon without amendment and recommend that the bill do pass.

                                CONTENTS

                                                                   Page
   I. Purpose and Bill Summary........................................1
  II. Background and Need for Legislation.............................2
 III. Hearings........................................................2
  IV. Committee Consideration.........................................2
   V. Committee Votes.................................................2
  VI. Section-by-Section Analysis for H.R. 2331.......................5
 VII. Congressional Budget Office Cost Estimate.......................5
VIII. Unfunded Mandates...............................................6
  IX. New Budget Authority, Entitlement Authority, and Tax Expenditures 6
   X. Oversight Findings..............................................6
  XI. Statement of Constitutional Authority...........................7
 XII. Congressional Accountability Act................................7
XIII. Federal Advisory Committee Act Statement........................7
 XIV. Statement of No Earmarks........................................7
  XV. Statement of Duplication of Federal Programs....................7
 XVI. Disclosure of Directed Rule Makings.............................7
XVII. Performance Goals and Objectives................................7
XVIII.Changes in Existing Law, Made by the Bill, As Reported..........7


                      I. Purpose and Bill Summary

    The purpose of H.R. 2331 is to amend the Small Business Act 
to require the Small Business Administrator (SBA) to issue 
annual reports assessing its IT and cybersecurity 
infrastructure and notify Congress and affected parties of 
cyber incidents when they occur.

                II. Background and Need for Legislation

    In June 2015, the U.S. Office of Personnel Management 
announced that it had been the target of a massive data breach 
affecting over 20 million people. The announcement raised 
awareness of the vulnerability of the federal government's IT 
infrastructure and brought about a bipartisan and bicameral 
letter to agencies requesting information on legacy IT 
systems.\1\ In May 2017, the Modernizing Government Technology 
Act of 2017 passed the House. The bill sought to establish two 
types of funds to retire vulnerable IT systems and address 
evolving cybersecurity threats.\2\ In the Fiscal Year 2019 
NDAA, Congress passed requirements for the Department of 
Defense to report cybersecurity breaches.\3\
---------------------------------------------------------------------------
    \1\See Letter from the Hon. Jason Chaffetz, Chairman, H. Comm. on 
Oversight & Gov't Reform, Hon. Ron Johnson, Chairman, S. Comm. on 
Homeland Security & Gov't Affairs, et. al, to federal agencies (Dec. 
22, 2015) (letter and agency responses on file with the Committee).
    \2\See H.R. 2227, See also National Defense Authorization Act for 
Fiscal Year 2018, Pub. L. No. 115-91, Sec. 1077, 131 Stat. 1283 (2017). 
(Congress enacted a section of the Fiscal Year 2018 NDAA titled the 
Modernizing Government Technology Act authorizing two types of funds to 
modernize the federal government's legacy IT.).
    \3\See John S. McCain National Defense Authorization Act for Fiscal 
Year 2019, Pub. L. No. 115-232, Sec. 1639, 132 Stat. 1636 (2018).
---------------------------------------------------------------------------
    Thousands of the nation's vulnerable small businesses share 
sensitive data with the Small Business Administration to apply 
for government support. In October 2018, the SBA's Office of 
Inspector General issued a report indicating that the SBA still 
required action to effectively modernize its IT 
infrastructure.\4\
---------------------------------------------------------------------------
    \4\See U.S. Small Bus. Admin., Office of the Inspector Gen., 19-01, 
Report on Most Serious Management and Performance Challenges Facing the 
Small Business Administration in Fiscal Year 2019 4 (2018). See also 
U.S. Small Bus. Admin., Office of the Inspector Gen., 18-01, Report on 
Most Serious Management and Performance Challenges Facing the Small 
Business Administration in Fiscal Year 2018 4 (2017).
---------------------------------------------------------------------------

                             III. Hearings

    While multiple hearings have been held by the Committee 
over the past few years exploring the cybersecurity challenges 
facing small firms, no specific hearings in the 116th Congress 
have been held to explore the reforms of SBA's cyber 
infrastructure. The legislation builds upon the Committee's 
work overseeing the SBA's Office of the Chief Information 
Officer that is responsible for modernizing and strengthening 
the Agency's information technology systems.

