S. 772 would require the Small Business Administration (SBA) to report annually to the Congress on the state of its information technology (IT) systems and cybersecurity, the methods it could use to improve cybersecurity, any IT components or systems it has that were produced in China, and any recent major cybersecurity incidents and subsequent responses. Some additional reports and requirements would be imposed on the SBA if a major cybersecurity incident occurred.
Under current law, the SBA is required to submit an annual performance report to the Congress that includes substantive information concerning agency cybersecurity efforts. In addition, the Federal Information Security Modernization Act of 2014 requires federal agencies, including the SBA, to report on the effectiveness of their information security policies and practices each year. Although S. 772 would impose new reporting requirements upon the SBA, the work required to fulfill most of those requirements would not be significant because the SBA already collects most of the information needed in those reports.