[House Report 117-138]
[From the U.S. Government Publishing Office]
117th Congress, 1st Session
HOUSE OF REPRESENTATIVES
Report 117-138
======================================================================
SBA CYBER AWARENESS ACT
_______
October 12, 2021.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______
Ms. Velazquez, from the Committee on Small Business, submitted the
following
R E P O R T
[To accompany H.R. 3462]
The Committee on Small Business, to whom was referred the
bill (H.R. 3462) to require an annual report on the
cybersecurity of the Small Business Administration, and for
other purposes, having considered the same, reports favorably
thereon without amendment and recommends that the bill do pass.
CONTENTS
I. Purpose and Bill Summary
II. Background and Need for Legislation
III. Hearings
IV. Committee Consideration
V. Committee Votes
VI. Section-by-Section Analysis for H.R. 3462
VII. Congressional Budget Cost Estimate
VIII. New Budget Authority, Entitlement Authority, and Tax Expenditures
IX. Committee Oversight Findings and Recommendations
X. Statement of General Performance Goals and Objectives
XI. Duplication of Federal Programs
XII. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
XIII. Federal Mandates Statement
XIV. Federal Advisory Committee Statement
XV. Applicability to Legislative Branch
XVI. Constitutional Authority Statement
XVII. Changes in Existing Law Made by the Bill, as Reported
I. Purpose and Bill Summary
The purpose of H.R. 3462, the ``SBA Cyber Awareness Act'',
is to amend the Small Business Act (the Act)\1\ to require the
Small Business Administration (SBA) to issue annual reports
assessing its information technology (IT) and cybersecurity
infrastructure and notify Congress and affected parties of
cyber incidents when they occur. Specifically, the bill would
require SBA to issue annual reports, which must include the
following information: (1) an assessment of SBA's IT and
cybersecurity infrastructure; (2) its strategy to improve
cybersecurity protections; (3) a detailed account of any IT
equipment of SBA that was manufactured by an entity with a
principal place of business in the People's Republic of China;
and (4) an account of any cybersecurity risk or incident
occurring within the two years preceding the date the report is
submitted, and SBA's actions to remediate the cybersecurity
risk or incident.
---------------------------------------------------------------------------
\1\Originally, title II of the Act of July 30, 1953, 67 Stat. 232,
was designated as the Small Business Act of 1953. A plethora of
amendments in subsequent Congresses led to a rewrite in 1958. Pub. L.
No. 85-536, Sec. 1, 72 Stat. 384 (1958). The Act is codified at 15
U.S.C. Sec. 631-657s.
---------------------------------------------------------------------------
In addition, if the Administrator determines that a
cybersecurity risk or incident occurred, SBA must notify the
House and Senate small business committees (committees) within
7 days of that determination and, within 30 days, notify the
individuals and small business concerns affected by the
cybersecurity risk or incident and submit to the committees a
report summarizing how the cybersecurity risk or incident
occurred and how many parties were affected.
II. Background and Need for Legislation
In June 2015, the U.S. Office of Personnel Management
announced that it had been the target of a massive data breach
affecting over 20 million people. The announcement raised
awareness of the vulnerability of the federal government's IT
infrastructure and brought about a bipartisan and bicameral
letter to agencies requesting information on legacy IT
systems.\2\ In May 2017, the Modernizing Government Technology
Act of 2017 passed the House of Representatives and was later
enacted through the Fiscal Year 2018 National Defense
Authorization Act (NDAA). The bill sought to establish two
types of funds to retire vulnerable IT systems and address
evolving cybersecurity threats.\3\ In the Fiscal Year 2019
NDAA, Congress passed requirements for the Department of
Defense to report cybersecurity breaches.\4\
---------------------------------------------------------------------------
\2\Letter from the Hon. Jason Chaffetz, Chairman, H. Comm. on
Oversight & Gov't Reform, Hon. Ron Johnson, Chairman, S. Comm. on
Homeland Security & Gov't Affairs, et al., to federal agencies (Dec.
22, 2015) (letter and agency responses on file with the Committee).
\3\National Defense Authorization Act for Fiscal Year 2018, Pub. L.
No. 115-91, Sec. 1077, 131 Stat. 1283 (2017). (Congress enacted a
section of the Fiscal Year 2018 NDAA titled the Modernizing Government
Technology Act authorizing two types of funds to modernize the federal
government's legacy IT.).
