II 118TH CONGRESS 1ST SESSION S. 1458 To require the Administrator of the Small Business Administration to estab- lish a program to assist small business concerns with purchasing cyberse- curity products and services, and for other purposes. IN THE SENATE OF THE UNITED STATES MAY 4, 2023 Ms. CORTEZ MASTO (for herself and Mr. RISCH) introduced the following bill; which was read twice and referred to the Committee on Small Business and Entrepreneurship A BILL To require the Administrator of the Small Business Adminis- tration to establish a program to assist small business concerns with purchasing cybersecurity products and services, and for other purposes. Be it enacted by the Senate and House of Representa- 1 tives of the United States of America in Congress assembled, 2 SECTION 1. SHORT TITLE. 3 This Act may be cited as the ‘‘Strengthening and En- 4 hancing Cybersecurity Usage to Reach Every Small Busi- 5 ness Act’’ or the ‘‘SECURE Small Business Act’’. 6 SEC. 2. DEFINITIONS. 7 In this Act: 8 VerDate Sep 11 2014 04:21 May 13, 2023 Jkt 039200 PO 00000 Frm 00001 Fmt 6652 Sfmt 6201 E:\BILLS\S1458.IS S1458 pbinns on DSKJLVW7X2PROD with $$_JOB 2 •S 1458 IS (1) ADMINISTRATOR.—The term ‘‘Adminis- 1 trator’’ means the Administrator of the Small Busi- 2 ness Administration. 3 (2) COVERED INDUSTRY SECTORS.—The term 4 ‘‘covered industry sectors’’ means the following in- 5 dustry sectors: 6 (A) Accommodation and food services. 7 (B) Agriculture. 8 (C) Construction. 9 (D) Healthcare and social assistance. 10 (E) Retail and wholesale trade. 11 (F) Transportation and warehousing. 12 (G) Entertainment and recreation. 13 (H) Finance and insurance. 14 (I) Manufacturing. 15 (J) Information and telecommunications. 16 (K) Any other industry sector that the Ad- 17 ministrator determines to be relevant. 18 (3) COVERED VENDOR.—The term ‘‘covered 19 vendor’’ means a vendor of cybersecurity products 20 and services, including cybersecurity risk insurance. 21 (4) CYBERSECURITY.—The term ‘‘cybersecu- 22 rity’’ means— 23 VerDate Sep 11 2014 04:21 May 13, 2023 Jkt 039200 PO 00000 Frm 00002 Fmt 6652 Sfmt 6201 E:\BILLS\S1458.IS S1458 pbinns on DSKJLVW7X2PROD with $$_JOB 3 •S 1458 IS (A) the art of protecting networks, devices, 1 and data from unauthorized access or criminal 2 use; and 3 (B) the practice of ensuring the confiden- 4 tiality, integrity, and availability of information. 5 (5) CYBERSECURITY THREAT.—The term ‘‘cy- 6 bersecurity threat’’ means the possibility of a mali- 7 cious attempt to infiltrate, damage, disrupt, or de- 8 stroy computer networks or systems. 9 (6) SMALL BUSINESS CONCERN.—The term 10 ‘‘small business concern’’ has the meaning given the 11 term in section 3(a) of the Small Business Act (15 12 U.S.C. 632(a)). 13 SEC. 3. CYBERSECURITY COOPERATIVE MARKETPLACE 14 PROGRAM. 15 (a) ESTABLISHMENT.—Not later than 180 days after 16 the date of enactment of this Act, the Administrator, in 17 consultation with the Director of the National Institute 18 of Standards and Technology, shall establish a program 19 to assist small business concerns with purchasing cyberse- 20 curity products and services. 21 (b) DUTIES.—In carrying out the program estab- 22 lished under subsection (a), the Administrator shall— 23 VerDate Sep 11 2014 04:21 May 13, 2023 Jkt 039200 PO 00000 Frm 00003 Fmt 6652 Sfmt 6201 E:\BILLS\S1458.IS S1458 pbinns on DSKJLVW7X2PROD with $$_JOB 4 •S 1458 IS (1) educate small business concerns about the 1 types of cybersecurity products and services that are 2 specific to each covered industry sector; and 3 (2) provide outreach to covered vendors and 4 small business concerns to encourage use of the co- 5 operative marketplace described in subsection (c). 6 (c) COOPERATIVE MARKETPLACE FOR PURCHASING 7 CYBERSECURITY PRODUCTS AND SERVICES.—The Ad- 8 ministrator shall— 9 (1) establish and maintain a website that— 10 (A) is free to use for small business con- 11 cerns and covered vendors; and 12 (B) provides a cooperative marketplace 13 that facilitates the creation of mutual agree- 14 ments under which small business concerns co- 15 operatively purchase cybersecurity products and 16 services from covered vendors; and 17 (2) determine whether each covered vendor and 18 each small business concern that participates in the 19 marketplace described in paragraph (1) is legitimate, 20 as determined by the Administrator. 21 (d) SUNSET.—This section ceases to be effective on 22 September 30, 2024. 23 VerDate Sep 11 2014 04:21 May 13, 2023 Jkt 039200 PO 00000 Frm 00004 Fmt 6652 Sfmt 6201 E:\BILLS\S1458.IS S1458 pbinns on DSKJLVW7X2PROD with $$_JOB 5 •S 1458 IS SEC. 4. GAO STUDY ON AVAILABLE FEDERAL CYBERSECU- 1 RITY INITIATIVES. 2 (a) IN GENERAL.—The Comptroller General of the 3 United States shall conduct a study that identifies any im- 4 provements that could be made to Federal initiatives 5 that— 6 (1) train small business concerns how to avoid 7 cybersecurity threats; and 8 (2) are in effect on the date on which the 9 Comptroller General commences the study. 10 (b) REPORT.—Not later than 1 year after the date 11 of enactment of this Act, the Comptroller General of the 12 United States shall submit to the Committee on Small 13 Business and Entrepreneurship of the Senate and the 14 Committee on Small Business of the House of Representa- 15 tives a report that contains the results of the study re- 16 quired under subsection (a). 17 Æ VerDate Sep 11 2014 04:21 May 13, 2023 Jkt 039200 PO 00000 Frm 00005 Fmt 6652 Sfmt 6301 E:\BILLS\S1458.IS S1458 pbinns on DSKJLVW7X2PROD with $$_JOB