The Small Business Administration (SBA) Office of Inspector General (OIG) released its report on management and performance challenges for fiscal year (FY) 2022, which highlights "significant" challenges in IT investment, system development, and security controls.
The Top Management and Performance Challenges Facing the SBA in FY2022 is a report required by the Reports Consolidation Act of 2000. According to the IG, the COVID-19 pandemic created new challenges for SBA, on top of the major challenges the agency already faced before the pandemic in managing its financial lending programs, IT, and other areas.
The OIG detailed the need for SBA to invest in IT upgrades, in part because of the COVID-19 pandemic, but also stated that the agency has struggled with large, high-dollar IT projects over the past decade. Among these IT investments is the Certify system, which is intended to broaden small business access to SBA contracting and assistance programs.
However, in July 2020, OIG found that the project lacked planning and performance oversight during development. SBA has taken steps to improve oversight of beta.Certify.gov, but still needs to improve several management areas, including baseline reviews and completing functionality. SBA expects to have these efforts complete by the end of 2021, with OIG monitoring the progress.
On the system development front, OIG found that “existing policy dates to 2009 and does not fully address changes in the IT development landscape, including extensive use of third-party application service providers.”
“The agency must produce a System and Organization Controls Report, commonly known as a SOC 1, to validate financial controls have been properly designed and tested,” wrote OIG. “To meet the challenges of rapidly delivering financial assistance and reduce risks, the agency must update its guidance for purchasing and related system development to validate essential controls exist before an application may be placed in production.”
Additionally, continuous monitoring procedures should be put in place over production activities to address potential security vulnerabilities.
Lastly, OIG says that SBA needs to make additional progress on security controls. FISMA requires IGs to assess the effectiveness of an agency's information security program against a maturity model, rating security capability in eight domains. The benchmark for an effective program is level 4, "Managed and Measurable," which SBA continues to achieve in the incident response domain.
However, SBA remains at level 2, "Defined," or level 3, "Consistently Implemented," in the remaining seven domains, which leaves its program rated "not effective" overall. SBA continues to make progress toward an "effective" rating under FISMA.
According to OIG, SBA continues to experience security challenges in user access, configuration management, and security training. The agency has made progress in automated security control testing and in protecting personally identifiable information, but it still needs to improve risk management and configuration management controls; update systems' authorizations to operate so that known vulnerabilities are corrected; improve its tracking of plans of action and milestones; update its software and hardware inventories; and address ongoing weaknesses in access control and security training.