A Small Business Administration (SBA) Office of Inspector General (OIG) report summarizing the results of its fiscal year (FY) 2021 Federal Information Security Modernization Act (FISMA) evaluation rates SBA’s overall program of information security as “not effective.”
According to the OIG report, SBA only achieved a maturity level rating of “managed and measurable” in one of the nine domains examined. A managed and measurable rating has to be earned in a majority of the domains for the information security program to be rated effective, the OIG explained.
“In FY 2021, SBA continued to have an unprecedented volume of loan and grant applications because of the Coronavirus Aid, Relief, and Economic Security Act and other pandemic-related legislation,” said the OIG. “As a result, the agency continued to experience security challenges.”
In the report, the OIG made 10 recommendations for improvements in five of the nine domains: risk management, configuration management, identity and access management, and contingency planning. It made three recommendations in risk management, configuration management, and identity and access management to address issues identified last year.
SBA agreed with all recommendations in the report.
“We did not have new findings for the data protection and privacy, information system continuous monitoring, security response, and incident response domains and did not report on those areas,” the OIG wrote.
Among the recommendations made by the OIG:
- Design and implement a quality assurance program to ensure system software inventory and contract-managed systems are maintained;
- Ensure the continuity of operations plan is tested annually;
- Implement an agency-wide policy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services;
- Ensure timelines are incorporated into policies requiring that vulnerabilities found by baseline scans be remediated in a timely fashion;
- Ensure systems under its control undergo vulnerability scans and that identified vulnerabilities are addressed through a patch management process;
- Communicate and reinforce required system owner responsibilities to approve, establish, activate, modify, review, disable, and remove accounts;
- Require audit logging of administrator activity for an independent reviewer to monitor and mitigate risks;
- Establish warning banners for systems lacking them to communicate user responsibilities and prevent unauthorized disclosure;
- Perform reviews of users with administrator privileges periodically to ensure risk designation of their position aligns with duties; and