The Small Business Administration’s (SBA) Office of the CIO (OCIO) has made improvements in its IT controls deployment, according to a recent Office of the Inspector General (OIG) report.
The OIG noted a previous finding established by Fiscal Year 2018 Inspector General FISMA Reporting Metrics that SBA’s IT controls were “not effective.” However, SBA improved its deployment of IT controls through outstanding OIG recommendations, along with making improvements in access controls, continuous monitoring, and configuration management.
While the OCIO made progress, it still has several areas of improvement that OIG recommends it keep working on, including audit logging, network vulnerability management, access controls, and segregation of duties.
Elsewhere, SBA made progress in deploying Federal IT Acquisition Reform Act (FITARA) criteria. In the past year, SBA’s OCIO “implemented a human resource planning process to include competency and workforce plans around IT requirements,” and as a result all FITARA workforce development standards have been fulfilled.
The OIG identified three areas of improvement for IT investment oversight and accountability, and made several recommendations to address those:
- SBA’s OCIO should develop a process to capture performance goal estimates and “actual cost savings/avoidance of IT initiatives;”
- Cloud migration decisions should require approved business cases through SBA’s IT governance boards; and
- System owners and contract officers should “ensure that cloud-services contracts specify system interoperability, portability, and data ownership.”
SBA’s OCIO said it will implement controls for those areas.