SBA IT Modernization Reporting Act
Summary
What This Bill Does
The SBA IT Modernization Reporting Act responds to GAO report GAO-25-106963, titled IT MODERNIZATION: SBA Urgently Needs to Address Risks on Newly Deployed System, published November 6, 2024. It requires the Small Business Administration Administrator, acting through the SBA Chief Information Officer, to take the actions necessary to implement that report's recommendations. Within 180 days after enactment, SBA must send the House Small Business Committee and Senate Small Business and Entrepreneurship Committee an implementation plan for policies and procedures governing SBA information technology modernization projects.
The plan must cover 11 specific policy areas for each IT modernization project. SBA must document the source of each identified risk, define risk parameters, maintain risk-management strategies, identify and document risks through all life-cycle phases, evaluate and prioritize risks using defined parameters, connect mitigation measures to mitigation plans, include cyber-risk management information in IT acquisition plans and strategic plans, perform and document traceability analysis, involve security-related subject-matter experts in contractor selection, build master schedules using GAO's Schedule Assessment Guide, and build cost estimates using GAO's Cost Estimating and Assessment Guide. The implementation plan must identify the responsible SBA office and timelines for each action, and SBA must brief the committees within 30 days after submitting the plan.
Who Benefits and How
Small businesses relying on SBA loan systems, disaster-assistance applicants, SBA lenders using agency technology, SBA program offices depending on modernized IT, congressional oversight staff, federal IT accountability advocates, cybersecurity subject-matter experts, IT modernization contractors, schedule-estimation specialists, cost-estimation specialists, and risk-management consultants benefit because the bill forces SBA to translate GAO findings into project-level controls, public timelines, responsible offices, and congressional briefings.
Who Bears the Burden and How
The Small Business Administration, SBA Administrator, SBA Chief Information Officer, SBA IT modernization project managers, SBA cybersecurity staff, SBA acquisition officials, SBA contractor-selection officials, SBA risk-management staff, SBA schedule managers, SBA cost-estimation staff, IT contractors providing services to SBA, House Small Business Committee staff, and Senate Small Business and Entrepreneurship Committee staff must comply with risk documentation, cyber-risk planning, traceability analysis, security-expert participation, GAO schedule and cost guides, responsible-office assignments, timelines, and congressional briefing requirements.
Key Provisions
- Requires SBA to implement GAO's November 2024 IT modernization recommendations.
- Requires a 180-day implementation plan for SBA IT modernization policies and procedures.
- Requires explicit risk-source documentation, risk parameters, life-cycle risk tracking, prioritization, and mitigation-plan links.
- Requires IT acquisition and strategic plans to include information needed to manage cyber risks.
- Requires traceability analysis and security subject-matter expert involvement in contractor selection.
- Requires master schedules using GAO Schedule Assessment Guide practices and cost estimates using GAO Cost Estimating and Assessment Guide practices.
- Requires SBA to identify responsible offices, timelines, and a congressional briefing within 30 days after the implementation plan.
Evidence Chain:
This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.
At a Glance
What This Bill Does
Requires SBA to implement GAO's November 2024 IT modernization recommendations, establish detailed risk-management, cybersecurity, scheduling, contractor-selection, traceability, and cost-estimation policies for IT modernization projects, submit a 180-day implementation plan, and brief Congress within 30 days after the plan.
Key Policy Areas
Small Business Administration, Information Technology, Government Oversight, Cybersecurity
Primary Purpose
Requires SBA to implement GAO's November 2024 IT modernization recommendations, establish detailed risk-management, cybersecurity, scheduling, contractor-selection, traceability, and cost-estimation policies for IT modernization projects, submit a 180-day implementation plan, and brief Congress within 30 days after the plan.
Policy Domains
Substantive provisions
Identified Gains
- Small businesses relying on SBA loan systems
- Disaster-assistance applicants
- SBA lenders using agency technology
- SBA program offices depending on modernized IT
- Congressional oversight staff
- Federal IT accountability advocates
- Cybersecurity subject-matter experts
- IT modernization contractors
- Schedule-estimation specialists
- Cost-estimation specialists
- Risk-management consultants
Identified Costs
- Small Business Administration
- SBA Administrator
- SBA Chief Information Officer
- SBA IT modernization project managers
- SBA cybersecurity staff
- SBA acquisition officials
- SBA contractor-selection officials
- SBA risk-management staff
- SBA schedule managers
- SBA cost-estimation staff
- IT contractors providing services to SBA
- House Small Business Committee staff
- Senate Small Business and Entrepreneurship Committee staff
Sponsors
Legislative Progress
Passed HouseReceived; read twice and referred to the Committee on Small …
Received in the Senate and Read twice and referred to …
Passed House (inferred from eh version)
Mr. Williams (TX) moved to suspend the rules and pass …
Motion to reconsider laid on the table Agreed to without …
On motion to suspend the rules and pass the bill …
Passed/agreed to in House: On motion to suspend the rules …
DEBATE - The House proceeded with forty minutes of debate …
Considered under suspension of the rules. (consideration: CR H4913-4914)
Committed to the Committee of the Whole House on the …
Stakeholder Effects
cui bono?How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.
House Small Business Committee staff, SBA Chief Information Officer, SBA IT modernization project managers
Positive-direction: House Small Business Committee staff, Senate small-business committee staff
Negative-direction: SBA Chief Information Officer, SBA IT modernization project managers, SBA contractor-selection officials, SBA cybersecurity staff, Small Business Administration
Disaster-assistance applicants, Small businesses relying on SBA loan systems
Bill Structure & Actor Mappings
Who is "The Secretary" in each section?
- "cio"
- → Small Business Administration Chief Information Officer
- "sba"
- → Small Business Administration
- "gao_report"
- → GAO-25-106963 IT modernization report
We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.
Learn more about our methodology