[House Report 117-138]
[From the U.S. Government Publishing Office]


117th Congress    }                                    {      Report
                        HOUSE OF REPRESENTATIVES
 1st Session      }                                    {      117-138

======================================================================



 
                        SBA CYBER AWARENESS ACT

                                _______
                                

October 12, 2021.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed

                                _______
                                

  Ms. Velazquez, from the Committee on Small Business, submitted the 
                               following

                              R E P O R T

                        [To accompany H.R. 3462]

    The Committee on Small Business, to whom was referred the 
bill (H.R. 3462) to require an annual report on the 
cybersecurity of the Small Business Administration, and for 
other purposes, having considered the same, reports favorably 
thereon without amendment and recommends that the bill do pass.

                                CONTENTS

   I. Purpose and Bill Summary
  II. Background and Need for Legislation
 III. Hearings
  IV. Committee Consideration
   V. Committee Votes
  VI. Section-by-Section Analysis for H.R. 3462
 VII. Congressional Budget Cost Estimate
VIII. New Budget Authority, Entitlement Authority, and Tax Expenditures
  IX. Committee Oversight Findings and Recommendations
   X. Statement of General Performance Goals and Objectives
  XI. Duplication of Federal Programs
 XII. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
XIII. Federal Mandates Statement
 XIV. Federal Advisory Committee Statement
  XV. Applicability to Legislative Branch
 XVI. Constitutional Authority Statement
XVII. Changes in Existing Law Made by the Bill, as Reported

                      I. Purpose and Bill Summary

    The purpose of H.R. 3462, the ``SBA Cyber Awareness Act'', 
is to amend the Small Business Act (the Act)\1\ to require the 
Administrator of the Small Business Administration (SBA) to 
issue annual reports assessing the agency's information 
technology (IT) and cybersecurity infrastructure and to notify 
Congress and affected parties of cyber incidents when they 
occur. Specifically, the bill would require SBA to issue annual 
reports that must include the following information: (1) an 
assessment of SBA's IT and cybersecurity infrastructure; (2) 
its strategy to improve cybersecurity protections; (3) a 
detailed account of any IT equipment of SBA that was 
manufactured by an entity with a principal place of business 
in the People's Republic of China; and (4) an account of any 
cybersecurity risk or incident occurring within the two years 
preceding the date the report is submitted, and SBA's actions 
to remediate the cybersecurity risk or incident.
---------------------------------------------------------------------------
    \1\Originally, title II of the Act of July 30, 1953, 67 Stat. 232, 
was designated as the Small Business Act of 1953. A plethora of 
amendments in subsequent Congresses led to a rewrite in 1958. Pub. L. 
No. 85-536, Sec. 1, 72 Stat. 384 (1958). The Act is codified at 15 
U.S.C. Sec. 631-657s.
---------------------------------------------------------------------------
    In addition, if the Administrator determines that a 
cybersecurity risk or incident occurred, SBA must notify the 
House and Senate small business committees (committees) within 
7 days of that determination. Within 30 days of the 
determination, SBA must also notify the individuals and small 
business concerns affected by the cybersecurity risk or 
incident and submit to the committees a report summarizing how 
the cybersecurity risk or incident occurred and how many 
parties were affected.

