Monday, March 1, 2021

S 161 Introduced – SECURE Small Business Act

Last month Sen Cortez-Masto introduced S 161, the Strengthening and Enhancing Cybersecurity Usage to Reach Every (SECURE) Small Business Act. The bill would require the Small Business Administration (SBA) to “establish a program to assist small business concerns with purchasing cybersecurity products and services” {§3(a)}.


Section 2 of the bill provides definitions of the following key terms:

• Administrator,

• Covered Industry Sector,

• Covered Vendor,

• Cybersecurity,

• Cybersecurity Threat, and

• Small Business Concern

The term ‘Cybersecurity Threat’ is defined as “the possibility of a malicious attempt to infiltrate, damage, disrupt, or destroy computer networks or systems” {§2(5)}.

The term ‘Covered Sector’ includes 10 of the 16 Critical Infrastructure Sectors defined under Presidential Policy Directive #21. It does not include the Chemical or Energy Sectors.

The definition of ‘Covered Vendor’ specifically includes “cybersecurity risk insurance” {§2(3)}.

Cooperative Market Place

A key portion of the program required under this bill would be the establishment of the “Cooperative Marketplace For Purchasing Cybersecurity Products And Services” {§3(c)}. The Cooperative Marketplace would facilitate the “creation of mutual agreements under which small business concerns cooperatively purchase cybersecurity products and services from covered vendor” {§3(c)(1)(B)}. The CM would be free for small businesses and covered vendors to use.

GAO Study

The bill would also require the Government Accountability Office to conduct a study on existing Federal cybersecurity initiatives that “train small business concerns how to avoid cybersecurity threats” {§4(a)(1)}. The GAO would be required to provide a report to Congress within one year of the enactment of the bill.

Moving Forward

Cortez-Masto is not a member of the Senate Small Business and Entrepreneurship Committee to which this bill was assigned for consideration. Both of her cosponsors {Sen Risch (R,ID) and Sen Rosen (D,NV)}, however, are members. This means that there should be adequate influence available to have this bill considered in Committee. I see nothing in the language of this bill that would engender any significant opposition.

The bill should receive bipartisan support if it is considered by the Committee. If this bill makes it to the floor of the Senate, it will most likely be considered under the Senate’s unanimous consent process; the bill is not important enough to be considered under the normal debate/amend process.


First off, the failure to include the Chemical and Energy sectors in the definition of the ‘Covered Sector’ bothers me. Both sectors have numerous small business concerns that form important pieces of the supply chains of larger companies. The cybersecurity of those small businesses deserves the same coverage as the listed sectors in the bill. I would suggest changing the definition in §2(2) to read:

(2) COVERED INDUSTRY SECTORS.—The term “covered industry sectors” means those critical infrastructure sectors defined in Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience or successor documents,

The definition of ‘Cybersecurity Threat’ is weak and looks to exclude the threat to industrial control systems and Internet-of-Things systems that are forming an increasingly threatened portion of the cyber landscape. A better choice would have been to use the definition from 6 USC 1501 since that definition is based on the ICS-inclusive definition of ‘Information System’ in the same section. Thus, I would change §2(5) to read:

(5) CYBERSECURITY THREAT.—The term “cybersecurity threat” as that term is defined in 6 USC 1501,
