SBA Has “Significant Vulnerabilities” In Its Cyber Posture

The Small Business Administration (SBA) is facing some tough challenges. According to a Report on the Most Serious Management and Performance Challenges Facing the SBA in FY 2018, the agency’s risk management and cyber posture is in need of “significant improvement”.

A key area is rolling out key components of FITARA. Although the agency has incorporated many FITARA requirements, the implementation of baseline criteria, such as HR planning, investment oversight, and enterprise architecture, are lacking.

In addition, “significant vulnerabilities” exist in its information security practices. 23 open recommendations from the SBA’s Office of Inspector General (IG) remain open, some dating as far back as 2011.

This is worrying news for an agency that handles sensitive citizen data related to small business loan applications. This isn’t the first time the SBA’s security controls have come under the spotlight. Alarm bells were set off on Capitol Hill in 2016 when the House Small Business Committee chided SBA for deficiencies in IT security:

"It doesn't feel like there's any urgency of this, and yet we know that 2 to 3 percent of business loans in this country flows through them, and that number is growing," said Rep. Richard Hanna (R-NY). "What do we do about this? It sounds like we're going to have the same meeting next year."

That was last year, and to be fair, the IG’s report finds that there has been improvement in information security and continuous monitoring practices (in the cloud), contractor systems, configuration management, and identity and access management. During this fiscal year, the SBA closed six percent of its outstanding IT recommendations. Yet, vulnerabilities remain and investments in infrastructure and “more effective monitoring of contractor hosted systems” is recommended. Three areas for attention, as noted by the IG, include continuous monitoring of systems for threats, risk management, and PII data loss prevention.

Combating Agency Vulnerabilities and Threats

DLT’s cybersecurity partnerships, expertise and solutions can help your agency understand the solutions available and which ones will work best for your agency.