                II. Background and Need for Legislation

    In June 2015, the U.S. Office of Personnel Management 
announced that it had been the target of a massive data breach 
affecting over 20 million people. The announcement raised 
awareness of the vulnerability of the federal government's IT 
infrastructure and brought about a bipartisan and bicameral 
letter to agencies requesting information on legacy IT 
systems.\2\ In May 2017, the Modernizing Government Technology 
Act of 2017 passed the House of Representatives and was later 
enacted through the Fiscal Year 2018 National Defense 
Authorization Act (NDAA). The bill sought to establish two 
types of funds to retire vulnerable IT systems and address 
evolving cybersecurity threats.\3\ In the Fiscal Year 2019 
NDAA, Congress passed requirements for the Department of 
Defense to report cybersecurity breaches.\4\
---------------------------------------------------------------------------
    \2\Letter from the Hon. Jason Chaffetz, Chairman, H. Comm. on 
Oversight & Gov't Reform, Hon. Ron Johnson, Chairman, S. Comm. on 
Homeland Security & Gov't Affairs, et al., to federal agencies (Dec. 
22, 2015) (letter and agency responses on file with the Committee).
    \3\National Defense Authorization Act for Fiscal Year 2018, Pub. L. 
No. 115-91, Sec. 1077, 131 Stat. 1283 (2017). (Congress enacted a 
section of the Fiscal Year 2018 NDAA titled the Modernizing Government 
Technology Act authorizing two types of funds to modernize the federal 
government's legacy IT.).
    \4\John S. McCain National Defense Authorization Act for Fiscal 
Year 2019, Pub. L. No. 115-232, Sec. 1639, 132 Stat. 1636 (2018).
---------------------------------------------------------------------------
    For more than twenty years, SBA's Office of Inspector 
General (OIG) has listed IT security as one of the most 
serious management and performance challenges facing the 
SBA.\5\ In the Fiscal Year 2020 management challenges report, 
the OIG found that the agency continued to face significant 
risks in deploying IT and cybersecurity controls.\6\ These 
vulnerabilities were exposed by the rollout of SBA's COVID-19 
relief programs. The unprecedented demand for SBA's relief 
programs--the Economic Injury Disaster Loan Program (EIDL 
program) and the Paycheck Protection Program (PPP)--inundated 
SBA's legacy systems, leading to backend system crashes, slow 
portals, and a glitch that led to a data breach of applicants' 
personal information.
---------------------------------------------------------------------------
    \5\For the most recent report, see U.S. Small Bus. Admin., Office 
of the Inspector Gen., 21-01, Report on Most Serious Management and 
Performance Challenges Facing the Small Business Administration in 
Fiscal Year 2021 (Oct. 16, 2020).
    \6\Id.
---------------------------------------------------------------------------
    On March 25, 2020, SBA detected a vulnerability in its 
EIDL application portal: applicants' personally identifiable 
information (PII) was accidentally disclosed to other 
applicants. On April 13, 2020, SBA sent a letter to the 
potentially affected individuals. According to SBA, almost 
8,000 small businesses that applied for loans through the EIDL 
program may have had their information exposed during the data 
breach.\7\ PII that could have been divulged included email 
addresses, citizenship status, insurance information, birth 
dates, phone numbers, addresses, and Social Security Numbers.
---------------------------------------------------------------------------
    \7\PYMNTS, SBA May Have Exposed Data Of 8,000 SMBs Seeking Relief 
Loans, (April 22, 2020) https://www.pymnts.com/news/security-and-risk/
2020/sba-may-have-exposed-data-of-8000-smbs-seeking-relief-loans/.
---------------------------------------------------------------------------
    After the data breach, version 2.0 of the EIDL program 
portal was created to fix the vulnerability that allowed for 
the breach. Businesses were directed to complete the 
application and upload scanned documents. Later, new guidance 
stated that SBA no longer needed the scanned documents and it 
advised businesses who had applied under version 2.0 and were 
not assigned a lending officer to reapply under the Rapid 
Portal. These applicants lost their place in the queue and were 
told to reapply once the EIDL program portal reopened.
    Shortly after the launch of the PPP portal, the E-Tran 
system, SBA's loan guarantee origination and servicing 
solution,\8\ was inundated by applicants, causing it to go 
offline for as long as four hours. Applicants and lenders lost 
their place in the queue and could not submit applications to 
E-Tran. The E-Tran system crashed a second time on April 27, 
2020, upon the reopening of the PPP portal. These crashes 
raised concern about the backend capacity of the E-Tran 
system: it not only crashed, but also processed applications 
at a very slow rate.
---------------------------------------------------------------------------
    \8\U.S. Small Bus. Admin., E-Tran Electronic Loan Processing, 
(2014) https://www.sba.gov/sites/default/files/articles/
ETran_Origination_01_2014.pdf.
---------------------------------------------------------------------------
    This legislation would create new layers of Congressional 
oversight that will regularly assess SBA's IT and cybersecurity 
systems and controls and ensure transparency during future IT 
and cybersecurity incidents. H.R. 3462 was introduced by Reps. 
Jason Crow (D-CO) and Young Kim (R-CA) on May 21, 2021. The 
previous iteration of this bill, H.R. 2331, was introduced in 
the 116th Congress by Rep. Crow (D-CO) on March 18, 2019. That 
bill was approved by voice vote by the House on July 15, 2019.