\4\John S. McCain National Defense Authorization Act for Fiscal
Year 2019, Pub. L. No. 115-232, Sec. 1639, 132 Stat. 1636 (2018).
---------------------------------------------------------------------------
For more than twenty years, SBA's Office of Inspector
General (OIG) has listed IT security as one of the most
serious management and performance challenges facing the
SBA.\5\ In the Fiscal Year 2020 management challenges report,
the OIG found that the agency continued to face significant
risks in deploying IT and cybersecurity controls.\6\ These
vulnerabilities were exposed by the rollout of the SBA's
COVID-19 relief programs. The unprecedented demand for the SBA's
relief programs--the Economic Injury Disaster Loan Program
(EIDL program) and the Paycheck Protection Program (PPP)--
inundated SBA's legacy systems, leading to backend system
crashes, portals operating slowly, and a glitch that led to a
data breach of applicants' personal information.
---------------------------------------------------------------------------
\5\For the most recent report, see U.S. Small Bus. Admin., Office
of the Inspector Gen., 21-01, Report on Most Serious Management and
Performance Challenges Facing the Small Business Administration in
Fiscal Year 2021 (Oct. 16, 2020).
\6\Id.
---------------------------------------------------------------------------
On March 25, 2020, SBA detected a vulnerability in its
EIDL application portal: applicants' personally
identifiable information (PII) was inadvertently disclosed to
other applicants. On April 13, 2020, SBA sent a letter to the
potentially affected individuals. According to SBA, almost
8,000 small businesses who applied for loans through the EIDL
program may have had their information exposed during the data
breach.\7\ PII that could have been divulged included email
addresses, citizenship status, insurance information, birth
dates, phone numbers, addresses, and Social Security Numbers.
---------------------------------------------------------------------------
\7\PYMNTS, SBA May Have Exposed Data Of 8,000 SMBs Seeking Relief
Loans, (April 22, 2020) https://www.pymnts.com/news/security-and-risk/
2020/sba-may-have-exposed-data-of-8000-smbs-seeking-relief-loans/.
---------------------------------------------------------------------------
After the data breach, version 2.0 of the EIDL program
portal was created to fix the vulnerability that allowed for
the breach. Businesses were directed to complete the
application and upload scanned documents. Later, new guidance
stated that SBA no longer needed the scanned documents and it
advised businesses who had applied under version 2.0 and were
not assigned a lending officer to reapply under the Rapid
Portal. These applicants lost their place in the queue and were
told to reapply once the EIDL program portal reopened.
Shortly after the launch of the PPP portal, the E-Tran
system, SBA's loan guarantee origination and servicing
solution,\8\ was inundated by applicants, causing it to go
offline for as long as four hours. Applicants and lenders lost
their place in the queue and could not submit applications to
E-Tran. The E-Tran system crashed a second time on April 27,
2020 upon the reopening of the PPP portal. These crashes raised
concern about the backend capacity of the E-Tran system: it not
only crashed, but also processed applications at a very slow
rate.
---------------------------------------------------------------------------
\8\U.S. Small Bus. Admin., E-Tran Electronic Loan Processing,
(2014) https://www.sba.gov/sites/default/files/articles/
ETran_Origination_01_2014.pdf.
---------------------------------------------------------------------------
This legislation would create new layers of Congressional
oversight that will regularly assess SBA's IT and cybersecurity
systems and controls and ensure transparency during future IT
and cybersecurity incidents. H.R. 3462 was introduced by Reps.
Jason Crow (D-CO) and Young Kim (R-CA) on May 21, 2021. The
previous iteration of this bill, H.R. 2331, was introduced in
the 116th Congress by Rep. Crow (D-CO) on March 18, 2019. The
bill was approved by voice vote by the House on July 15, 2019.
III. Hearings
The committee hearing ``Strengthening the Cybersecurity
Posture of America's Small Business Community,'' held on July
20, 2021, evaluated the resources, training, and technical
assistance needed to reduce small business cybersecurity
vulnerabilities. Members and witnesses discussed how SBA could
play a larger role facilitating collaboration and information
sharing between Federal agencies and the private sector, and
the specific importance of strengthening SBA's internal IT and
cybersecurity systems.
In the 116th Congress, the Committee examined SBA's IT
infrastructure and technology systems and performed routine
oversight of its performance during the coronavirus pandemic.
