Weaknesses Identified During the FY 2020 Federal Information Security Modernization Act Review
About this document and download
OIG is required by the Federal Information Security Management Act to assess SBA’s information security program every year. In FY 2020, SBA had an unprecedented volume of loan and grant applications because of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and other related pandemic legislation. As a result, the agency experienced new information security challenges.
We tested a subset of systems in eight areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum.
We rated SBA’s overall program of information security as ”not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the eight domains.
Based on tests of the eight information systems, we determined the results of each domain as follows:
- Risk Management — Defined
- Configuration Management—Defined
- Identity and Access Management — Consistently Implemented
- Data Protection and Privacy — Consistently Implemented
- Security Training — Defined
- Information Security Continuous Monitoring — Defined
- Incident Response — Managed and Measurable
- Contingency Planning — Consistently Implemented.
We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.