                             III. Hearings

    The committee hearing ``Strengthening the Cybersecurity 
Posture of America's Small Business Community,'' held on July 
20, 2021, evaluated the resources, training, and technical 
assistance needed to reduce small business cybersecurity 
vulnerabilities. Members and witnesses discussed how SBA could 
play a larger role facilitating collaboration and information 
sharing between Federal agencies and the private sector, and 
the specific importance of strengthening SBA's internal IT and 
cybersecurity systems.
    In the 116th Congress, the Committee examined SBA's IT 
infrastructure and technology systems and performed routine 
oversight of their performance during the coronavirus pandemic. 
On July 22, 2020, the Subcommittee on Investigations, 
Oversight, and Regulations met for a hearing titled ``21st 
Century SBA: An Analysis of SBA's Technology Systems.'' The 
witness for the hearing was SBA's Chief Information Officer, 
Guy Cavallo. On September 24, 2020, the Subcommittee on 
Innovation and Workforce Development met for a hearing titled 
``Paycheck Protection Program: An Examination of Loan 
Forgiveness, SBA Legacy Systems, and Inaccurate Data.'' The 
witness for the hearing was William Manger, the Chief of Staff 
of SBA and the Associate Administrator of the SBA Office of 
Capital Access.

                      IV. Committee Consideration

    The Committee on Small Business met in open session, with a 
quorum being present, on July 29, 2021 and ordered H.R. 3462 
favorably reported to the House of Representatives. During the 
markup, no amendments were offered.

                           V. Committee Votes

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto. The Committee voted by voice vote to favorably report 
H.R. 3462 to the House of Representatives at 10:47 a.m.

              VI. Section-by-Section Analysis for H.R. 3462


Section 1. Short title

    This Act may be cited as the ``SBA Cyber Awareness Act''.

Section 2. Cybersecurity Awareness Reporting

    This section amends Section 10 of the Small Business Act 
(15 U.S.C. Sec. 639) by inserting subsection (b) 
``Cybersecurity Reports.'' SBA is required to submit an annual 
report on the cybersecurity of the Administration to the House 
Committee on Small Business and the Senate Committee on Small 
Business and Entrepreneurship. If the Administrator determines 
that there is a reasonable basis to conclude that a 
cybersecurity risk or incident occurred, the SBA is required to 
alert the Committees no later than seven days after that 
determination and to submit a report within thirty days. The 
SBA is also required to provide notice to affected individuals 
and small business concerns within thirty days.

                VII. Congressional Budget Cost Estimate

    Pursuant to clause 3(c)(2) of rule XIII of the Rules of the 
House of Representatives, the Committee adopts as its own the 
cost estimate prepared by the Director of the Congressional 
Budget Office pursuant to section 402 of the Congressional 
Budget Act of 1974. The Committee has requested but not 
received from the Director of the Congressional Budget Office a 
cost estimate for the Committee's provisions.

VIII. New Budget Authority, Entitlement Authority, and Tax Expenditures

    Pursuant to clause 3(c)(2) of rule XIII of the Rules of the 
House of Representatives and section 308(a) of the 
Congressional Budget Act of 1974, the Committee provides the 
following opinion and estimate with respect to new budget 
authority, entitlement authority, and tax expenditures. While 
the Committee has not received an estimate of new budget 
authority contained in the cost estimate prepared by the 
Director of the Congressional Budget Office pursuant to Sec. 
402 of the Congressional Budget Act of 1974, the Committee does 
not believe that there will be any additional costs 
attributable to this legislation. H.R. 3462 does not direct new 
spending, but instead reallocates funding independently 
authorized and appropriated.

          IX. Committee Oversight Findings and Recommendations

    In accordance with clause 3(c)(1) of rule XIII and clause 
2(b)(1) of rule X of the Rules of the House of Representatives, 
the oversight findings and recommendations of the Committee on 
Small Business with respect to the subject matter contained in 
the H.R. 3462 are incorporated into the descriptive portions of 
this report.

        X. Statement of General Performance Goals and Objectives

    With respect to the requirements of clause 3(c)(4) of rule 
XIII of the Rules of the House of Representatives, the 
performance goals and objectives of H.R. 3462 are to improve 
SBA's internal cybersecurity infrastructure and to protect 
small businesses and other individuals impacted in the event 
that a cyber incident has occurred.

                  XI. Duplication of Federal Programs

    Pursuant to clause 3(c)(5) of rule XIII of the Rules of the 
House of Representatives, no provision of H.R. 3462 is known to 
be duplicative of another Federal program, including any 
program that was included in a report to Congress pursuant to 
section 21 of Public Law 111-139 or the most recent Catalog of 
Federal Domestic Assistance.

