OIG is required by the Federal Information Security Management Act to assess SBA’s information security program every year. In FY 2020, SBA had an unprecedented volume of loan and grant applications because of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and other related pandemic legislation. As a result, the agency experienced new information security challenges. We tested a subset of systems in eight areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum. We rated SBA’s overall program of information security as ”not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the eight domains. Based on tests of the eight information systems, we determined the results of each domain as follows:1. Risk Management — Defined2. Configuration Management—Defined3. Identity and Access Management — Consistently Implemented4. Data Protection and Privacy — Consistently Implemented5. Security Training — Defined6. Information Security Continuous Monitoring — Defined7. Incident Response — Managed and Measurable8. Contingency Planning — Consistently Implemented. We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.
Report File
Date Issued
Submitting OIG
Small Business Administration OIG
Other Participating OIGs
Small Business Administration OIG
Agencies Reviewed/Investigated
Small Business Administration
Report Number
21-17
Report Description
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
10
Questioned Costs
$0
Funds for Better Use
$0