On July 22, 2020, the Subcommittee on Investigations,
Oversight, and Regulations met for a hearing titled ``21st
Century SBA: An Analysis of SBA's Technology Systems.'' The
witness for the hearing was SBA's Chief Information Officer,
Guy Cavallo. On September 24, 2020, the Subcommittee on
Innovation and Workforce Development met for a hearing titled
``Paycheck Protection Program: An Examination of Loan
Forgiveness, SBA Legacy Systems, and Inaccurate Data.'' The
witness for the hearing was William Manger, the Chief of Staff
of SBA, and the Associate Administrator of the SBA Office of
Capital Access.
IV. Committee Consideration
The Committee on Small Business met in open session, with a
quorum being present, on July 29, 2021 and ordered H.R. 3462
favorably reported to the House of Representatives. During the
markup, no amendments were offered.
V. Committee Votes
Clause 3(b) of rule XIII of the Rules of the House of
Representatives requires the Committee to list the recorded
votes on the motion to report legislation and amendments
thereto. The Committee voted by voice vote to favorably report
H.R. 3462 to the House of Representatives at 10:47 a.m.
VI. Section-by-Section Analysis for H.R. 3462
Section 1. Short title
This Act may be cited as the ``SBA Cyber Awareness Act''.
Section 2. Cybersecurity Awareness Reporting
This section amends Section 10 of the Small Business Act
(15 U.S.C. Sec. 639) by inserting subsection (b)
``Cybersecurity Reports.'' SBA is required to submit an annual
report on the cybersecurity of the Administration to the House
Small Business Committee and the Senate Small Business and
Entrepreneurship Committee. If the Administrator determines
that there is a reasonable basis to conclude that a
cybersecurity risk or incident occurred, SBA is required to
notify the Committees no later than seven days after that
determination and, within thirty days, to provide notice to
affected individuals and small business concerns and to submit
to the Committees a report summarizing the risk or incident,
including how it occurred and an estimate of the number of
parties affected. These duties are in addition to, and do not
alter, SBA's existing incident reporting obligations under
chapter 35 of title 44, United States Code.
VII. Congressional Budget Cost Estimate
Pursuant to clause 3(c)(2) of rule XIII of the Rules of the House
of Representatives, the Committee adopts as its own the
cost estimate prepared by the Director of the Congressional
Budget Office pursuant to section 402 of the Congressional
Budget Act of 1974. The Committee has requested but not
received from the Director of the Congressional Budget Office a
cost estimate for the Committee's provisions.
VIII. New Budget Authority, Entitlement Authority, and Tax Expenditures
Pursuant to clause 3(c)(2) of rule XIII of the Rules of the
House of Representatives and section 308(a) of the
Congressional Budget Act of 1974, the Committee provides the
following opinion and estimate with respect to new budget
authority, entitlement authority, and tax expenditures. While
the Committee has not received an estimate of new budget
authority contained in the cost estimate prepared by the
Director of the Congressional Budget Office pursuant to Sec.
402 of the Congressional Budget Act of 1974, the Committee does
not believe that there will be any additional costs
attributable to this legislation. H.R. 3462 does not direct new
spending, but instead reallocates funding independently
authorized and appropriated.
IX. Committee Oversight Findings and Recommendations
In accordance with clause 3(c)(1) of rule XIII and clause
2(b)(1) of rule X of the Rules of the House of Representatives,
the oversight findings and recommendations of the Committee on
Small Business with respect to the subject matter contained in
the H.R. 3462 are incorporated into the descriptive portions of
this report.
X. Statement of General Performance Goals and Objectives
With respect to the requirements of clause 3(c)(4) of rule
XIII of the Rules of the House of Representatives, the
performance goals and objectives of H.R. 3462 are to improve the
SBA's internal cybersecurity infrastructure and protect small
businesses and other individuals impacted in the event that a
cyber incident has occurred.
XI. Duplication of Federal Programs
Pursuant to clause 3(c)(5) of rule XIII of the Rules of the
House of Representatives, no provision of H.R. 3462 is known to
be duplicative of another Federal program, including any
program that was included in a report to Congress pursuant to
section 21 of Public Law 111-139 or the most recent Catalog of
Federal Domestic Assistance.