                      IV. Committee Consideration

    The Committee on Small Business met in open session, with a 
quorum being present, on May 1, 2019 and ordered H.R. 2331 
favorably reported to the House. During the markup, no 
amendments were offered.

                           V. Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto. The Committee voted by voice vote to favorably report 
H.R. 2331 to the House at 12:22 P.M.

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                  VI. Section-by-Section of H.R. 2331


Section 1. Short title

    This Act may be cited as the ``SBA Cyber Awareness Act''.

Section 2. Cybersecurity awareness reporting

    This section amends Section 10 of the Small Business Act by 
adding a Cyber Security Reporting Requirement for the Small 
Business Administration. The section requires the Small 
Business Administrator to issue a report not later than 180 
days after the date of enactment of the subsection and every 
year thereafter including (1) an assessment of the SBA's IT and 
cybersecurity infrastructure, (2) its strategy to improve 
cybersecurity protections, (3) a detailed account of any 
information technology equipment of the SBA that was 
manufactured by an entity with a principal place of business in 
the People's Republic of China, and (4) a report of any cyber 
risk or incident occurring within the two years preceding the 
report and SBA's actions to remediate the cyber risk or 
incident.
    The Small Business Administrator is also instructed to 
notify the House and Senate small business committees within 7 
days, and within 30 days (1) notify the individuals and small 
business concerns affected by the cybersecurity risk or 
incident and (2) submit a report summarizing how the cyber risk 
or incident occurred and how many parties were affected.

             VII. Congressional Budget Office Cost Estimate

    The Congressional Budget Office pursuant to Sec. 402 of the 
Congressional Budget Act of 1974, submitted a cost estimate for 
H.R. 2331 that stated enacting the legislation would not 
increase net direct spending or on budget deficits in any of 
the four consecutive 10-year periods beginning in 2030.

                                     U.S. Congress,
                               Congressional Budget Office,
                                      Washington, DC, May 20, 2019.
Hon. Nydia M. Velazquez,
Chairwoman, Committee on Small Business,
House of Representatives, Washington, DC.
    Dear Madam Chairwoman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 2331, the SBA 
Cyber Awareness Act. If you wish further details on this 
estimate, we will be pleased to provide them. The CBO staff 
contact is David Hughes.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

H.R. 2331--SBA Cyber Awareness Act

    H.R. 2331 would require the Small Business Administration 
(SBA) to report annually to the Congress on the state of its 
information technology (IT) and cybersecurity systems, the 
methods it could use to improve cybersecurity, any IT equipment 
or systems it has that were produced by an entity doing 
business principally in China, and any recent cybersecurity 
risks or incidents and subsequent responses. H.R. 2331 would 
also require the SBA to report all cybersecurity risks or 
incidents to the Congress as they occur and to notify the 
individuals and small businesses affected.
    Under current law, the SBA is required to submit an annual 
performance report to the Congress that includes information 
concerning agency cybersecurity efforts. In addition, the 
Federal Information Security Modernization Act of 2014 requires 
federal agencies, including the SBA, to report on the 
effectiveness of their information security policies and 
practices each year. Although H.R. 2331 would impose new 
reporting requirements upon the SBA, the work required to 
fulfill most of those requirements would not be significant 
because the SBA already collects most of the information needed 
in those reports.
    On April 23, 2019, CBO transmitted a cost estimate for S. 
772, the SBA Cyber Awareness Act, as ordered by the Senate 
Committee on Small Business and Entrepreneurship on April 1, 
2019. The two bills are similar and CBO's estimates of their 
cost are the same.
    The CBO staff contact for this estimate is David Hughes. 
The estimate was reviewed by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

                        VIII. Unfunded Mandates

    H.R. 2331 contains no intergovernmental or private sector 
mandates as defined in the Unfunded Mandates Reform Act, Public 
Law No. 104-4, and would impose no costs on state, local, or 
tribal governments.

