[Senate Report 117-102]
[From the U.S. Government Publishing Office]
Calendar No. 281
117th Congress } { Report
SENATE
2d Session } { 117-102
======================================================================
SBA CYBER AWARENESS ACT
_______
May 3, 2022.--Ordered to be printed
_______
Mr. Cardin, from the Committee on Small Business and Entrepreneurship,
submitted the following
R E P O R T
[To accompany H.R. 3462]
[Including cost estimate of the Congressional Budget Office]
The Committee on Small Business and Entrepreneurship, to
which was referred the bill (H.R. 3462) to require an annual
report on the cybersecurity of the Small Business
Administration, and for other purposes, reports favorably
thereon, without amendment and recommends that the bill do
pass.
I. INTRODUCTION
A bill to require an annual report on the cybersecurity of
the SBA and issue additional reports as necessary was
introduced by Representatives Jason Crow and Young Lee on May
21, 2021. A Senate companion, S. 1691, was introduced by
Senators Marco Rubio, Jim Risch, and Bill Cassidy on May 18,
2021.
This bill requires the Administrator to issue a report
within 180 days of enactment, and annually thereafter, to the
appropriate Congressional committees (defined in the bill as
the Committee on Small Business and Entrepreneurship of the
Senate and the Committee on Small Business of the House of
Representatives) that includes: (1) an assessment of the
information technology (as defined in section 11101 of title
40, United States Code) and cybersecurity infrastructure of the
Administration; (2) a strategy to increase the cybersecurity
infrastructure of the Administration; (3) a detailed account of
any information technology equipment or interconnected system
or subsystem of equipment of the Administration that was
manufactured by an entity that has its principal place of
business located in the People's Republic of China; and (4) an
account of any cybersecurity risk or incident that occurred at
the Administration during the 2-year period preceding the date
on which the report is submitted, and any action taken by the
Administrator to respond to or remediate any such cybersecurity
risk or incident.
The bill also requires the SBA to issue additional reports
if the Administrator determines that there is a reasonable
basis to conclude that a cybersecurity risk or incident
occurred at SBA. Specifically, after a cybersecurity risk or
incident, the Administrator must notify the appropriate
Congressional committees within 7 days and issue a report to
those committees containing a summary of the incident and an
estimate of the number of small business affected within 30
days. Finally the bill requires the SBA to notify affected
small business within 30 days of determining that a
cybersecurity risk or incident occurred at the Administration.
The bill was approved by a voice vote as part of a
manager's package.
II. HISTORY (PURPOSE & NEED FOR LEGISLATION)
For more than twenty years, SBA's Office of Inspector
General has listed IT security as one of the most serious
management and performance challenges facing the SBA. The
unprecedented demand for COVID 19 relief programs, the Paycheck
Protection Program (PPP) and the Economic Injury Disaster Loan
(EIDL) programs, inundated the SBA's legacy systems, leading to
backend system crashes, portals operating slowly, and a glitch
that led to a data breach of applicants' personal information.
On March 25, 2020, SBA discovered a flaw in its EIDL
application system that exposed the personal information of up
to 8,000 individuals to other applicants. Exposed data included
email addresses, citizenship status, insurance information,
birth dates, phone numbers, addresses, and Social Security
Numbers. SBA failed to make any public announcement about the
data breach, and it wasn't until April 13, 2020 that the agency
sent paper notifications to affected individuals.
III. HEARINGS & ROUNDTABLES
In the 116th Congress the Committee held a hearing entitled
``Cyber Crime: An Existential Threat to Small Business'' on
March 16, 2019. At the hearing, Chairman Rubio highlighted the
need for SBA to update its IT systems to prevent a breach and
the theft or loss of sensitive small business data, as well as
the national security risks of inadequate cybersecurity
protections. Chairman Rubio also spoke about his introduction
of the ``SBA Cyber Awareness Act''. Ranking Member Ben Cardin
cited that the Office of Inspector General's annual report on
major SBA Management and Performance Challenges has identified
deficiencies in SBA's IT systems on multiple occasions. Maria
Roat, then-SBA CIO, testified about steps the SBA had taken to
modernize their IT systems and steps taken to address
cybersecurity at the Agency, but stated in her written
testimony that 8 of 50 IT management and performance challenge
recommendations made by the SBA Office of Inspector General
(OIG) remained outstanding. Ranking Member Cardin indicated
that Congress needs to be provided updates by SBA on their
progress to address IT deficiencies.
