The Small Business Administration (SBA) Office of the Inspector General (OIG) said in its newly released annual Federal Information Security Modernization Act (FISMA) report for Fiscal Year 2020 that SBA’s information security was “not effective” last year due in part to the COVID-19 pandemic.
According to the report, “competing priorities” during the COVID-19 pandemic and an “unprecedented volume” of loan and grant applications from the CARES Act and other pandemic-related legislation opened up SBA to new security challenges.
Based on its testing of SBA's information systems, the OIG rated seven of the eight FISMA reporting domains as not effective: Risk Management, Configuration Management, Identity and Access Management, Data Protection and Privacy, Security Training, Information Security Continuous Monitoring, and Contingency Planning.
The remaining domain, Incident Response, was rated effective.
“In FY 2020, SBA faced significant new security challenges because of the enormous increase in loan transaction volume for pandemic relief programs,” wrote the OIG. “Consequently, SBA needs to update and implement security operating procedures and address newly identified vulnerabilities in its systems. We identified areas that need improvement in controls, including system inventory management, patching, user recertification, and appropriately maintaining Authority to Operate agreements.”
The OIG made 10 recommendations in five of the domains for the agency, all of which SBA agreed to.
Among the recommendations were three made in Risk Management, three in Configuration Management, two for Identity and Access Management, one for Security Training, and one for Information Security Continuous Monitoring. The OIG did not have new findings for the Data Protection and Privacy, Contingency Planning, and Incident Response domains.