[Senate Report 117-102]
[From the U.S. Government Publishing Office]


                                                     Calendar No. 281
117th Congress       }                            {          Report
                                 SENATE
 2d Session          }                            {          117-102

======================================================================



 
                        SBA CYBER AWARENESS ACT

                                _______
                                

                  May 3, 2022.--Ordered to be printed

                                _______
                                

Mr. Cardin, from the Committee on Small Business and Entrepreneurship, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3462]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Small Business and Entrepreneurship, to 
which was referred the bill (H.R. 3462) to require an annual 
report on the cybersecurity of the Small Business 
Administration, and for other purposes, reports favorably 
thereon, without amendment and recommends that the bill do 
pass.

                            I. INTRODUCTION

    A bill to require an annual report on the cybersecurity of 
the SBA and issue additional reports as necessary was 
introduced by Representatives Jason Crow and Young Lee on May 
21, 2021. A Senate companion, S. 1691, was introduced by 
Senators Marco Rubio, Jim Risch, and Bill Cassidy on May 18, 
2021.
    This bill requires the Administrator to issue a report 
within 180 days of enactment, and annually thereafter, to the 
appropriate Congressional committees (defined in the bill as 
the Committee on Small Business and Entrepreneurship of the 
Senate and the Committee on Small Business of the House of 
Representatives) that includes: (1) an assessment of the 
information technology (as defined in section 11101 of title 
40, United States Code) and cybersecurity infrastructure of the 
Administration; (2) a strategy to increase the cybersecurity 
infrastructure of the Administration; (3) a detailed account of 
any information technology equipment or interconnected system 
or subsystem of equipment of the Administration that was 
manufactured by an entity that has its principal place of 
business located in the People's Republic of China; and (4) an 
account of any cybersecurity risk or incident that occurred at 
the Administration during the 2-year period preceding the date 
on which the report is submitted, and any action taken by the 
Administrator to respond to or remediate any such cybersecurity 
risk or incident.
    The bill also requires the SBA to issue additional reports 
if the Administrator determines that there is a reasonable 
basis to conclude that a cybersecurity risk or incident 
occurred at SBA. Specifically, after a cybersecurity risk or 
incident, the Administrator must notify the appropriate 
Congressional committees within 7 days and, within 30 days, 
issue a report to those committees containing a summary of the 
incident and an estimate of the number of small businesses 
affected. Finally, the bill requires the SBA to notify affected 
small businesses within 30 days of determining that a 
cybersecurity risk or incident occurred at the Administration.
    The bill was approved by a voice vote as part of a 
manager's package.

              II. HISTORY (PURPOSE & NEED FOR LEGISLATION)

    For more than twenty years, SBA's Office of Inspector 
General has listed IT security as one of the most serious 
management and performance challenges facing the SBA. The 
unprecedented demand for COVID-19 relief programs, the Paycheck 
Protection Program (PPP) and the Economic Injury Disaster Loan 
(EIDL) program, inundated the SBA's legacy systems, leading to 
backend system crashes, portals operating slowly, and a flaw 
that led to a data breach of applicants' personal information. 
On March 25, 2020, SBA discovered a flaw in its EIDL 
application system that exposed the personal information of up 
to 8,000 individuals to other applicants. Exposed data included 
email addresses, citizenship status, insurance information, 
birth dates, phone numbers, addresses, and Social Security 
Numbers. SBA failed to make any public announcement about the 
data breach, and it was not until April 13, 2020 that the agency 
sent paper notifications to affected individuals.

                      III. HEARINGS & ROUNDTABLES

    In the 116th Congress the Committee held a hearing entitled 
``Cyber Crime: An Existential Threat to Small Business'' on 
March 16, 2019. At the hearing, Chairman Rubio highlighted the 
need for SBA to update its IT systems to prevent a breach and 
the theft or loss of sensitive small business data, as well as 
the national security risks of inadequate cybersecurity 
protections. Chairman Rubio also spoke about his introduction 
of the ``SBA Cyber Awareness Act''. Ranking Member Ben Cardin 
noted that the Office of Inspector General's annual report on 
major SBA Management and Performance Challenges has identified 
deficiencies in SBA's IT systems on multiple occasions. Maria 
Roat, then-SBA CIO, testified about steps the SBA had taken to 
modernize their IT systems and steps taken to address 
cybersecurity at the Agency, but stated in her written 
testimony that 8 of 50 IT management and performance challenge 
recommendations made by the SBA Office of Inspector General 
(OIG) remained outstanding. Ranking Member Cardin indicated 
that Congress needs to be provided updates by SBA on their 
progress to address IT deficiencies.

