SBA improving its IT risk, but challenges remain, IG says

A new report outlining SBA's performance and management challenges found that the agency has made strides in its technology oversight, but issues remain.
Photo caption: Maria Roat speaks at the 2017 Public Sector Innovation Summit presented by VMware and produced by FedScoop and StateScoop. (Scoop News Group)

A new inspector general’s report outlining the performance and management challenges at the Small Business Administration found that while the agency has made strides in its technology oversight, issues remain.

The report, which profiles the agencywide challenges for fiscal 2018, credited the SBA for moves it’s made to strengthen its CIO’s role and efforts to improve Federal Information Technology Acquisition Reform Act compliance.

The IG determined that SBA has made substantial progress on its five recommendations centered on establishing more CIO oversight of IT projects, management and continuous monitoring implementation, but it has made limited headway on its risk management and incident response vulnerabilities.

The watchdog found that CIO Maria Roat made a number of moves in fiscal 2017 to reshape SBA’s organization structure to align with FITARA, including restarting investment and architecture review boards and crafting agency standard operating procedures on the CIO’s role in IT acquisition.
But it also noted that the agency still needed to implement baselines spelled out in FITARA centering on human resource planning, investment oversight and enterprise architecture, and post consistent and transparent project updates to capitalize on cost savings and optimized operations.

Another issue the agency continues to navigate is its cybersecurity posture. The IG noted that SBA has made “significant improvement” in its information security, continuous monitoring and management of its agency and contractor systems, but 23 recommendations addressing system vulnerabilities or infrastructure improvements remain open.

Among those are practices recommended for monitoring SBA contractor systems, including:

  • Information security and continuous monitoring that require validation of compliance with security requirements through auditing, periodic reviews and implementing continuous monitoring strategies.
  • Risk management, contingency planning and incident response that monitor the selection, implementation and assessment of security controls, and the authorization to operate both internal and hosted systems.
  • Configuration management and identity and access management controls that document and manage baselines and establish comprehensive personally identifiable information data.

“OCIO has made significant progress by initiating continuous diagnostic and mitigation capabilities in the cloud and will complete Phase 1 deployment in FY 2017,” the report said.
“However, to show significant improvement in these areas, OCIO should resolve existing vulnerabilities and continue to implement risk management and system improvement initiatives such as continuous diagnostic and mitigation deployment, the Advanced Threat Protection pilot, data loss prevention for email traffic, data rights management for email and attachments, and its cloud migration strategy.”

Roat, who became SBA CIO in October 2016, said last month that the agency was progressing on several IT modernization efforts, including data center consolidation and moving its CDM to the cloud, but would continue to experiment to find ways to capitalize on new technologies.

“SBA is not that big, and I think that is helping us drive and move very fast,” she said. “Whether it’s on the desktop moving to Windows 10 and Office 2016, turning things on and trying them out. By virtue of being small, it has its challenges and it has its benefits, as long as you kick the tires on a lot of things.”
