H.R. 4491

119th CONGRESS 1st Session

To require the Administrator of the Small Business Administration to implement certain recommendations relating to information technology modernization, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES · July 17, 2025 · Sponsor: Mr. Cisneros · Committee: Committee on Small Business

Table of contents

• H.R. 4491
  • SEC. 1. Short title
  • SEC. 2. Implementation of recommendations relating to information technology modernization for the Small Business Administration

SEC. 1. Short title

• This Act may be cited as the SBA IT Modernization Reporting Act.

SEC. 2. Implementation of recommendations relating to information technology modernization for the Small Business Administration

• (a) In general
  • The Administrator of the Small Business Administration, acting through the Chief Information Officer of the Administration, shall take such actions as may be necessary to implement the recommendations contained in the report of the Comptroller General of the United States titled (GAO–25–106963; published November 6, 2024). IT MODERNIZATION: SBA Urgently Needs to Address Risks on Newly Deployed System
• (b) Implementation plan
  • Not later than 180 days after the date of the enactment of this Act, the Administrator shall submit to the Committee on Small Business of the House of Representatives and the Committee on Small Business and Entrepreneurship of the Senate an implementation plan detailing the actions the Small Business Administration will undertake to establish and implement policies and procedures to govern information technology modernization projects of the Administration. Such policies and procedures shall, with respect to each project—
    • for each risk identified, explicitly state the source of such risk in the relevant risk documentation;
    • clearly define risk parameters;
    • establish and maintain risk management strategies;
    • identify and document risks for all phases of the life cycle;
    • evaluate, categorize, and prioritize risks based on defined risk parameters and develop project risk management plans;
    • connect measures to mitigate risk to risk mitigation plans;
    • require that any information technology acquisition plan and any strategic plan contains information needed to manage cyber risks;
    • require that a traceability analysis is performed and documented;
    • require that security-related subject matter experts are involved in selection process for contractors for a project;
    • develop master schedules using the guidelines contained in the publication of the Comptroller General titled (GAO–16–89G; published December 22, 2015); and GAO Schedule Assessment Guide: Best Practices for Project Schedules
    • develop cost estimates using the guidelines contained in the publication of the Comptroller General titled (GAO–20–195G; published March 12, 2020). Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Program Costs
• (c) Additional requirements
  • The implementation plan required by this section shall include the actions required to carry out the requirements listed in paragraphs (1) through (11) of subsection (b), an identification of the office of the Administration responsible for implementation, and the timelines for completion of each action.
• (d) Briefing required
  • Not later than 30 days after the submission of the implementation plan required under this section, the Administrator shall provide to the Committee on Small Business of the House of Representatives and the Committee on Small Business and Entrepreneurship of the Senate a briefing on the plan.