Sen. Joni Ernst, R-Iowa, the ranking member of the Small Business and Entrepreneurship Committee, is criticizing the Small Business Administration (SBA) for investing in artificial intelligence while the agency is struggling with basic IT security.
Sen. Ernst made public a May 9 letter on Wednesday that she sent to SBA Administrator Isabella Casillas Guzman demanding answers as to why the agency is “not prioritizing investments in securing their systems but instead are forging ahead with unnecessary projects.”
Specifically, the senator is concerned that the agency is not properly using money collected in its $22 million IT Working Capital Fund (IT WCF).
“It is vital the SBA use its IT WCF for authorized purposes only and make appropriate investments to modernize IT infrastructure throughout the agency,” she wrote. “The SBA has not done so, reportedly spending significant funds on IT projects within some divisions, such as the Office of Capital Access, even as other offices appear to lack the capacity to perform basic IT functions, like importing data from Excel spreadsheets.”
Sen. Ernst pointed to SBA’s declining performance on the FITARA Scorecard – with a citation to MeriTalk’s FITARA Dashboard site – noting that the agency has not scored higher than a “C” rating over the last three years.
Additionally, she noted a recent SBA Office of Inspector General (OIG) report, which found the agency’s overall information security program to be “not effective.”
“Specifically, SBA was cited as having ineffective management when it came to risk, supply chain risk, IT configurations, and identity and access policies. It also had ineffective data protection and privacy, security training for personnel, information security continuous monitoring capabilities, and contingency planning,” Sen. Ernst explained.
She also cited another SBA OIG report that found significant IT investment internal control issues over the last six years that the agency has not taken meaningful action to resolve.
“The SBA needs to do better, especially given the fact that thousands of Social Security Numbers were used to commit fraud and identity theft in the Paycheck Protection Program (PPP) and COVID-19 Economic Injury Disaster Loan (COVID-19 EIDL) programs,” the senator wrote.
Sen. Ernst also said that SBA has not reported its AI use cases – in compliance with President Biden’s AI executive order (EO) – despite having publicly touted AI programs.
“The SBA has touted its ‘artificial intelligence tools for fraud review on all loans in the 7(a) and 504 Loan Programs,’ ‘sophisticated automated reviews,’ ‘advanced data analytics,’ ‘machine learning functionality,’ and ‘artificial intelligence and machine learning solutions.’ The SBA also launched an updated Lender Match tool that verifies borrowers and screens for fraud,” she wrote. “In a recent interview, you stated that the SBA has embraced AI. Despite this, the SBA has not been transparent and reports that it has not used AI.”
Sen. Ernst wants answers to several questions, including why the agency has not complied with the AI EO and how the agency has been using the money in its IT WCF since 2020.
She also wants to know whether the agency’s chief information officer position – which has been vacant since January 2022 – is impacting SBA IT acquisitions.