 XII. Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
                                Benefits

    With respect to clause 9 of rule XXI of the Rules of the 
House of Representatives, the Committee finds that the bill 
does not contain any congressional earmarks, limited tax 
benefits, or limited tariff benefits as defined in clause 9(e), 
9(f), or 9(g) of rule XXI of the Rules of the House of 
Representatives.

                    XIII. Federal Mandates Statement

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

               XIV. Federal Advisory Committee Statement

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                XV. Applicability to Legislative Branch

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

                XVI. Constitutional Authority Statement

    Pursuant to clause 7 of rule XII of the Rules of the House 
of Representatives, the Committee finds the authority for this 
legislation in Art. I, Sec. 8, cl. 1 of the Constitution of the 
United States.

      XVII. Changes in Existing Law Made by the Bill, as Reported

    In compliance with clause 3(e) of rule XIII of the Rules of 
the House of Representatives, changes in existing law made by 
the bill, as reported, are shown as follows: existing law 
proposed to be omitted is enclosed in black brackets, new 
matter is printed in italic, and existing law in which no 
change is proposed is shown in roman:

                           SMALL BUSINESS ACT




           *       *       *       *       *       *       *
  Sec. 10. (a) The Administration shall, as soon as practicable 
each fiscal year make a comprehensive annual report to the 
President, the President of the Senate, the Senate Select 
Committee on Small Business, and the Speaker of the House of 
Representatives. Such report shall include a description of the 
state of small business in the Nation and the several States, 
and a description of the operations of the Administration under 
this chapter, including, but not limited to, the general 
lending, disaster relief, Government regulation relief, 
procurement and property disposal, research and development, 
technical assistance, dissemination of data and information, 
and other functions under the jurisdiction of the 
Administration during the previous fiscal year. Such report 
shall contain recommendations for strengthening or improving 
such programs, or, when necessary or desirable to implement 
more effectively congressional policies and proposals, for 
establishing new or alternative programs. In addition, such 
report shall include the names of the business concerns to whom 
contracts are let and for whom financing is arranged by the 
Administration, together with the amounts involved. With 
respect to minority small business concerns, the report shall 
include the proportion of loans and other assistance under this 
Act provided to such concerns, the goals of the Administration 
for the next fiscal year with respect to such concerns, and 
recommendations for improving assistance to minority small 
business concerns under this Act.
  (b) Cybersecurity Reports.--
          (1) Annual report.--Not later than 180 days after the 
        date of enactment of this subsection, and every year 
        thereafter, the Administrator shall submit a report to 
        the appropriate congressional committees that 
        includes--
                  (A) an assessment of the information 
                technology (as defined in section 11101 of 
                title 40, United States Code) and cybersecurity 
                infrastructure of the Administration;
                  (B) a strategy to increase the cybersecurity 
                infrastructure of the Administration;
                  (C) a detailed account of any information 
                technology equipment or interconnected system 
                or subsystem of equipment of the Administration 
                that was manufactured by an entity that has its 
                principal place of business located in the 
                People's Republic of China; and
                  (D) an account of any cybersecurity risk or 
                incident that occurred at the Administration 
                during the 2-year period preceding the date on 
                which the report is submitted, and any action 
                taken by the Administrator to respond to or 
                remediate any such cybersecurity risk or 
                incident.
          (2) Additional reports.--If the Administrator 
        determines that there is a reasonable basis to conclude 
        that a cybersecurity risk or incident occurred at the 
        Administration, the Administrator shall--
                  (A) not later than 7 days after the date on 
                which the Administrator makes that 
                determination, notify the appropriate 
                congressional committees of the cybersecurity 
                risk or incident; and
                  (B) not later than 30 days after the date on 
                which the Administrator makes a determination 
                under subparagraph (A)--
                          (i) provide notice to individuals and 
                        small business concerns affected by the 
                        cybersecurity risk or incident; and
                          (ii) submit to the appropriate 
                        congressional committees a report, 
                        based on information available to the 
                        Administrator as of the date which the 
                        Administrator submits the report, that 
                        includes--
                                  (I) a summary of information 
                                about the cybersecurity risk or 
                                incident, including how the 
                                cybersecurity risk or incident 
                                occurred; and
                                  (II) an estimate of the 
                                number of individuals and small 
                                business concerns affected by 
                                the cybersecurity risk or 
                                incident, including an 
