SBA Fell Short in Most Major Cybersecurity Areas, Inspector General Says
The Small Business Administration’s posture in most major cybersecurity domains was below what is required to be deemed effective, the agency’s auditor said in a new report.
SBA’s Office of Inspector General looked at the agency’s performance in nine categories: risk management, supply chain risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response and contingency planning.
A domain needs to have a rating of “managed and measurable” for the agency’s performance to be considered effective at protecting against cyber threats. SBA only achieved the rating for the incident response category, OIG said.
SBA attained a rating of “defined,” “ad hoc,” or “consistently implemented” in the remaining eight domains, the auditor said in its fiscal year 2021 Federal Information Security Modernization Act review.
OIG said that during the fiscal year, SBA faced an unprecedented volume of new data and documents related to federal coronavirus relief programs, exposing the agency to new vulnerabilities.
The auditor concluded that SBA’s overall information security program was “not effective,” recommending that the agency improve controls for system software inventory management, patching, user recertification and the deployment of supply chain risk management policies.
OIG also offered specific recommendations in three domains, all of which SBA agreed to in a written response.
Federal agencies are required to maintain an information security program in accordance with FISMA. Each agency’s OIG annually reviews its agency’s cybersecurity based on metrics provided by the Department of Homeland Security and the Office of Management and Budget.