Description:
H.R. 3462 would require the Small Business Administration (SBA) to report annually to the Congress on the state of its information technology (IT) and cybersecurity systems, the methods it could use to improve cybersecurity, any of its IT equipment or systems that were produced by an entity doing business principally in China, and any recent cybersecurity risks or incidents and subsequent responses. The act also would require the SBA to report all cybersecurity risks or incidents to the Congress as they occur and to notify the affected individuals and small businesses.

Under current law, the SBA is required to submit an annual performance report to the Congress that includes information concerning agency cybersecurity efforts. In addition, the Federal Information Security Modernization Act of 2014 requires federal agencies, including the SBA, to report on the effectiveness of their information security policies and practices each year. Although H.R. 3462 would impose new reporting requirements upon the SBA, the work required to fulfill most of those requirements would not be significant because the SBA already collects most of the information needed in those reports.

On February 15, 2022, CBO transmitted a cost estimate for H.R. 3462, the SBA Cyber Awareness Act, as passed by the House of Representatives on November 2, 2021. The two versions of the legislation are similar and CBO’s estimates of their budgetary effects are the same.