- Potential benefit: Improved IT governance and risk management at the SBA, which could reduce the likelihood of system failures, data breac…
- Small businesses: Potential enhancement of cybersecurity and protection of small business applicant and borrower data through required in…
- Potential benefit: More accurate project schedules and cost estimates by requiring use of GAO best-practice guides, which could lower long…
SBA IT Modernization Reporting Act
Placed on the Union Calendar, Calendar No. 181.
This bill directs the Administrator of the Small Business Administration (SBA), through the agency Chief Information Officer, to implement the recommendations in GAO report GAO-25-106963 ("IT Modernization: SBA Urgently Needs to Address Risks on Newly Deployed System").
It requires the SBA to submit, within 180 days of enactment, an implementation plan that details policies and procedures to govern IT modernization projects, including specific requirements for risk documentation and management, cyber risk inclusion in acquisition and strategic plans, traceability analyses, involvement of security subject-matter experts in contractor selection, and use of GAO guidance for schedule and cost estimating.
The plan must identify the responsible SBA office and provide timelines for each action, and the Administrator must brief the House and Senate small business committees within 30 days after plan submission.
Relative to its intended legislative type, this bill provides a clear mandate and detailed procedural requirements for SBA IT modernization planning and requires a near-term implementation plan and briefing. It is strong on specifying what the implementation plan should contain and which GAO guidance to follow, but it provides limited guidance on resource implications, enforcement, follow-up oversight, and handling exceptions.
Who stands to gain, and who may push back.
These are examples from the analysis, not a ranked list of the most-affected groups.
- Potential burden: Additional administrative and compliance burden on the SBA to develop, document, and maintain comprehensive risk manage…
- Potential burden: Possible near-term increases in program costs if the SBA must hire additional staff, contract consultants, or invest in…
- Potential burden: Potential for slower procurement and project start times as projects adopt more rigorous selection processes, traceabil…
Why the argument around this bill splits.
Degree of concern about added bureaucracy versus the need for rigorous risk management—conservatives emphasize flexibility and cost, liberals emphasize security and equity.
A mainstream liberal/left-leaning observer would generally view this bill positively as a concrete step to strengthen oversight, cybersecurity, and risk management at a federal agency that serves small businesses.
They would welcome requirements for documented risk management, cyber risk inclusion, and involvement of security experts because these reduce the likelihood of failures that could disproportionately harm underserved entrepreneurs.
However, they would be concerned about whether the SBA will receive sufficient resources to implement these best practices and whether the plan will include provisions to ensure equitable access for historically marginalized small businesses during modernization.
A centrist/moderate observer would likely regard the bill as a sensible, targeted requirement that implements GAO recommendations to strengthen governance of SBA IT modernization.
They would appreciate the use of established GAO guidance and clear deadlines, seeing this as improving project discipline without dramatic new policy changes.
Their primary concerns would be the feasibility of the 180-day planning deadline, clarity about resource needs and whether additional appropriations are required, and ensuring the plan balances rigor with operational flexibility.
A mainstream conservative observer would cautiously support efforts to reduce IT risk and improve accountability at a federal agency, especially where GAO has identified urgent weaknesses.
However, they would be wary of prescriptive federal mandates that expand paperwork and slow procurement, and would be sensitive to any implicit increase in ongoing costs or bureaucratic overhead.
They would favor preserving flexibility for agency leadership and contractors to implement improvements in a cost-effective manner, and would seek assurances that the bill does not create unfunded mandates or reduce the pace of delivering services to small businesses.
The path through Congress.
On content alone, the bill is a narrow, technical measure that advances implementation of GAO recommendations without creating new programs or spending mandates—attributes that historically increase enactment chances. The main barriers are procedural (Senate scheduling or holds) rather than substantive opposition. Therefore, conditional on ordinary legislative processing, the bill has a good chance of enactment, though not guaranteed.
- The bill text does not include a cost estimate or identify whether additional resources will be requested or required to meet the implementation deadlines; unknown resource needs could influence stakeholder support or prompt requests for appropriations.
- Senate procedural dynamics and floor scheduling (holds, requests for amendments, committee priorities) are unknown and can materially affect timing and final outcome despite the bill's noncontroversial content.
Recent votes on the bill.
The bill has not accumulated any surfaced votes yet.