Cybersecurity weaknesses
SBA Auditor Reports Information Security Vulnerabilities
The Small Business Administration's pandemic relief efforts exposed weaknesses in its cybersecurity posture, according to a report by the agency's Office of the Inspector General.
OIG said it conducted an audit to determine whether SBA is compliant with the Federal Information Security Management Act and assess the maturity of the agency’s risk management controls.
Congress introduced FISMA to reduce the security risk to federal information and data.
The auditor evaluated SBA’s performance in eight domains: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning.
According to the report, SBA's overall information security program is "not effective" because the agency reached a "managed and measurable" maturity rating in only one of the domains, incident response.
OIG offered 10 recommendations focused on five of the domains. SBA agreed with the auditor’s recommendations and provided written comments that the final report accounted for.
According to the inspector general's office, SBA should design and implement a quality assurance program, enforce its cybersecurity and privacy policy, update its timeline of cybersecurity milestones, update its application change management process, address identified vulnerabilities in systems, and track new accounts to ensure they are granted appropriate levels of access, among other measures.
The auditor excluded some findings related to data protection, privacy, contingency planning and incident response that had already been reported in previous years.
In April 2020, OIG raised concerns regarding SBA’s data security, among other vulnerabilities associated with the increase in remote work, Nextgov reported.