BREAK IN TRANSCRIPT
Ms. VELAZQUEZ. Mr. Speaker, I move to suspend the rules and concur in the Senate amendment to the bill (H.R. 3462) to require an annual report on the cybersecurity of the Small Business Administration, and for other purposes.
The Clerk read the title of the bill.
The text of the Senate amendment is as follows:
Strike out all after the enacting clause and insert:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. CYBERSECURITY AWARENESS REPORTING.
(a) In General.--Section 10 of the Small Business Act (15 U.S.C. 639) is amended by inserting after subsection (a) the following:
``(b) Cybersecurity Reports.--
``(1) Annual report.--Not later than 180 days after the date of enactment of this subsection, and every year thereafter, the Administrator shall submit a report to the appropriate congressional committees that includes--
``(A) a strategy to increase the cybersecurity of information technology infrastructure of the Administration;
``(B) a supply chain risk management strategy and an implementation plan to address the risks of foreign manufactured information technology equipment utilized by the Administration, including specific risk mitigation activities for components originating from entities with principal places of business located in the People's Republic of China; and
``(C) an account of--
``(i) any incident that occurred at the Administration during the 2-year period preceding the date on which the first report is submitted, and, for subsequent reports, the 1-year period preceding the date of submission; and
``(ii) any action taken by the Administrator to respond to or remediate any such incident.
``(2) FISMA reports.--Each report required under paragraph (1) may be submitted as part of the report required under section 3554 of title 44, United States Code.
``(3) Rule of construction.--Nothing in this subsection shall be construed to affect the reporting requirements of the Administrator under chapter 35 of title 44, United States Code, in particular the requirement to notify the Federal information security incident center under section 3554(b)(7)(C)(ii) of such title, any guidance issued by the Office of Management and Budget, or any other provision of law or Federal policy.
``(4) Definitions.--In this subsection:
``(A) Appropriate congressional committees.--The term `appropriate congressional committees' means--
``(i) the Committee on Small Business and Entrepreneurship of the Senate;
``(ii) the Committee on Homeland Security and Governmental Affairs of the Senate;
``(iii) the Committee on Small Business of the House of Representatives; and
``(iv) the Committee on Oversight and Reform of the House of Representatives.
``(B) Incident.--The term `incident' has the meaning given the term in section 3552 of title 44, United States Code.
``(C) Information technology.--The term `information technology' has the meaning given the term in section 3502 of title 44, United States Code.''.
(b) Report.--Not later than 1 year after the date of enactment of this Act, the Administrator of the Small Business Administration shall, to the greatest extent practicable, provide to the Committee on Small Business and Entrepreneurship of the Senate, the Committee on Homeland Security and Governmental Affairs of the Senate, the Committee on Small Business of the House of Representatives, and the Committee on Oversight and Reform of the House of Representatives a detailed account of information technology (as defined in section 3502 of title 44, United States Code) of the Small Business Administration that was manufactured by an entity that has its principal place of business located in the People's Republic of China.
Mr. Speaker, I thank all the members of the Small Business Committee for their hard work this Congress on behalf of our Nation's 32 million small business owners.
These bills will help small firms in a number of areas: strengthen cybersecurity and broadband access, improve exporting, and enhance recovery assistance from natural disasters.
They are the product of the bipartisan and bicameral work of the House and Senate Small Business Committees. I hope that we can come together today and approve these bills.
First, we will consider H.R. 3462, the SBA Cyber Awareness Act, as amended and passed by the Senate. For more than 20 years, the SBA's IG has listed IT security as one of the most serious management and performance challenges for SBA. These vulnerabilities were exposed during the rollout of the SBA COVID-19 relief programs.
The unprecedented demand for programs like PPP and the COVID EIDL overwhelmed the SBA's legacy system, leading to back-end crashes, slow portal operations, and a breach that exposed applicants' personal information. SBA failed to make any public announcement about the data breach, and it took weeks for the agency to send paper notifications to affected individuals.
H.R. 3462 would require the SBA to assess its cybersecurity procedures and submit a cybersecurity report to Congress within 180 days of passage and annually thereafter.
SBA possesses sensitive information belonging to countless American small business owners. We must ensure this data is protected from bad actors in cyberspace.
The Senate-passed version we are voting on today reinforces reporting requirements established by the Federal Information Security Management Act of 2002.
I support the changes and thank the Senate for improving this legislation. I thank Mr. Crow of Colorado and Mrs. Kim of California for introducing and championing this bill. Their relentless efforts on this issue are why we are here today.
Mr. Speaker, I urge my colleagues to support H.R.
BREAK IN TRANSCRIPT
Mr. Speaker, the average cost of a data breach in the United States is over $9 million. For small businesses operating on razor-thin margins, an event like this can be catastrophic.
Small businesses must be confident that SBA systems are fully operational and capable of protecting their sensitive data. H.R. 3462 will go a long way toward rebuilding trust in the agency's IT infrastructure.
I thank my colleagues, Mr. Crow of Colorado and Mrs. Kim of California, for their leadership on this issue.
Mr. Speaker, I urge my colleagues to concur with the Senate amendment to the bill, H.R. 3462, and I yield back the balance of my time.
BREAK IN TRANSCRIPT