 IX. New Budget Authority, Entitlement Authority, and Tax Expenditures

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House, the Committee provides the following opinion and 
estimate with respect to new budget authority, entitlement 
authority, and tax expenditures. While the Committee has not 
received an estimate of new budget authority contained in the 
cost estimate prepared by the Director of the Congressional 
Budget Office pursuant to Sec. 402 of the Congressional Budget 
Act of 1974, the Committee does not believe that there will be 
any additional costs attributable to this legislation. H.R. 
2331 does not direct new spending, but instead reallocates 
funding independently authorized and appropriated.

                         X. Oversight Findings

    In accordance with clause 2(b)(1) of rule X of the Rules of 
the House, the oversight findings and recommendations of the 
Committee on Small Business with respect to the subject matter 
contained in H.R. 2331 are incorporated into the descriptive 
portions of this report.

               XI. Statement of Constitutional Authority

    Pursuant to clause 7 of rule XII of the Rules of the House 
of Representatives, the Committee finds the authority for this 
legislation in Art. I, Sec. 8, cl. 3 of the Constitution of the 
United States.

                 XII. Congressional Accountability Act

    H.R. 2331 does not relate to the terms and conditions of 
employment or access to public services or accommodations 
within the meaning of Sec. 102(b)(3) of Public Law No. 104-1.

             XIII. Federal Advisory Committee Act Statement

    H.R. 2331 does not establish or authorize the establishment 
of any new advisory committees as that term is defined in the 
Federal Advisory Committee Act, 5 U.S.C. App. 2.

                     XIV. Statement of No Earmarks

    Pursuant to clause 9 of rule XXI, H.R. 2331 does not 
contain any congressional earmarks, limited tax benefits, or 
limited tariff benefits as defined in subsections (d), (e), or 
(f) of clause 9 of rule XXI of the Rules of the House.

            XV. Statement of Duplication of Federal Programs

    Pursuant to clause 3 of rule XIII of the Rules of the 
House, no provision of H.R. 2331 establishes or reauthorizes a 
program of the federal government known to be duplicative of 
another federal program, a program that was included in any 
report from the United States Government Accountability Office 
pursuant to Sec. 21 of Pub. L. No. 111-139, or a program 
related to a program identified in the most recent catalog of 
federal domestic assistance.

                XVI. Disclosure of Directed Rulemakings

    Pursuant to clause 3 of rule XIII of the Rules of the 
House, H.R. 2331 does not direct any rulemaking.

                 XVII. Performance Goals and Objectives

    Pursuant to clause 3(c)(4) of rule XII of the Rules of the 
House, the Committee establishes the following performance-
related goals and objectives for this legislation:
    H.R. 2331 includes a number of provisions designed to 
improve the Small Business Administration's internal 
cybersecurity infrastructure and protect small businesses and 
other individuals impacted in the event that a cyber incident 
has occurred.

      XVIII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause (E) of rule XIII of the Rules of 
the House, changes in existing law made by the bill, as 
reported, are shown as follows: existing law proposed to be 
omitted is enclosed in black brackets, new matter is printed in 
italic, and existing law in which no change is proposed is 
shown in roman:

         Changes in Existing Law Made by the Bill, as Reported

  In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows (new matter is 
printed in italic and existing law in which no change is 
proposed is shown in roman):

