
H.R. 3462 (117th): SBA Cyber Awareness Act


The text of the bill below is as of Oct 29, 2021 (Preprint (Suspension)).


Union Calendar No. 98
117TH CONGRESS
1ST SESSION
H. R. 3462
[Report No. 117–138]

To require an annual report on the cybersecurity of the Small Business Administration, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES
MAY 21, 2021
Mr. CROW (for himself and Mrs. KIM of California) introduced the following bill; which was referred to the Committee on Small Business

OCTOBER 12, 2021
Reported from the Committee on Small Business; committed to the Committee of the Whole House on the State of the Union and ordered to be printed

A BILL

To require an annual report on the cybersecurity of the Small Business Administration, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “SBA Cyber Awareness Act”.

SEC. 2. CYBERSECURITY AWARENESS REPORTING.

Section 10 of the Small Business Act (15 U.S.C. 639) is amended by inserting after subsection (a) the following:

“(b) CYBERSECURITY REPORTS.—

“(1) ANNUAL REPORT.—Not later than 180 days after the date of enactment of this subsection, and every year thereafter, the Administrator shall submit a report to the appropriate congressional committees that includes—

“(A) an assessment of the information technology (as defined in section 11101 of title 40, United States Code) and cybersecurity infrastructure of the Administration;

“(B) a strategy to increase the cybersecurity infrastructure of the Administration;

“(C) a detailed account of any information technology equipment or interconnected system or subsystem of equipment of the Administration that was manufactured by an entity that has its principal place of business located in the People’s Republic of China; and

“(D) an account of any cybersecurity risk or incident that occurred at the Administration during the 2-year period preceding the date on which the report is submitted, and any action taken by the Administrator to respond to or remediate any such cybersecurity risk or incident.

“(2) ADDITIONAL REPORTS.—If the Administrator determines that there is a reasonable basis to conclude that a cybersecurity risk or incident occurred at the Administration, the Administrator shall—

“(A) not later than 7 days after the date on which the Administrator makes that determination, notify the appropriate congressional committees of the cybersecurity risk or incident; and

“(B) not later than 30 days after the date on which the Administrator makes a determination under subparagraph (A)—

“(i) provide notice to individuals and small business concerns affected by the cybersecurity risk or incident; and

“(ii) submit to the appropriate congressional committees a report, based on information available to the Administrator as of the date which the Administrator submits the report, that includes—

“(I) a summary of information about the cybersecurity risk or incident, including how the cybersecurity risk or incident occurred; and

“(II) an estimate of the number of individuals and small business concerns affected by the cybersecurity risk or incident, including an assessment of the risk of harm to affected individuals and small business concerns.

“(3) RULE OF CONSTRUCTION.—Nothing in this subsection shall be construed to affect the reporting requirements of the Administrator under chapter 35 of title 44, United States Code, in particular the requirement to notify the Federal information security incident center under section 3554(b)(7)(C)(ii) of such title, or any other provision of law.

“(4) DEFINITIONS.—In this subsection:

“(A) APPROPRIATE CONGRESSIONAL COMMITTEES.—The term ‘appropriate congressional committees’ means—

“(i) the Committee on Small Business and Entrepreneurship of the Senate; and

“(ii) the Committee on Small Business of the House of Representatives.

“(B) CYBERSECURITY RISK; INCIDENT.—The terms ‘cybersecurity risk’ and ‘incident’ have the meanings given such terms, respectively, under section 2209(a) of the Homeland Security Act of 2002.”.