SBA Auditor Reports Information Security Vulnerabilities
The Small Business Administration’s pandemic relief efforts exposed weaknesses in its cybersecurity posture, according to a report by the agency’s Office of the Inspector General.
Congress introduced the Federal Information Security Management Act (FISMA) to reduce the security risk to federal information and data.
The auditor evaluated SBA’s performance in eight domains: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning.
According to the report, SBA’s overall information security program is “not effective” because the agency scored a “managed and measurable” maturity rating only in incident response.
OIG offered 10 recommendations focused on five of the domains. SBA agreed with the auditor’s recommendations and provided written comments that the final report accounted for.
The auditor excluded some findings related to data protection, privacy, contingency planning and incident response that had already been reported in previous years.
In April 2020, OIG raised concerns regarding SBA’s data security, among other vulnerabilities associated with the increase in remote work, Nextgov reported.