                           SMALL BUSINESS ACT




           *       *       *       *       *       *       *
  Sec. 10. (a) The Administration shall, as soon as practicable 
each fiscal year make a comprehensive annual report to the 
President, the President of the Senate, the Senate Select 
Committee on Small Business, and the Speaker of the House of 
Representatives. Such report shall include a description of the 
state of small business in the Nation and the several States, 
and a description of the operations of the Administration under 
this chapter, including, but not limited to, the general 
lending, disaster relief, Government regulation relief, 
procurement and property disposal, research and development, 
technical assistance, dissemination of data and information, 
and other functions under the jurisdiction of the 
Administration during the previous fiscal year. Such report 
shall contain recommendations for strengthening or improving 
such programs, or, when necessary or desirable to implement 
more effectively congressional policies and proposals, for 
establishing new or alternative programs. In addition, such 
report shall include the names of the business concerns to whom 
contracts are let and for whom financing is arranged by the 
Administration, together with the amounts involved. With 
respect to minority small business concerns, the report shall 
include the proportion of loans and other assistance under this 
Act provided to such concerns, the goals of the Administration 
for the next fiscal year with respect to such concerns, and 
recommendations for improving assistance to minority small 
business concerns under this Act.
  (b) Cybersecurity Reports.--
          (1) Annual report.--Not later than 180 days after the 
        date of enactment of this subsection, and every year 
        thereafter, the Administrator shall submit a report to 
        the appropriate congressional committees that 
        includes--
                  (A) an assessment of the information 
                technology (as defined in section 11101 of 
                title 40, United States Code) and cybersecurity 
                infrastructure of the Administration;
                  (B) a strategy to increase the cy-ber-se-cu-
                ri-ty infrastructure of the Administration;
                  (C) a detailed account of any information 
                technology equipment or interconnected system 
                or subsystem of equipment of the Administration 
                that was manufactured by an entity that has its 
                principal place of business located in the 
                People's Republic of China; and
                  (D) an account of any cybersecurity risk or 
                incident that occurred at the Administration 
                during the 2-year period preceding the date on 
                which the report is submitted, and any action 
                taken by the Administrator to respond to or 
                remediate any such cybersecurity risk or 
                incident.
          (2) Additional reports.--If the Administrator 
        determines that there is a reasonable basis to conclude 
        that a cybersecurity risk or incident occurred at the 
        Administration, the Administrator shall--
                  (A) not later than 7 days after the date on 
                which the Administrator makes that 
                determination, notify the appropriate 
                congressional committees of the cybersecurity 
                risk or incident; and
                  (B) not later than 30 days after the date on 
                which the Administrator makes a determination 
                under subparagraph (A)--
                          (i) provide notice to individuals and 
                        small business concerns affected by the 
                        cybersecurity risk or incident; and
                          (ii) submit to the appropriate 
                        congressional committees a report, 
                        based on information available to the 
                        Administrator as of the date which the 
                        Administrator submits the report, that 
                        includes--
                                  (I) a summary of information 
                                about the cybersecurity risk or 
                                incident, including how the 
                                cybersecurity risk or incident 
                                occurred; and
                                  (II) an estimate of the 
                                number of individuals and small 
                                business concerns affected by 
                                the cybersecurity risk or 
                                incident, including an 
                                assessment of the risk of harm 
                                to affected individuals and 
                                small business concerns.
          (3) Rule of construction.--Nothing in this subsection 
        shall be construed to affect the reporting requirements 
        of the Administrator under chapter 35 of title 44, 
        United States Code, in particular the requirement to 
        notify the Federal information security incident center 
        under section 3554(b)(7)(C)(ii) of such title, or any 
        other provision of law.
          (4) Definitions.--In this subsection:
                  (A) Appropriate congressional committees.--
                The term ``appropriate congressional 
