SBA CYBER AWARENESS ACT
Ms. VELAZQUEZ. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 3462) to require an annual report on the cybersecurity of the Small Business Administration, and for other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 3462
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``SBA Cyber Awareness Act''.
SEC. 2. CYBERSECURITY AWARENESS REPORTING.
Section 10 of the Small Business Act (15 U.S.C. 639) is amended by inserting after subsection (a) the following:
``(b) Cybersecurity Reports.--
``(1) Annual report.--Not later than 180 days after the date of enactment of this subsection, and every year thereafter, the Administrator shall submit a report to the appropriate congressional committees that includes--
``(A) an assessment of the information technology (as defined in section 11101 of title 40, United States Code) and cybersecurity infrastructure of the Administration;
``(B) a strategy to increase the cybersecurity infrastructure of the Administration;
``(C) a detailed account of any information technology equipment or interconnected system or subsystem of equipment of the Administration that was manufactured by an entity that has its principal place of business located in the People's Republic of China; and
``(D) an account of any cybersecurity risk or incident that occurred at the Administration during the 2-year period preceding the date on which the report is submitted, and any action taken by the Administrator to respond to or remediate any such cybersecurity risk or incident.
``(2) Additional reports.--If the Administrator determines that there is a reasonable basis to conclude that a cybersecurity risk or incident occurred at the Administration, the Administrator shall--
``(A) not later than 7 days after the date on which the Administrator makes that determination, notify the appropriate congressional committees of the cybersecurity risk or incident; and
``(B) not later than 30 days after the date on which the Administrator makes a determination under subparagraph (A)--
``(i) provide notice to individuals and small business concerns affected by the cybersecurity risk or incident; and
``(ii) submit to the appropriate congressional committees a report, based on information available to the Administrator as of the date which the Administrator submits the report, that includes--
``(I) a summary of information about the cybersecurity risk or incident, including how the cybersecurity risk or incident occurred; and
``(II) an estimate of the number of individuals and small business concerns affected by the cybersecurity risk or incident, including an assessment of the risk of harm to affected individuals and small business concerns.
``(3) Rule of construction.--Nothing in this subsection shall be construed to affect the reporting requirements of the Administrator under chapter 35 of title 44, United States Code, in particular the requirement to notify the Federal information security incident center under section 3554(b)(7)(C)(ii) of such title, or any other provision of law.
``(4) Definitions.--In this subsection:
``(A) Appropriate congressional committees.--The term `appropriate congressional committees' means--
``(i) the Committee on Small Business and Entrepreneurship of the Senate; and
``(ii) the Committee on Small Business of the House of Representatives.
``(B) Cybersecurity risk; incident.--The terms `cybersecurity risk' and `incident' have the meanings given such terms, respectively, under section 2209(a) of the Homeland Security Act of 2002.''.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from New York (Ms. Velazquez) and the gentleman from Missouri (Mr. Luetkemeyer) each will control 20 minutes.
The Chair recognizes the gentlewoman from New York.
General Leave
Ms. VELAZQUEZ. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days in which to revise and extend their remarks and to include any extraneous material on the measure under consideration.
The SPEAKER pro tempore. Is there objection to the request of the gentlewoman from New York?
There was no objection.
Ms. VELAZQUEZ. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in support of H.R. 3462, the SBA Cyber Awareness Act. This bill directs the SBA to issue reports that assess its cybersecurity infrastructure and report cyber threats, breaches, and attacks.
For more than 25 years, the SBA's Office of Inspector General has listed IT security as one of the most serious management and performance challenges facing the agency. These vulnerabilities were further exposed during the rollout of the SBA's COVID-19 relief programs. The unprecedented demand for the SBA's relief programs inundated SBA's legacy systems leading to back-end system crashes, portals operating slowly, and a glitch that led to a data breach of applicants' personal information.
SBA failed to make any public announcement about the data breach, and it took weeks for the agency to send paper notifications to affected individuals.
The SBA has taken the necessary steps to recover from these incidents, but we want a notification system in place before the next cybersecurity breach.
This bill sets new reporting requirements to ensure congressional and public awareness of cyber incidents at the SBA. I would like to thank my colleagues, Mr. Jason Crow from Colorado and Mrs. Young Kim from California, for introducing this bill.
Mr. Speaker, I urge my colleagues to support this bill, and I reserve the balance of my time.
[Time: 1300]
Mr. LUETKEMEYER. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in support of H.R. 3462, the SBA Cyber Awareness Act.
Mr. Speaker, the importance of being cyber ready cannot be overstated. This goes for individuals, businesses, and even our Federal Government.
H.R. 3462 takes important strides to ensure the agency that was created to assist and aid the Nation's smallest firms, the Small Business Administration, has the ability to access its own cybersecurity framework.
Additionally, H.R. 3462 requires the SBA to report to Congress on its cyber infrastructure.
Unfortunately, cyberattacks are too common in today's world. Vulnerabilities will be used and taken advantage of by criminals.
We must take steps now to enhance and protect our Federal Government. H.R. 3462 does just that.
I want to thank the gentleman from Colorado (Mr. Crow) and the gentlewoman from California (Mrs. Kim) for having the foresight to work on such an important measure. I also thank the chair for pushing forward this legislation. H.R. 3462 was favorably reported out of the Committee on Small Business in July.
Mr. Speaker, I urge my colleagues to pass the bill today on the House floor, and I reserve the balance of my time.
Ms. VELAZQUEZ. Mr. Speaker, I yield such time as he may consume to the gentleman from Colorado (Mr. Crow).
Mr. CROW. Mr. Speaker, I rise today in support of H.R. 3462, the bipartisan SBA Cyber Awareness Act.
