The Federal Information Security Management Act requires the information security program of every agency to be evaluated each year. In FY 2021, SBA faced new information security challenges under the weight of lending huge amounts during the pandemic. In 2021, the agency had to deal with months of continued issues caused by the unprecedented volume of loan and grant applications spurred by the Coronavirus Aid, Relief, and Economic Security Act and other pandemic relief laws. We tested a subset of systems in nine areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum.We rated SBA’s overall program of information security as ”not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the nine domains.Based on tests of the eight information systems, we determined the results of each domain as follows:1. Risk Management — Defined2. Supply Chain Risk Management — Ad Hoc3. Configuration Management—Defined4. Identity and Access Management — Consistently Implemented5. Data Protection and Privacy — Consistently Implemented6. Security Training — Defined7. Information Security Continuous Monitoring — Defined8. Incident Response — Managed and Measurable9. Contingency Planning — Consistently Implemented.We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.
Report File
Date Issued
Submitting OIG
Small Business Administration OIG
Other Participating OIGs
Small Business Administration OIG
Agencies Reviewed/Investigated
Small Business Administration
Report Number
22-11
Report Description
Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
10
Questioned Costs
$0
Funds for Better Use
$0
Open Recommendations
This report has 1 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
---|---|---|---|---|---|
2 | Yes | $0 | $0 | ||
Ensure the continuity of operations plan is tested annually, as required by Federal Continuity Directive 1. |