This report summarizes the results of our fiscal year 2023 Federal Information Security Modernization Act (FISMA) of 2014 evaluation and assessment of the U.S. Small Business Administration’s (SBA) information security systems policies, procedures, and practices.Our objectives were to determine whether SBA complied with FISMA and assess the maturity of controls used to address risks in each of the nine security domains.There are five open recommendations from two previous evaluations. In this report, we made 11 recommendations for improvements in 6 domains: risk management, supply chain risk management, identity and access management, data protection and privacy, security training, and contingency planning. We did not repeat recommendations from previous years being implemented in the areas of risk management, supply chain risk management, and contingency planning. The agency agreed with all 11 recommendations.
Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 1 | Yes | $0 | $0 | ||
| Complete the implementation of an automated solution to help ensure a complete and accurate inventory of software assets. | |||||
| 2 | Yes | $0 | $0 | ||
| Define a required frequency for updating the system inventory and implement a quality control process to validate that system inventories are updated in a timely manner. | |||||
| 3 | Yes | $0 | $0 | ||
| Update existing policy and procedures to ensure plans of action and milestones are closed only after the planned corrective actions and milestones have been implemented. | |||||
| 4 | Yes | $0 | $0 | ||
| Review the Enterprise Risk Management Framework Guide annually and update if needed. | |||||
| 5 | Yes | $0 | $0 | ||
| Develop a strategy to ensure that products, system components, systems, and services of external providers are consistent with the organization’s cybersecurity and supply chain requirements. | |||||
| 6 | Yes | $0 | $0 | ||
| Define timeframe and remediation requirements for baseline and configuration weaknesses. | |||||
| 7 | Yes | $0 | $0 | ||
| Properly update and remediate vulnerabilities and configuration weaknesses throughout the SBA environment. | |||||
| 8 | Yes | $0 | $0 | ||
| Implement a process to track and enforce compliance with PIV implementation and multi-factor requirements. | |||||
| 9 | Yes | $0 | $0 | ||
| Ensure implementation procedures for data loss prevention are updated at least on a biannual basis to reflect new processes and new requirements. | |||||
| 10 | Yes | $0 | $0 | ||
| Update existing procedures that identify the roles of individuals with significant IT responsibilities who require role-based training and ensure such training is provided and tracked. | |||||
| 11 | Yes | $0 | $0 | ||
| Provide training to individuals with contingency planning roles and responsibilities. | |||||
