The Congressional Budget Office (CBO) released its cost estimate for the Small Business Administration (SBA) Cyber Awareness Act, H.R. 2331 and S. 772, on May 20, and said the bill would cost nothing to implement.
The legislation would require SBA to submit an annual report to Congress about the state of its IT and cybersecurity systems, how it could improve its cybersecurity posture, any IT equipment or systems SBA has that were produced by a company doing business primarily in China, and any recent cybersecurity incidents and subsequent responses. Additionally, the act would require SBA to report all cybersecurity risks and incidents to Congress as they occur, as well as notify impacted individuals and small businesses.
CBO noted that SBA is currently required to submit an annual performance report to Congress, which must include details regarding the agency’s cybersecurity efforts. Additionally, under the Federal Information Security Modernization Act of 2014, SBA is required to report annually on the effectiveness of its IT systems and policies.
“Although H.R. 2331 would impose new reporting requirements upon the SBA, the work required to fulfill most of those requirements would not be significant because the SBA already collects most of the information needed in those reports,” CBO noted in its report.