Summary

Requires the Small Business Administration (SBA), through its Chief Information Officer, to implement the recommendations in GAO report GAO–25–106963 on IT modernization risks and to submit an implementation plan to congressional small business committees within 180 days of enactment. The plan must spell out 11 specific risk-management and project-planning practices, identify the SBA office responsible for each action, include timelines, and the Administrator must brief the same committees within 30 days after submitting the plan. The legislation does not appropriate funds.

• Directs SBA to implement GAO report GAO–25–106963 recommendations on IT modernization risks.
• SBA must submit an implementation plan to two congressional committees within 180 days of enactment.
• The plan must address 11 specific risk-management and project-planning practices (risk ID, tolerances, life-cycle risk, prioritization, mitigation linkage, cyber risk in acquisition, traceability, SME involvement, GAO schedule and cost guidance).
• The plan must identify the responsible SBA office for each action and provide timelines for completion.
• Administrator must brief the House and Senate small business committees within 30 days after plan submission.
• No new funding is authorized or appropriated by the legislation.
• Affects SBA IT governance and acquisition practices, with implications for contractors and the agency’s IT workforce.
• Aims to strengthen project planning, cost and schedule estimating, and cybersecurity considerations for SBA IT modernization efforts.