                        IV. DESCRIPTION OF BILL

    This bill amends Section 10 of the Small Business Act (15 
U.S.C. Sec. 639) by inserting subsection (b) Cybersecurity 
Reports. The SBA is required to submit an annual report on the 
cybersecurity infrastructure of the agency to the Small 
Business and Entrepreneurship Committee of the Senate and the 
Small Business Committee of the House of Representatives in 
which the Administrator shall, to the maximum extent 
practicable, include a detailed description of the 
Administrator's actions taken to respond to or remediate any 
cybersecurity risk or incident that took place, to include the 
country of origin of the cybersecurity attack. In the event of 
a cybersecurity risk or incident, the SBA is required to alert 
the committees no later than 7 days after the event and submit 
a report within 30 days. The SBA is also required to provide 
notice to affected individuals and small business concerns 
within 30 days.

                           V. COMMITTEE VOTE

    In compliance with rule XXVI (7)(b) of the Standing Rules 
of the Senate, the following vote was recorded on February 15, 
2022.
    A motion to adopt H.R. 3462, a bill to require an annual 
report on the cybersecurity of the Small Business 
Administration (SBA), was agreed to by a majority voice vote of 
a quorum present as part of a manager's package.

                           VI. COST ESTIMATE

    In compliance with rule XXVI (11)(a)(1) of the Standing 
Rules of the Senate, the Committee estimates the cost of the 
legislation will be equal to the amounts discussed in the 
following letter from the Congressional Budget Office and 
available at https://www.cbo.gov/system/files/2022-02/
hr3462.pdf.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    H.R. 3462 would require the Small Business Administration 
(SBA) to report annually to the Congress on the state of its 
information technology (IT) and cybersecurity systems, the 
methods it could use to improve cybersecurity, any of its IT 
equipment or systems that were produced by an entity doing 
business principally in China, and any recent cybersecurity 
risks or incidents and subsequent responses. The act also would 
require the SBA to report all cybersecurity risks or incidents 
to the Congress as they occur and to notify the affected 
individuals and small businesses.
    Under current law, the SBA is required to submit an annual 
performance report to the Congress that includes information 
concerning agency cybersecurity efforts. In addition, the 
Federal Information Security Modernization Act of 2014 requires 
federal agencies, including the SBA, to report on the 
effectiveness of their information security policies and 
practices each year. Although H.R. 3462 would impose new 
reporting requirements upon the SBA, the work required to 
fulfill most of those requirements would not be significant 
because the SBA already collects most of the information needed 
in those reports.
    The CBO staff contact for this estimate is David Hughes. 
The estimate was reviewed by H. Samuel Papenfuss, Deputy 
Director of Budget Analysis.

                  VII. EVALUATION OF REGULATORY IMPACT

    In compliance with rule XXVI (11)(b) of the Standing Rules 
of the Senate, it is the opinion of the Committee that no 
significant additional regulatory impact will be incurred in 
carrying out the provisions of this legislation.

                   VIII. SECTION-BY-SECTION ANALYSIS

Section 1. Short title

    This section designates the act as the ``SBA Cyber 
Awareness Act''.

Sec. 2. Cybersecurity awareness reporting

    This section amends Section 10 of the Small Business Act 
(15 U.S.C. Sec. 639) by inserting subsection (b) Cybersecurity 
Reports. SBA is required to submit an annual report on the 
cybersecurity infrastructure of the agency to the Small 
Business and Entrepreneurship Committee of the Senate and the 
Small Business Committee of the House of Representatives. In 
the event of a cybersecurity risk or incident, SBA is required 
to alert the committees no later than 7 days after the event 
and submit a report within 30 days. SBA is also required to 
provide notice to affected individuals and small business 
concerns within 30 days.