As we all know, small businesses are the backbone of our economy, and they are certainly the backbone of my community. However, these small businesses are also increasingly the target of cyberattacks and theft of data and intellectual property.
Unfortunately, Federal agencies are not immune to such attacks either. For more than 20 years, SBA's Office of Inspector General has listed IT security as one of the most serious management and performance challenges facing the agency.
During the pandemic, demand for relief programs like PPP and EIDL have overwhelmed SBA's IT systems. As a result, a glitch in the EIDL application system led to an exposure of personal information of over 8,000 applicants with no public announcement of the data breach until weeks later.
The SBA Cyber Awareness Act would direct SBA to issue an annual report assessing its cybersecurity infrastructure. The bill would also require the SBA to report cyber-threats, breaches, and cyberattacks to the House Small Business Committee and the Senate Small Business and Entrepreneurship Committee and notify affected individuals and small businesses within 30 days of an incident.
Cyberattacks are one of the biggest threats to our economy, small businesses, and way of life. This bill would ensure that we are doing everything we can to protect the millions of small businesses that the SBA serves and prepare them for 21st century threats.
I would like to thank Chairwoman Velazquez and Ranking Member Luetkemeyer for the bipartisan support and my friend, Young Kim from California, for joining with me on this very important effort.
Mr. Speaker, I encourage all of my colleagues to join with us and support this bill.
Mr. LUETKEMEYER. Mr. Speaker, I yield such time as she may consume to the gentlewoman from California (Mrs. Kim).
Mrs. KIM of California. Mr. Speaker, I would like to thank Ranking Member Luetkemeyer and Chairwoman Velazquez for their leadership in bringing these bipartisan pieces of legislation to the House floor for votes today.
I rise in strong support of H.R. 3462, the SBA Cyber Awareness Act. This is a bill I have had the pleasure to co-lead with my colleague, Representative Jason Crow of Colorado, to improve the Small Business Administration's transparency and alert mechanisms when a cyberattack or intrusion takes place.
Under the legislation, the SBA will be required to conduct an annual assessment of IT equipment and cybersecurity capabilities and provide Congress with a detailed account of any cybersecurity risk of SBA equipment that was primarily manufactured in the People's Republic of China. Additionally, under this bill, the legislation directs the SBA Administrator to notify Congress and small businesses of a cyberattack within 30 days after the SBA decides that it was subject to a cyber hack.
Fifty percent of small businesses with 500 or less employees say it is very likely that they will experience a cyberattack in the next 12 months, and 1 in 4 are experiencing more cyberattacks compared to a year ago. During the COVID-19 pandemic, the SBA handled a record number of loans and services to help small businesses in need. With that came a higher number of sensitive personal and business information that was handled by the Federal Government.
We must ensure entrepreneurs and small business owners have the confidence that the SBA has the IT capabilities and tools to keep their information safe from cyberattacks. This bill, H.R. 3462, is an important step in doing just that.
Mr. Speaker, I urge my colleagues from both sides of the aisle to support H.R. 3462.
Ms. VELAZQUEZ. Mr. Speaker, I am prepared to close, and I reserve the balance of my time.
Mr. LUETKEMEYER. Mr. Speaker, I yield myself such time as I may consume for the purpose of closing.
Mr. Speaker, I believe now is the time to act to prepare our financial institutions for cyber intrusions. Requiring the SBA to assess its own cyber infrastructure is an important step to ensure the agency can continue to serve as a leader for our Nation's 31 million small businesses.
Congress should make certain that the Federal Government is cyber prepared on behalf of the Nation's small businesses, entrepreneurs, and start-ups.
Mr. Speaker, I encourage my colleagues to support H.R. 3462, and I yield back the balance of my time.
Ms. VELAZQUEZ. Mr. Speaker, H.R. 3462 adds new layers of Congressional oversight to regularly assess SBA's IT and cybersecurity systems and controls, and it will go a long way to increase transparency in the event of another IT or cyber incident.
Congress and the American people need to know that the SBA's systems are fully operational and capable of handling the next surge. This bill takes a step towards rebuilding the trust and confidence in the SBA's IT infrastructure.
Mr. Speaker, I thank my colleagues for their work, I urge Members to vote ``yes'' on this bill, and I yield back the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I rise in support of H.R. 3462, the ``SBA Cyber Awareness Act,'' which will strengthen our knowledge of cybersecurity threats to the small businesses of America.
In short, this bill mainly requires that the Small Business Administration (SBA) conduct an annual report that assesses the cybersecurity infrastructure of the SBA.
Mr. Speaker, the unfortunate reality is that our Nation's small businesses are under attack--they are increasingly the target of cybersecurity breaches.
In fact, the SBA has listed IT security as one of the most serious management challenges facing the administration for more than twenty years.
Fifty percent of small businesses say that it is likely they will experience a cyberattack in the next twelve months.
One in four small businesses indicate that they are facing more cyberattacks compared to a year ago.
Small businesses are the backbone of this country, and we owe it to them to be diligently aware of threats to their private information and their livelihoods.
That is why I rise in ardent support of the SBA Cyber Awareness Act, and that is why the bill has bipartisan backing.
Lastly, I want to thank Congressman Crow and Congresswoman Kim for introducing and shepherding this bill.
The SPEAKER pro tempore. The question is on the motion offered by the gentlewoman from New York (Ms. Velazquez) that the House suspend the rules and pass the bill, H.R. 3462.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds being in the affirmative, the ayes have it.
Mrs. BOEBERT. Mr. Speaker, on that I demand the yeas and nays.
The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 8, the yeas and nays are ordered.
Pursuant to clause 8 of rule XX, further proceedings on this motion are postponed.
____________________
SOURCE: Congressional Record Vol. 167, No. 192