XII. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff
Benefits
With respect to clause 9 of rule XXI of the Rules of the
House of Representatives, the Committee finds that the bill
does not contain any congressional earmarks, limited tax
benefits, or limited tariff benefits as defined in clause 9(e),
9(f), or 9(g) of rule XXI of the Rules of the House of
Representatives.
XIII. Federal Mandates Statement
The Committee adopts as its own the estimate of Federal
mandates prepared by the Director of the Congressional Budget
Office pursuant to section 423 of the Unfunded Mandates Reform
Act.
XIV. Federal Advisory Committee Statement
No advisory committees within the meaning of section 5(b)
of the Federal Advisory Committee Act were created by this
legislation.
XV. Applicability to Legislative Branch
The Committee finds that the legislation does not relate to
the terms and conditions of employment or access to public
services or accommodations within the meaning of section
102(b)(3) of the Congressional Accountability Act.
XVI. Constitutional Authority Statement
Pursuant to clause 7 of rule XII of the Rules of the House
of Representatives, the Committee finds the authority for this
legislation in Art. I, Sec. 8, cl. 1 of the Constitution of the
United States.
XVII. Changes in Existing Law Made by the Bill, as Reported
In compliance with clause 3(e) of rule XIII of the Rules of
the House of Representatives, changes in existing law made by
the bill, as reported, are shown as follows: existing law
proposed to be omitted is enclosed in black brackets, new
matter is printed in italic, and existing law in which no
change is proposed is shown in roman:
SMALL BUSINESS ACT
* * * * * * *
Sec. 10. (a) The Administration shall, as soon as practicable
each fiscal year make a comprehensive annual report to the
President, the President of the Senate, the Senate Select
Committee on Small Business, and the Speaker of the House of
Representatives. Such report shall include a description of the
state of small business in the Nation and the several States,
and a description of the operations of the Administration under
this chapter, including, but not limited to, the general
lending, disaster relief, Government regulation relief,
procurement and property disposal, research and development,
technical assistance, dissemination of data and information,
and other functions under the jurisdiction of the
Administration during the previous fiscal year. Such report
shall contain recommendations for strengthening or improving
such programs, or, when necessary or desirable to implement
more effectively congressional policies and proposals, for
establishing new or alternative programs. In addition, such
report shall include the names of the business concerns to whom
contracts are let and for whom financing is arranged by the
Administration, together with the amounts involved. With
respect to minority small business concerns, the report shall
include the proportion of loans and other assistance under this
Act provided to such concerns, the goals of the Administration
for the next fiscal year with respect to such concerns, and
recommendations for improving assistance to minority small
business concerns under this Act.
(b) Cybersecurity Reports.--
(1) Annual report.--Not later than 180 days after the
date of enactment of this subsection, and every year
thereafter, the Administrator shall submit a report to
the appropriate congressional committees that
includes--
(A) an assessment of the information
technology (as defined in section 11101 of
title 40, United States Code) and cybersecurity
infrastructure of the Administration;
(B) a strategy to increase the cybersecurity
infrastructure of the Administration;
(C) a detailed account of any information
technology equipment or interconnected system
or subsystem of equipment of the Administration
that was manufactured by an entity that has its
principal place of business located in the
People's Republic of China; and
(D) an account of any cybersecurity risk or
incident that occurred at the Administration
during the 2-year period preceding the date on
which the report is submitted, and any action
taken by the Administrator to respond to or
remediate any such cybersecurity risk or
incident.
(2) Additional reports.--If the Administrator
determines that there is a reasonable basis to conclude
that a cybersecurity risk or incident occurred at the
Administration, the Administrator shall--
(A) not later than 7 days after the date on
which the Administrator makes that
determination, notify the appropriate
congressional committees of the cybersecurity
risk or incident; and
(B) not later than 30 days after the date on
which the Administrator makes a determination
under subparagraph (A)--
(i) provide notice to individuals and
small business concerns affected by the
cybersecurity risk or incident; and
(ii) submit to the appropriate
congressional committees a report,
based on information available to the
Administrator as of the date which the
Administrator submits the report, that
includes--
(I) a summary of information
about the cybersecurity risk or
incident, including how the
cybersecurity risk or incident
occurred; and
(II) an estimate of the
number of individuals and small
business concerns affected by
the cybersecurity risk or
incident, including an
assessment of the risk of harm
to affected individuals and
small business concerns.