IV. DESCRIPTION OF BILL
This bill amends Section 10 of the Small Business Act (15
U.S.C. Sec. 639) by inserting subsection (b) Cybersecurity
Reports. The SBA is required to submit an annual report on the
cybersecurity infrastructure of the agency to the Small
Businesses and Entrepreneurship Committee of the Senate and the
Small Business Committee of the House of Representatives in
which the Administrator shall, to the maximum extent
practicable, include a detailed description of the
Administrator's actions taken to respond to or remediate any
cybersecurity risk or incident that took place, to include the
country of origin of the cybersecurity attack. In the event of
a cybersecurity risk or incident, the SBA is required to alert
the committees no later than 7 days after the event and submit
a report within 30 days. The SBA is also required to provide
notice to affected individuals and small business concerns
within 30 days.
V. COMMITTEE VOTE
In compliance with rule XXVI (7)(b) of the Standing Rules
of the Senate, the following vote was recorded on February 15,
2022.
A motion to adopt H.R. 3462, a bill to require an annual
report on the cybersecurity of the Small Business
Administration (SBA), was agreed to by a majority voice vote of
a quorum present as part of a manager's package.
VI. COST ESTIMATE
In compliance with rule XXVI (11)(a)(1) of the Standing
Rules of the Senate, the Committee estimates the cost of the
legislation will be will be equal to the amounts discussed in
the following letter from the Congressional Budget Office and
available at https://www.cbo.gov/system/files/2022-02/
hr3462.pdf.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
H.R. 3462 would require the Small Business Administration
(SBA) to report annually to the Congress on the state of its
information technology (IT) and cybersecurity systems, the
methods it could use to improve cybersecurity, any of its IT
equipment or systems that were produced by an entity doing
business principally in China, and any recent cybersecurity
risks or incidents and subsequent responses. The act also would
require the SBA to report all cybersecurity risks or incidents
to the Congress as they occur and to notify the affected
individuals and small businesses.
Under current law, the SBA is required to submit an annual
performance report to the Congress that includes information
concerning agency cybersecurity efforts. In addition, the
Federal Information Security Modernization Act of 2014 requires
federal agencies, including the SBA, to report on the
effectiveness of their information security policies and
practices each year. Although H.R. 3462 would impose new
reporting requirements upon the SBA, the work required to
fulfill most of those requirements would not be significant
because the SBA already collects most of the information needed
in those reports.
The CBO staff contact for this estimate is David Hughes.
The estimate was reviewed by H. Samuel Papenfuss, Deputy
Director of Budget Analysis.
VII. EVALUATION OF REGULATORY IMPACT
In compliance with rule XXVI (11)(b) of the Standing Rules
of the Senate, it is the opinion of the Committee that no
significant additional regulatory impact will be incurred in
carrying out the provisions of this legislation.
VIII. SECTION-BY-SECTION ANALYSIS
Section 1. Short title
This section designates the act as the ``SBA Cyber
Awareness Act''.
Sec. 2. Cybersecurity awareness reporting
This section amends Section 10 of the Small Business Act
(15 U.S.C. Sec. 639) by inserting subsection (b) Cybersecurity
Reports. SBA is required to submit an annual report on the
cybersecurity infrastructure of the agency to the Small
Businesses and Entrepreneurship Committee of the Senate and the
Small Business Committee of the House of Representatives. In
the event of a cybersecurity risk or incident, SBA is required
to alert the committees no later than 7 days after the event
and submit a report within 30 days. SBA is also required to
provide notice to affected individuals and small business
concerns within thirty days.
[all]