| No. | | | | Recommendation |
|---|---|---|---|---|
| 1 | Yes | $0 | $0 | Complete the implementation of a new governance risk and compliance tool to assist in the timely completion of SBA's annual security control assessments in coordination with the Office of the Chief Financial Officer. |
| 2 | Yes | $0 | $0 | Update SBA policy and procedures to clearly define the term "annual" and specify whether it refers to a period of 365 days or aligns with the fiscal year ending on September 30. |
| 3 | Yes | $0 | $0 | Ensure the agency follows the policy to perform security control assessments annually, either on a rolling 365-day basis or aligned with the fiscal year ending on September 30. |
| 4 | Yes | $0 | $0 | Update the SBA Standard Operating Procedure (SOP) 20 21 4, The Small Business Administration Acquisition and Procurement Program, January 16, 2025, Appendix C — Cybersecurity and Supply Chain Risk for IT Acquisitions, to reflect the new process in which third-party supply chain risks will be continuously monitored through the Office of the Chief Information Officer. |
| 5 | Yes | $0 | $0 | Implement policies, procedures, and processes for developing and maintaining an accurate inventory of data and its corresponding metadata from third parties. |
| 6 | Yes | $0 | $0 | Improve the governance, risk, and compliance systems to track cybersecurity risks. |
| 7 | Yes | $0 | $0 | Develop and implement a process to monitor program offices' completion of required annual reviews of interconnection security agreements and ensure program officials review and sign the agreements prior to their expiration. |
| 8 | Yes | $0 | $0 | Improve the existing process to manage personal identity verification exemptions. |
| 9 | Yes | $0 | $0 | Ensure that system owners perform annual privileged user access reviews in accordance with SBA policies. |
| 10 | Yes | $0 | $0 | Provide system owners and individuals with training or other communication emphasizing requirements for approving privileged user access prior to granting access. |
| 11 | Yes | $0 | $0 | Ensure program offices review all system security plans and confirm they are updated, approved, and signed annually by the system owner, information systems security officer, and the information systems security manager. |
| 12 | Yes | $0 | $0 | Document procedures, roles, and responsibilities for performing an annual functional test to ensure that the alternative backup site keeps the system operational in accordance with SBA policy and procedures. |
| 13 | Yes | $0 | $0 | Annually perform functional testing, including failover testing, in accordance with SBA policy and procedures. |
| 14 | Yes | $0 | $0 | Establish procedures to monitor program officials' compliance with SOP 90 47 6, Cybersecurity and Privacy Policy, requirements to ensure information system contingency plans are developed, tested annually, and updated as needed. |
| 15 | Yes | $0 | $0 | Review and update the information system contingency plans and business impact assessments and ensure that key attributes are included. |
| 16 | Yes | $0 | $0 | Update the information system contingency plans and business impact assessments at least once a year and include the recovery priority and lessons learned. |
| 17 | Yes | $0 | $0 | Conduct the information system contingency plans, to include a business impact assessment, at least annually. |