[117th Congress Public Law 259]
[From the U.S. Government Publishing Office]



[[Page 136 STAT. 2387]]

Public Law 117-259
117th Congress

                                 An Act


 
 To require an annual report on the cybersecurity of the Small Business 
 Administration, and for other purposes. <<NOTE: Dec. 21, 2022 -  [H.R. 
                                3462]>> 

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled, <<NOTE: SBA Cyber 
Awareness Act. 15 USC 631 note.>> 
SECTION 1. SHORT TITLE.

    This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. <<NOTE: China.>>  CYBERSECURITY AWARENESS REPORTING.

    (a) In General.--Section 10 of the Small Business Act (15 U.S.C. 
639) is amended by inserting after subsection (a) the following:
    ``(b) Cybersecurity Reports.--
            ``(1) <<NOTE: Strategies.>>  Annual report.--Not later than 
        180 days after the date of enactment of this subsection, and 
        every year thereafter, the Administrator shall submit a report 
        to the appropriate congressional committees that includes--
                    ``(A) a strategy to increase the cybersecurity of 
                information technology infrastructure of the 
                Administration;
                    ``(B) <<NOTE: Plan.>>  a supply chain risk 
                management strategy and an implementation plan to 
                address the risks of foreign manufactured information 
                technology equipment utilized by the Administration, 
                including specific risk mitigation activities for 
                components originating from entities with principal 
                places of business located in the People's Republic of 
                China; and
                    ``(C) an account of--
                          ``(i) <<NOTE: Time periods.>>  any incident 
                      that occurred at the Administration during the 2-
                      year period preceding the date on which the first 
                      report is submitted, and, for subsequent reports, 
                      the 1-year period preceding the date of 
                      submission; and
                          ``(ii) any action taken by the Administrator 
                      to respond to or remediate any such incident.
            ``(2) FISMA reports.--Each report required under paragraph 
        (1) may be submitted as part of the report required under 
        section 3554 of title 44, United States Code.
            ``(3) Rule of construction.--Nothing in this subsection 
        shall be construed to affect the reporting requirements of the 
        Administrator under chapter 35 of title 44, United States Code, 
        in particular the requirement to notify the Federal information 
        security incident center under section 3554(b)(7)(C)(ii) of such 
        title, any guidance issued by the Office of Management and 
        Budget, or any other provision of law or Federal policy.

[[Page 136 STAT. 2388]]

            ``(4) Definitions.--In this subsection:
                    ``(A) Appropriate congressional committees.--The 
                term `appropriate congressional committees' means--
                          ``(i) the Committee on Small Business and 
                      Entrepreneurship of the Senate;
                          ``(ii) the Committee on Homeland Security and 
                      Governmental Affairs of the Senate;
                          ``(iii) the Committee on Small Business of the 
                      House of Representatives; and
                          ``(iv) the Committee on Oversight and Reform 
                      of the House of Representatives.
                    ``(B) Incident.--The term `incident' has the meaning 
                given the term in section 3552 of title 44, United 
                States Code.
                    ``(C) Information technology.--The term `information 
                technology' has the meaning given the term in section 
                3502 of title 44, United States Code.''.

    (b) Report.--Not later than 1 year after the date of enactment of 
this Act, the Administrator of the Small Business Administration shall, 
to the greatest extent practicable, provide to the Committee on Small 
Business and Entrepreneurship of the Senate, the Committee on Homeland 
Security and Governmental Affairs of the Senate, the Committee on Small 
Business of the House of Representatives, and the Committee on Oversight 
and Reform of the House of Representatives a detailed account of 
information technology (as defined in section 3502 of title 44, United 
States Code) of the Small Business Administration that was manufactured 
by an entity that has its principal place of business located in the 
People's Republic of China.

    Approved December 21, 2022.

LEGISLATIVE HISTORY--H.R. 3462:
---------------------------------------------------------------------------

HOUSE REPORTS: No. 117-138 (Comm. on Small Business).
SENATE REPORTS: No. 117-102 (Comm. on Small Business and Entrepreneurship).
CONGRESSIONAL RECORD:
    Vol. 167 (2021):
        Nov. 2, considered and passed House.
    Vol. 168 (2022):
        Sept. 28, considered and passed Senate, amended.
        Dec. 5, 6, House considered and concurred in Senate amendment.
