The Small Business Administration (SBA) must do more to improve its IT investment controls, system development and monitoring controls, and security controls, according to a new report from the SBA Office of Inspector General (OIG).
The report identifies the top management challenges facing the SBA for fiscal year (FY) 2023, but many of the IT recommendations are the same as those in last year’s FY 2022 report. The OIG acknowledged that some progress has been made on last year’s challenges, but said it is still seeing limited progress in some key IT areas.
The first challenge still facing the SBA is the need for improving the agency’s IT investment controls. The SBA Business Technology Investment Council (BTIC) is tasked with overseeing significant IT investments and controls, yet the OIG found the council has not had a meeting in over a year.
“Although the SBA BTIC is the principal governance body in managing SBA IT investments, it appears the most recent board meeting was on September 15, 2021,” the report says. “Past BTIC minutes showed limited vetting and oversight of third-party system contracts and related system development activities. BTIC minutes show limited evidence of project performance oversight on IT investments in the last 2 years.”
The OIG said the BTIC should be involved throughout the life cycle of IT projects and investments, helping to keep the SBA accountable and to get the most value out of its investments.
The second challenge still facing the SBA is that existing system development and monitoring controls need to reflect changing IT design risks.
Over the past two years, SBA procured new systems from third-party service providers to deliver emergency COVID-19 disaster assistance. However, the OIG found that the agency did not conduct baseline control assessments despite the systems being subject to cyber threats, incidents, and risks.
“Our audit work found the agency allowed the third-party systems to be put into service without conducting baseline control assessments,” the report says. “With no baseline, the agency could not perform effective continuous monitoring. Also, we found that control processes did not identify, communicate, or capture privacy or identity risks. These risks include identity theft, misappropriated social security numbers, and modified applicant addresses.”
The controls OIG flagged that need improvement include enterprise-wide communication of privacy and identity risks; improved coordination for system contracts and data management; oversight of third-party systems used to process transactions integral to SBA’s mission; System and Organization Controls (SOC) 1 Type 2 reports for all new and existing external financial systems; and system acceptance controls and continuous monitoring to limit security and processing risks.
This challenge area was just introduced last year, and the OIG said “the agency has made limited progress by introducing a supply chain risk management policy and updating its IT Investment Performance Baseline Management Policy.” The report says SBA should continue to establish policies that address necessary entity-wide controls and continue its oversight of IT investments and system development controls through the BTIC.
Finally, the OIG said additional progress is needed in IT security controls. Under the Federal Information Security Management Act (FISMA), inspectors general are required to “assess the effectiveness of information security programs on a maturity model spectrum and assess security capability in eight domains,” according to the report.
The current benchmark for an effective program under the FISMA criteria is level 4, managed and measurable. However, the OIG found that the SBA has more work to do to achieve this rating across all domains.
“This evaluation of core metrics across the nine domains indicated that SBA continued to achieve level 4 in the area of incident response but is at level 2, defined, or level 3, consistently implemented, in the remaining eight areas,” the report says. “The maturity model criteria places SBA at an overall level of not effective.”
The OIG noted that SBA made progress in supply chain risk management, but could improve in “the areas of risk management, including hardware and software inventories, configuration management controls around patch management, security training and access controls particularly for administrator privileges.”