SBA adapting IT systems providing COVID-19 relief amid program changes

The Biden administration made more changes to the Paycheck Protection Program on Wednesday, necessitating tweaks to E-Tran.
Small Business Administration (SBA)
( / CC BY 2.0 / Flickr)

The Small Business Administration continues to adapt its IT systems processing COVID-19 relief applications to address changing program requirements.

The Biden administration announced a two-week window starting Wednesday where only small businesses with less than 20 employees may apply for Paycheck Protection Program (PPP) forgivable loans to keep their workforces employed during the pandemic.

As new legislation and executive mandates attempt to provide relief where it hasn’t yet been granted, SBA is scrambling to make changes to its E-Tran loan system and program portals.

“We’ve been obviously faced with a tremendous scaling challenge…in terms of the volume of transactions we are processing,” said Sanjay Gupta, chief technology officer at SBA, during an ATARC event Thursday. “But also more importantly the velocity at which we are processing this higher volume.”


Businesses went under because initial PPP loans dragged into the summer as SBA struggled to process requests for $400 billion in relief funds and adjust E-Tran to shifting rules for eligibility, financial institutions, terms and conditions, and transferring loans into grants.

SBA also responds to disasters, and President Biden declared Texas’ snowstorm a major disaster earlier this week. The declaration will mean a workload surge for SBA on top of dealing with PPP and Economic Injury Disaster Loans for the pandemic, Gupta said.

Fortunately, SBA’s cloud migration began in 2017, allowing it to scale with increased employees better than it would otherwise. But in March the agency accelerated implementation of a cloud-based secure connector, in lieu of its traditional virtual private network, to improve security and visibility into traffic and performance.

Conditional access which throttles users’ access if they fail to meet certain conditions related to things like where they’re connecting to the network — has proven helpful during the pandemic. The same is true for geofencing, which took six hours to implement in March and took care of traffic from foreign countries trying to access pandemic loan portals, Gupta said.

SBA is relying on native capabilities more heavily when it comes to cybersecurity tools, anomaly detection and machine learning.


“We are automating these things,” Gupta said. “So a year from now you’ll see a higher resilience posture.”

Uniquely identifying virtual machines on SBA’s network continues to be a challenge however, Gupta said. He led SBA’s 90-day Continuous Diagnostics and Mitigation modernization effort in coordination with the Cybersecurity and Infrastructure Security Agency, and together they developed a model for identification.

Virtual machines are instantiated as needed and may need to be created and destroyed in microseconds. SBA’s model attempts to track and manages those machines in a cloud environment and was published in a report, but the CDM team has yet to release guidance.

“I’m sure it’s in the works,” Gupta said.

Latest Podcasts