This report summarizes the results of our fiscal year (FY) 2022 Federal Information Security Modernization Act (FISMA) evaluation and assesses the maturity of controls used to address risks in each of the nine information security areas, called domains. We assessed the effectiveness of information security programs on the required maturity model spectrum, which is a rating scale for information security.

We rated SBA’s overall program of information security as “not effective.” We found SBA generally responded to previously identified vulnerabilities. The agency made progress in supply chain risk management and continues to be rated at the effective maturity level for incident response. However, the results of our tests show SBA continues to experience security control challenges in the areas of configuration management, risk management, user access, security training, information security continuous monitoring, and contingency planning.

Based on tests of seven information systems, we determined the results of each domain as follows:

1. Risk management: Defined
2. Supply chain risk management: Defined
3. Configuration management: Defined
4. Identity and access management: Defined
5. Data protection and privacy: Consistently implemented
6. Security training: Ad hoc
7. Information security continuous monitoring: Consistently implemented
8. Incident response: Managed and measurable
9. Contingency planning: Consistently implemented

Ratings of defined, ad hoc, and consistently implemented are below the baseline for an effective security program.

In addition to two open FISMA recommendations from prior years, we made six recommendations for improvements in six of the nine domains: risk management, supply chain risk management, identity and access management, information security continuous monitoring, security training, and contingency planning. SBA management agreed with all six recommendations and outlined corrective action plans to address the identified vulnerabilities.
| Agency Reviewed / Investigated | Report Title | Type | Location |
|---|---|---|---|
| Small Business Administration | FY 2022 Federal Information Security Modernization Act Review | Inspection / Evaluation | Agency-Wide |
| Consumer Product Safety Commission | CPSC Penetration Test 2022 | Inspection / Evaluation | Agency-Wide |
| Federal Deposit Insurance Corporation | Security Controls Over the FDIC's Wireless Networks | Review | Agency-Wide |
| Department of Labor | FY 2022 Independent Auditors' on DOL's Consolidated Financial Statements Report | Audit | Agency-Wide |
| Office of Personnel Management | Audit of the Federal Employees Health Benefits Program Operations at GlobalHealth, Inc. | Audit | Agency-Wide |
| Office of Personnel Management | Audit of Cash Management Activities and Aging Refunds for a Sample of BlueCross and/or BlueShield Plans | Audit | Agency-Wide |
| Office of the Director of National Intelligence | Office of the Inspector General of the Intelligence Community Semiannual Report, April 2022-September 2022 | Semiannual Report | Agency-Wide |
| U.S. Agency for International Development | Financial Audit of USAID Resources Managed by Project HOPE Namibia Under Multiple Awards, January 1 to December 31, 2021 | Other | |
| U.S. Agency for International Development | USAID OIG Semiannual Report to Congress: April 1, 2022 - September 30, 2022 | Semiannual Report | Agency-Wide |
| National Labor Relations Board | Management Letter, NLRB Fiscal Year 2022 Financial Statement Audit | Audit | Agency-Wide |