Federal Reports

We reviewed the U.S. Department of Agriculture’s (USDA) National Bio and Agro-Defense Facility (NBAF) in Manhattan, Kansas. The audit was performed to evaluate the implementation of physical security controls at NBAF. We reviewed relevant documents and interviewed officials responsible for NBAF’s physical security. Our audit generally covered fiscal year 2023 through the first quarter of fiscal year 2024.

This report summarizes the results of our fiscal year 2024 Federal Information Security Modernization Act (FISMA) evaluation and assessment of the U.S. Small Business Administration’s (SBA) information security program. Our objectives were to determine whether SBA complied with FISMA and assessed the maturity of controls used to address risks in each of the nine security domains.

We found SBA generally responded to previously identified vulnerabilities and made progress in one of the nine domains, in the area of security training. The agency met the baseline in the area of incident response but fell below the baseline for an effective security program in several areas. We rated SBA’s overall information security program as “not effective.”

This fiscal year there are seven new recommendations for improvement. There are 11 open recommendations from 3 prior evaluations. Repeat recommendations from prior years were not included in this report because they have not yet been implemented. The agency successfully closed four recommendations from fiscal year 2023. SBA managers agreed with six recommendations and partially agreed with one. Their corrective actions resolved all the recommendations.

The audit objectives were to determine whether program funds were managed in accordance with the ARC and Federal grant requirements.