The Small Business Administration (SBA) resolved 11 recommendations for improvement after the agency’s Office of the Inspector General (OIG) determined that SBA’s information security procedures did not, overall, meet Federal Information Security Modernization Act (FISMA) reporting metrics, the OIG said.
Although SBA earned mid-level rankings on the information security maturity model spectrum, OIG concluded that SBA’s overall program was “not effective per the evaluation criteria set forth by the FY 2019 Inspector General FISMA Reporting Metrics.” OIG commended improvements in cybersecurity oversight, but added that “SBA needs to proactively update and implement security operating procedures and address the new vulnerabilities identified.”
Ultimately, OIG issued 11 recommendations in three key areas: plan of action and milestone remediation, baseline configuration, and session lockout settings. In a March 12 response to the audit, CIO Maria Roat said that the OCIO would “diligently pursue robust and adaptive cybersecurity visibility, defense, detection, and response capabilities across the enterprise.”
By the March 30 publication of the OIG report, all recommendations were marked as resolved.