S 3024 Introduced – Small Business Cybersecurity Support

Last week Sen. Vitter (R,LA) introduced S 3024, Small Business Cyber Security Improvements Act of 2016. The bill would amend 15 USC 648 to add cybersecurity services to those currently offered by Small Business Development Centers (SBDCs).

SBDC Changes

Section 2 of the bill would add “providing access to external cyber security specialists to counsel, assist, and inform small business concerns”, to the list of possible services provided by SBDCs under §648(c).

Section 3 of the bill would add a provision to §648(a) that would allow DHS to “provide assistance to small business development centers, through the dissemination of cyber security risk information and other homeland security information, to help small business concerns in developing or enhancing cyber security infrastructure, cyber threat awareness, and cyber training programs for employees”.

Section 4 would require a GAO study of current GAO cybersecurity resources. It would also require the Administrator of the Small Business Administration (SBA) to develop a cybersecurity strategy for the SBDCs.

Moving Forward

Vitter’s bill was reported out of the Senate Small Business and Entrepreneurship Committee last week without amendment or written report. This is not unexpected since Vitter is the Chair of that Committee. It remains to be seen if Vitter can get this bill before the full Senate before the summer recess in the middle of July. Lacking that I do not expect that the bill would be considered by the Senate.

If the bill does make it to the floor, it will probably be considered under the unanimous consent provisions at the end of a day. There is little or nothing that would bring any objections from the floor.

Commentary

The cybersecurity language in this bill is the most neutral language that I have seen, never mentioning either information technology or control system technology or any of their code words. So the bill would theoretically allow the SBDCs to provide control system security support as part of this program. The difference, however, between allowing such support and actually providing such support is quite large. I really would not expect most centers to provide ICS security support.