Federal Reports

The Federal Information Security Modernization Act (FISMA) requires that the Office of Inspector General (OIG) reviews the Small Business Administration’s (SBA’s) information security program. To determine SBA’s compliance with FISMA, OIG contracted with an independent public accountant, KPMG, to perform review procedures relating to FISMA. OIG monitored KPMG’s work and reported SBA’s compliance with FISMA in the Agency FISMA filings in October 2018. We also assessed the Agency’s progress in implementing open recommendations and compared our current year assessment with our fiscal year 2017 FISMA evaluation. In addition to the 5 open FISMA recommendations noted in appendix II, OIG made 18 new recommendations to address FISMA-related vulnerabilities. SBA fully agreed with all 18 recommendations.

When evaluating options for new information technology (IT) deployments, agencies are required to default to cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists. Cloud computing allows users to access and use shared data and computing services. The cloud also provides users access to resources without agencies having to build additions to their infrastructure. Our evaluation identified that the Small Business Administration (SBA) needs to improve its cloud migration and oversight controls in risk management, security, data mobility, and IT investments to meet federal guidance and standards. Our scope included SBA’s cloud systems inventory, as well as SBA’s cloud migration efforts and oversight from fiscal years 2017 through 2018. We provided eight recommendations to improve SBA’s cloud migration and oversight efforts. SBA management fully agreed with four recommendations and partially agreed with four recommendations. We found that the planned corrective actions resolved each of the eight recommendations.

The U.S. Department of Housing and Urban Development (HUD), Office of Inspector General audited Bank of America because it has released more than 47,000 Federal Housing Administration (FHA)-insured loans into the Distressed Asset Stabilization Program (DASP) note sales program. Since its inception, DASP has facilitated the sale of more than 108,000 FHA loans, which means that Bank of America accounts for nearly half of the entire program. This is the fourth in a series of audits on DASP. The first three audits (2017-KC-0006, 2017-KC-0010, and 2018-KC-0003) examined HUD and focused on the program’s requirements, processes, controls, and oversight. Our audit objective for this audit was to determine whether Bank of America properly followed all loss mitigation requirements for loans released into DASP.We found that Bank of America followed the loss mitigation requirements for all of the loans we reviewed. For those loans without a completed loss mitigation process, the main reasons loss mitigation was not performed related to a lack of homeowner participation or homeowner documentation.This report contains no recommendations.

Quarterly Summary Memorandum for the Lead Inspector General, Department of Defense