(3) Rule of construction.--Nothing in this subsection
shall be construed to affect the reporting requirements
of the Administrator under chapter 35 of title 44,
United States Code, in particular the requirement to
notify the Federal information security incident center
under section 3554(b)(7)(C)(ii) of such title, or any
other provision of law.
(4) Definitions.--In this subsection:
(A) Appropriate congressional committees.--
The term ``appropriate congressional
committees'' means--
(i) the Committee on Small Business
and Entrepreneurship of the Senate; and
(ii) the Committee on Small Business
of the House of Representatives.
(B) Cybersecurity risk; incident.--The terms
``cybersecurity risk'' and ``incident'' have
the meanings given such terms, respectively,
under section 2209(a) of the Homeland Security
Act of 2002.
(d) For the purpose of aiding in carrying out the national
policy to insure that a fair proportion of the total purchases
and contracts for property and services for the Government be
placed with small business enterprises, and to maintain and
strengthen the overall economy of the Nation, the Department of
Defense shall make an annual report to the Committees on Small
Business of the Senate and the House of Representatives,
showing the amount of funds appropriated to the Department of
Defense which have been expended, obligated, or contracted to
be spent with small business concerns and the amount of such
funds expended, obligated, or contracted to be spent with firms
other than small business in the same fields of operation; and
such reports shall show separately the funds expended,
obligated, or contracted to be spent for basic and applied
scientific research and development.
(e) The Administration and the Inspector General of the
Administration shall retain all correspondence, records of
inquiries, memoranda, reports, books, and records, including
memoranda as to all investigations conducted by or for the
Administration, for a period of at least one year from the date
of each thereof, and shall at all times keep the same available
for inspection and examination by the Senate Select Committee
on Small Business and the Committee on Small Business of the
House of Representatives or their duly authorized
representatives.
(2) The Committee on Small Business of either the Senate or
the House of Representatives may request that the Office of the
Inspector General of the Administration conduct an
investigation of any program or activity conducted under the
authority of section 7(j) or 8(a). Not later than thirty days
after the receipt of such a request, the Inspector General
shall inform the committee, in writing, of the disposition of
the request by such office.
(f) To the extent deemed necessary by the Administrator to
protect and preserve small-business interests, the
Administration shall consult and cooperate with other
departments and agencies of the Federal Government in the
formulation by the Administration of policies affecting small-
business concerns. When requested by the Administrator, each
department and agency of the Federal Government shall consult
and cooperate with the Administration in the formulation by
such department or agency of policies affecting small-business
concerns, in order to insure that small-business interests will
be recognized, protected, and preserved. This subsection shall
not require any department or agency to consult or cooperate
with the Administration in any case where the head of such
department or agency determines that such consultation or
cooperation would unduly delay action which must be taken by
such department or agency to protect the national interest in
an emergency.
(g) The Administration shall transmit, not later than
December 31 of each year, to the Senate Select Committee on
Small Business and Committee on Small Business of the House of
Representatives a sealed report with respect to--
(1) complaints alleging illegal conduct by employees
of the Administration which were received or acted upon
by the Administration during the preceding fiscal year;
and
(2) investigations undertaken by the Administration,
including external and internal audits and security and
investigation reports.
(h) The Administration shall transmit, not later than March
31 of each year, to the Committees on Small Business of the
Senate and House of Representatives a report on the secondary
market operations during the preceding calendar year. This
report shall include, but not be limited to, (1) the number and
the total dollar amount of loans sold into the secondary market
and the distribution of such loans by size of loan, size of
lender, geographic location of lender, interest rate, maturity,
lender servicing fees, whether the rate is fixed or variable,
and premium paid; (2) the number and dollar amount of loans
resold in the secondary market with a distribution by size of
loan, interest rate, and premiums; (3) the number and total
dollar amount of pools formed; (4) the number and total dollar
amount of loans in each pool; (5) the dollar amount, interest
rate, and terms on each loan in each pool and whether the rate
is fixed or variable; (6) the number, face value, interest
rate, and terms of the trust certificates issued for each pool;
(7) to the maximum extent possible, the use by the lender of
the proceeds of sales of loans in the secondary market for
additional lending to small business concerns; and (8) an
analysis of the information reported in (1) through (7) to
assess small businesses' access to capital at reasonable rates
and terms as a result of secondary market operations.
* * * * * * *