HR-4668-115
Placed on the Union Calendar, Calendar No. 502.
What it does
This bill would amend the Small Business Act to require the Small Business Administration (SBA), working with the Department of Commerce, to create a central cybersecurity assistance unit and a cybersecurity assistance unit inside every Small Business Development Center (SBDC) across the country. These units would serve as the official point of contact for small businesses to both receive information about cyber threats and share threat data with the federal government.
Who benefits
Small businesses (defined under the Small Business Act) that lack dedicated IT or cybersecurity staff would gain a free, accessible resource for cyber threat information and guidance. Small Business Development Centers, which are already spread across the country, would receive a new cybersecurity function. Federal agencies would benefit from a structured channel to collect cyber threat data from the private sector.
Who is hurt
Private cybersecurity firms and consultants that currently sell services to small businesses could see reduced demand if the free government units are viewed as substitutes. Small businesses that share threat data with the federal government could face privacy or competitive risks if that data is not adequately protected. Taxpayers would bear the cost of staffing and operating the new units, though the bill does not specify a funding amount.
Supporters argue
Supporters argue that small businesses are frequent targets of cyberattacks but rarely have the resources to defend themselves or to navigate complex federal cybersecurity programs. By embedding assistance units inside the existing SBDC network — a familiar, trusted, and geographically distributed infrastructure — the bill would lower the barrier for small businesses to access threat intelligence and report incidents. Proponents contend that stronger small business cybersecurity reduces systemic risk across supply chains, since small firms often serve as vendors or contractors to larger companies and government agencies. Centralizing the information-sharing function, they argue, would also help federal agencies build a more complete picture of the national cyber threat landscape.
Opponents argue
Opponents argue that creating new government units inside SBDCs duplicates cybersecurity resources that already exist through agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), which already publish small business guidance. Critics contend that a government-run assistance model may be slower to adapt to rapidly evolving cyber threats than private-sector alternatives, and that small businesses sharing sensitive threat data with the federal government raises legitimate concerns about how that data would be stored, used, and protected. Skeptics also question whether the bill provides sufficient funding and technical expertise to make the units effective, warning that underfunded units could create a false sense of security without delivering meaningful protection.
Constitutional context
The bill operates under Congress's Commerce Clause authority (Art. I, Sec. 8) to regulate interstate commerce, as cybersecurity threats affecting small businesses have clear interstate and international dimensions. The bill's information-sharing mechanism — where businesses share threat data with the federal government — implicates the Fourth Amendment's protections against unreasonable searches and seizures, as interpreted in Carpenter v. United States (2018), which held that the government's collection of digital data can constitute a search requiring a warrant. The First Amendment's protections for editorial and expressive discretion, addressed in Moody v. NetChoice (2024), are less directly relevant here but could arise if the government's role in curating or disseminating threat information were challenged. The Supremacy Clause is relevant to the extent the bill's framework could preempt state-level cybersecurity or data-sharing laws.
Checks and balances
The bill expands executive branch authority by directing the SBA and the Department of Commerce to create and operate new administrative units. Congress retains oversight through its appropriations power and the requirement that the SBA act "in coordination with" Commerce, preventing either agency from acting unilaterally. No new judicial or independent review mechanism is established by the bill's text.
Historical precedent
The Cybersecurity Information Sharing Act of 2015 (CISA 2015) established a similar framework for voluntary cyber threat information sharing between private entities and the federal government, providing a direct legislative predecessor to this bill's information-sharing mechanism.