Date Issued
Submitting OIG
Small Business Administration OIG
Other Participating OIGs
Small Business Administration OIG
Agencies Reviewed/Investigated
Small Business Administration
Report Number
23-03
Report Description

This report summarizes the results of our fiscal year (FY) 2022 Federal Information Security Modernization Act (FISMA) evaluation and assesses the maturity of controls used to address risks in each of the nine information security areas, called domains. We assessed the effectiveness of information security programs on the required maturity model spectrum, which is a rating scale for information security. We rated SBA’s overall program of information security as “not effective.”

We found SBA generally responded to previously identified vulnerabilities. The agency made progress in supply chain risk management and continues to be rated at the effective maturity level for incident response. However, the results of our tests show SBA continues to experience security control challenges in the areas of configuration management, risk management, user access, security training, information security continuous monitoring, and contingency planning.

Based on tests of seven information systems, we determined the results of each domain as follows:

1. Risk management: Defined
2. Supply chain risk management: Defined
3. Configuration management: Defined
4. Identity and access management: Defined
5. Data protection and privacy: Consistently implemented
6. Security training: Ad hoc
7. Information security continuous monitoring: Consistently implemented
8. Incident response: Managed and measurable
9. Contingency planning: Consistently implemented

Ratings of defined, ad hoc, and consistently implemented are below the baseline for an effective security program.

In addition to two open FISMA recommendations from prior years, we made six recommendations for improvements in six of the nine domains: risk management, supply chain risk management, identity and access management, information security continuous monitoring, security training, and contingency planning. SBA management agreed with all six recommendations and outlined corrective action plans to address the identified vulnerabilities.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 4 open recommendations.
Recommendation 1 (significant; recommended questioned costs $0; recommended funds for better use $0)
Design and implement a quality assurance program to ensure that SBA system hardware inventory is maintained as required by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.

Recommendation 2 (significant; recommended questioned costs $0; recommended funds for better use $0)
Implement a process to ensure SBA reviews its external service providers for supply chain risks and ensure all assessments of supply chain risks are documented as outlined in NIST SP 800-53.

Recommendation 3 (significant; recommended questioned costs $0; recommended funds for better use $0)
Communicate and reinforce to program offices the requirement to review and remove system and user accounts in accordance with SOP 90 47 6.

Recommendation 5 (significant; recommended questioned costs $0; recommended funds for better use $0)
Develop, document, and implement a process that requires management review of information security data and reporting of information security threats.