                                assessment of the risk of harm 
                                to affected individuals and 
                                small business concerns.
          (3) Rule of construction.--Nothing in this subsection 
        shall be construed to affect the reporting requirements 
        of the Administrator under chapter 35 of title 44, 
        United States Code, in particular the requirement to 
        notify the Federal information security incident center 
        under section 3554(b)(7)(C)(ii) of such title, or any 
        other provision of law.
          (4) Definitions.--In this subsection:
                  (A) Appropriate congressional committees.--
                The term ``appropriate congressional 
                committees'' means--
                          (i) the Committee on Small Business 
                        and Entrepreneurship of the Senate; and
                          (ii) the Committee on Small Business 
                        of the House of Representatives.
                  (B) Cybersecurity risk; incident.--The terms 
                ``cybersecurity risk'' and ``incident'' have 
                the meanings given such terms, respectively, 
                under section 2209(a) of the Homeland Security 
                Act of 2002.
  (d) For the purpose of aiding in carrying out the national 
policy to insure that a fair proportion of the total purchases 
and contracts for property and services for the Government be 
placed with small business enterprises, and to maintain and 
strengthen the overall economy of the Nation, the Department of 
Defense shall make an annual report to the Committees on Small 
Business of the Senate and the House of Representatives, 
showing the amount of funds appropriated to the Department of 
Defense which have been expended, obligated, or contracted to 
be spent with small business concerns and the amount of such 
funds expended, obligated, or contracted to be spent with firms 
other than small business in the same fields of operation; and 
such reports shall show separately the funds expended, 
obligated, or contracted to be spent for basic and applied 
scientific research and development.
  (e) The Administration and the Inspector General of the 
Administration shall retain all correspondence, records of 
inquiries, memoranda, reports, books, and records, including 
memoranda as to all investigations conducted by or for the 
Administration, for a period of at least one year from the date 
of each thereof, and shall at all times keep the same available 
for inspection and examination by the Senate Select Committee 
on Small Business and the Committee on Small Business of the 
House of Representatives or their duly authorized 
representatives.
  (2) The Committee on Small Business of either the Senate or 
the House of Representatives may request that the Office of the 
Inspector General of the Administration conduct an 
investigation of any program or activity conducted under the 
authority of section 7(j) or 8(a). Not later than thirty days 
after the receipt of such a request, the Inspector General 
shall inform the committee, in writing, of the disposition of 
the request by such office.
  (f) To the extent deemed necessary by the Administrator to 
protect and preserve small-business interests, the 
Administration shall consult and cooperate with other 
departments and agencies of the Federal Government in the 
formulation by the Administration of policies affecting small-
business concerns. When requested by the Administrator, each 
department and agency of the Federal Government shall consult 
and cooperate with the Administration in the formulation by 
such department or agency of policies affecting small-business 
concerns, in order to insure that small-business interests will 
be recognized, protected, and preserved. This subsection shall 
not require any department or agency to consult or cooperate 
with the Administration in any case where the head of such 
department or agency determines that such consultation or 
cooperation would unduly delay action which must be taken by 
such department or agency to protect the national interest in 
an emergency.
  (g) The Administration shall transmit, not later than 
December 31 of each year, to the Senate Select Committee on 
Small Business and Committee on Small Business of the House of 
Representatives a sealed report with respect to--
          (1) complaints alleging illegal conduct by employees 
        of the Administration which were received or acted upon 
        by the Administration during the preceding fiscal year; 
        and
          (2) investigations undertaken by the Administration, 
        including external and internal audits and security and 
        investigation reports.
  (h) The Administration shall transmit, not later than March 
31 of each year, to the Committees on Small Business of the 
Senate and House of Representatives a report on the secondary 
market operations during the preceding calendar year. This 
report shall include, but not be limited to, (1) the number and 
the total dollar amount of loans sold into the secondary market 
and the distribution of such loans by size of loan, size of 
lender, geographic location of lender, interest rate, maturity, 
lender servicing fees, whether the rate is fixed or variable, 
and premium paid; (2) the number and dollar amount of loans 
resold in the secondary market with a distribution by size of 
loan, interest rate, and premiums; (3) the number and total 
dollar amount of pools formed; (4) the number and total dollar 
amount of loans in each pool; (5) the dollar amount, interest 
rate, and terms on each loan in each pool and whether the rate 
is fixed or variable; (6) the number, face value, interest 
rate, and terms of the trust certificates issued for each pool; 
(7) to the maximum extent possible, the use by the lender of 
the proceeds of sales of loans in the secondary market for 
additional lending to small business concerns; and (8) an 
analysis of the information reported in (1) through (7) to 
assess small businesses' access to capital at reasonable rates 
and terms as a result of secondary market operations.

           *       *       *       *       *       *       *


                                  [all]