SBA certification project has risks that need addressing, GAO says
A Small Business Administration project aimed at easing the process of applying for and maintaining contracting certifications could face elevated risks of vulnerabilities due to the agency not fully implementing various security protocols, according to a new watchdog report.
The Government Accountability Office said the SBA doesn’t have a cybersecurity risk management plan for its Unified Certification Platform (UCP) project, which was launched earlier this year to allow small businesses to more efficiently interact with the agency’s contracting assistance programs.
The certification platform also “didn’t trace design elements of the new system to related cybersecurity requirements,” the GAO reported, adding that those “gaps increase the risk of security vulnerabilities.”
The SBA began its online certification portal project in 2023 with an eye on a September 2024 launch. Despite protests from a pair of Republican lawmakers — and reservations from the GAO — the agency announced a pause on accepting new applications for certification, effective Aug. 1, until the new system was ready for deployment.
That day arrived Oct. 18, but according to the GAO, the SBA still has work to do “to develop additional, more complex functionality, secure the system, and migrate data.”
“GAO’s analyses of SBA’s efforts show that leading practices for risk management, cybersecurity, and schedule and cost estimation have not been fully implemented,” the report states. “Accordingly, SBA faces an increased risk of additional delays as it completes remaining work and may face challenges with addressing system issues that arise.”
New Hampshire Democrat Jeanne Shaheen, who chairs the Senate Small Business Committee, said in a statement to FedScoop that she is “closely monitoring SBA’s United Certification Platform project, including IT management gaps highlighted in GAO’s report. It is essential to address risks while working to provide small businesses a long-awaited, efficient way of bidding on federal contracts.”
Sen. Joni Ernst, R-Iowa, ranking member of the Small Business Committee and a semi-frequent critic of SBA over tech matters, said in an email to FedScoop that “small businesses should not be forced to suffer because of bureaucratic incompetence.”
“Not only did SBA fail to meet its own self-imposed deadline and blow through an already bloated budget, but the agency failed to create a portal that works,” Ernst continued. “SBA needs to take responsibility for its irresponsible decision to upgrade the portal during the busiest month for small businesses, that I warned about, and take immediate steps to resolve GAO’s recommendations.”
The SBA, meanwhile, said the project was necessary to bolster an IT system responsible for administering many of its most important programs, including 8(a) business development, HUBZone, VetCert and the Women-Owned Small Business Federal Contract. As of last month, the SBA told the GAO, some of the UCP data migration work was still ongoing, as was work to implement security controls and to develop additional functionality that would let small businesses better manage existing certifications in the new system.
In response to a FedScoop request for comment on the GAO’s findings, the SBA pointed to a letter in the report from Larry Stubblefield, deputy associate administrator of the agency’s Office of Government Contracting and Business Development, and Steve Kucharski, SBA’s chief information officer.
The letter pushed back on the cybersecurity and risk management sections of the GAO report, saying the findings mischaracterized the security and risk practices undertaken by the SBA throughout the UCP project.
“Furthermore, SBA’s FOLIO system was used to capture risks identified in a risk assessment, which was established and sustained for the project, and those identified risks were addressed with the appropriate risk response,” the letter states. “The SBA ensured that the contractor followed the requirements for cybersecurity as outlined in the contract.”
The GAO delivered 14 recommendations to the agency, covering various risk management and cybersecurity issues. The SBA agreed with three, partially concurred with three others and disputed the remaining eight.
This story was updated Nov. 14, 2024, with comments from Sen. Ernst.