H.R. 2331 would require the Small Business Administration (SBA) to report annually to the Congress on the state of its information technology (IT) and cybersecurity systems, the methods it could use to improve cybersecurity, any IT equipment or systems it has that were produced by an entity doing business principally in China, and any recent cybersecurity risks or incidents and subsequent responses. H.R. 2331 also would require the SBA to report all cybersecurity risks or incidents to the Congress as they occur and to notify the individuals and small businesses affected.
Under current law, the SBA is required to submit an annual performance report to the Congress that includes information concerning agency cybersecurity efforts. In addition, the Federal Information Security Modernization Act of 2014 requires federal agencies, including the SBA, to report on the effectiveness of their information security policies and practices each year. Although H.R. 2331 would impose new reporting requirements upon the SBA, the work required to fulfill most of those requirements would not be significant because the SBA already collects most of the information needed in those reports.
On April 23, 2019, CBO transmitted a cost estimate for S. 772, the SBA Cyber Awareness Act, as ordered reported by the Senate Committee on Small Business and Entrepreneurship on April 1, 2019. The two bills are similar, and CBO’s estimates of their cost are the same.