Small Business Administration (SBA) Deputy CIO Guy Cavallo assured members of the House Small Business Subcommittee on Investigations, Oversight, and Regulations today that cybersecurity at SBA is much stronger than metrics like those reflected in the FITARA scorecard may lead them to believe.
While subcommittee members raised concerns with SBA’s ‘D’ score on cybersecurity, Cavallo explained that the agency’s cyber preparedness goes far beyond the criteria of the scorecard. The deputy CIO said at a July 22 hearing that SBA is working with the Department of Homeland Security (DHS) on several cybersecurity pilots because “DHS has included us as being one of their prime agencies that they go to on how best to do cyber.”
Since April 2018, according to Cavallo, SBA’s security team, working alongside DHS, has taken down 1,380 malicious websites that were uncovered while blocking phishing attempts against the agency. DHS has also selected SBA to pilot critical cybersecurity efforts, including implementing the Continuous Diagnostics and Mitigation (CDM) program in a cloud-based solution, which Cavallo said demonstrates the high level of security in SBA systems.
“One of the most significant benefits of moving to the cloud has been the tremendous improvements in our cybersecurity protections,” Cavallo added. He said that SBA now has “full visibility” into all attempts to access the network, and agency development teams build security into its solutions from the get-go.
Cavallo also reminded members of the subcommittee that SBA has one of the top overall FITARA scores. Despite that reassurance, members requested continued modernization efforts at the agency, and an explanation from Cavallo on the March data exposure that occurred via an SBA loan portal.
In March, a human error in SBA’s Economic Injury Disaster Loan application portal left personally identifiable information of small business owners exposed. When asked about the incident, Cavallo was quick to clarify, “We did not suffer a data breach, we suffered a data exposure. The big difference is that there was no data break-in, any download of data.”
Cavallo said that SBA has been able to recover and continue its modernization efforts, but subcommittee Chairwoman Rep. Judy Chu, D-Calif., still called for more to be done.
“Ineffective IT systems have been a persistent problem at SBA,” she said. “While significant progress has been made to upgrade the systems in recent years, the magnitude of the pandemic has demonstrated the need for more modern systems that are safer, faster, and more efficient at delivering services to America’s small businesses.”
Rep. Chu recognized that SBA has been able to quickly increase bandwidth to address the mass influx of new users on its portals, but said that system weaknesses that caused the portals to initially crash should’ve been addressed prior to the pandemic. “The agency cannot rely on a system that is incapable of meeting high demand in a crisis,” she said.
Ranking Member Rep. Ross Spano, R-Florida, added, “As the SBA continues to invest in new technologies, it’s imperative that the agency ensures that the investment was worth it, that the outcome achieves the intended goals.”
Cavallo defended the agency’s modernization and pandemic-related efforts. “Over the past three and a half years, we have implemented the necessary building blocks to deliver and accelerate our IT modernization,” he said. “That foundation includes a reliable network infrastructure and leveraging the power of the cloud.”
SBA has also adopted tools such as the CIO Council’s application rationalization playbook to help guide modernization decisions, Cavallo said, and most of the agency’s newly developed working capital fund will go toward modernizing its systems.