                committees'' means--
                          (i) the Committee on Small Business 
                        and Entrepreneurship of the Senate; and
                          (ii) the Committee on Small Business 
                        of the House of Representatives.
                  (B) Cybersecurity risk; incident.--The terms 
                ``cybersecurity risk'' and ``incident'' have 
                the meanings given such terms, respectively, 
                under section 2209(a) of the Homeland Security 
                Act of 2002.
  (d) For the purpose of aiding in carrying out the national 
policy to insure that a fair proportion of the total purchases 
and contracts for property and services for the Government be 
placed with small business enterprises, and to maintain and 
strengthen the overall economy of the Nation, the Department of 
Defense shall make an annual report to the Committees on Small 
Business of the Senate and the House of Representatives, 
showing the amount of funds appropriated to the Department of 
Defense which have been expended, obligated, or contracted to 
be spent with small business concerns and the amount of such 
funds expended, obligated, or contracted to be spent with firms 
other than small business in the same fields of operation; and 
such reports shall show separately the funds expended, 
obligated, or contracted to be spent for basic and applied 
scientific research and development.
  (e) The Administration and the Inspector General of the 
Administration shall retain all correspondence, records of 
inquiries, memoranda, reports, books, and records, including 
memoranda as to all investigations conducted by or for the 
Administration, for a period of at least one year from the date 
of each thereof, and shall at all times keep the same available 
for inspection and examination by the Senate Select Committee 
on Small Business and the Committee on Small Business of the 
House of Representatives or their duly authorized 
representatives.
  (2) The Committee on Small Business of either the Senate or 
the House of Representatives may request that the Office of the 
Inspector General of the Administration conduct an 
investigation of any program or activity conducted under the 
authority of section 7(j) or 8(a). Not later than thirty days 
after the receipt of such a request, the Inspector General 
shall inform the committee, in writing, of the disposition of 
the request by such office.
  (f) To the extent deemed necessary by the Administrator to 
protect and preserve small-business interests, the 
Administration shall consult and cooperate with other 
departments and agencies of the Federal Government in the 
formulation by the Administration of policies affecting small-
business concerns. When requested by the Administrator, each 
department and agency of the Federal Government shall consult 
and cooperate with the Administration in the formulation by 
such department or agency of policies affecting small-business 
concerns, in order to insure that small-business interests will 
be recognized, protected, and preserved. This subsection shall 
not require any department or agency to consult or cooperate 
with the Administration in any case where the head of such 
department or agency determines that such consultation or 
cooperation would unduly delay action which must be taken by 
such department or agency to protect the national interest in 
an emergency.
  (g) The Administration shall transmit, not later than 
December 31 of each year, to the Senate Select Committee on 
Small Business and Committee on Small Business of the House of 
Representatives a sealed report with respect to--
          (1) complaints alleging illegal conduct by employees 
        of the Administration which were received or acted upon 
        by the Administration during the preceding fiscal year; 
        and
          (2) investigations undertaken by the Administration, 
        including external and internal audits and security and 
        investigation reports.
  (h) The Administration shall transmit, not later than March 
31 of each year, to the Committees on Small Business of the 
Senate and House of Representatives a report on the secondary 
market operations during the preceding calendar year. This 
report shall include, but not be limited to, (1) the number and 
the total dollar amount of loans sold into the secondary market 
and the distribution of such loans by size of loan, size of 
lender, geographic location of lender, interest rate, maturity, 
lender servicing fees, whether the rate is fixed or variable, 
and premium paid; (2) the number and dollar amount of loans 
resold in the secondary market with a distribution by size of 
loan, interest rate, and premiums; (3) the number and total 
dollar amount of pools formed; (4) the number and total dollar 
amount of loans in each pool; (5) the dollar amount, interest 
rate, and terms on each loan in each pool and whether the rate 
is fixed or variable; (6) the number, face value, interest 
rate, and terms of the trust certificates issued for each pool; 
(7) to the maximum extent possible, the use by the lender of 
the proceeds of sales of loans in the secondary market for 
additional lending to small business concerns; and (8) an 
analysis of the information reported in (1) through (7) to 
assess small businesses' access to capital at reasonable rates 
and terms as a result of secondary market operations.

           *       *       *       *       *       *       *


                                  [all]