SBA addressing information security issues amid coronavirus response efforts

The agency's security operations team has taken down eight fake websites and two fake Twitter accounts in recent weeks with the help of the Department of Homeland Security.
Maria Roat speaks March 28, 2019, at the IT Modernization Summit presented by FedScoop. (FedScoop)

The Small Business Administration is working to improve its information security program, even as it launches telework and loan capabilities to aid small businesses during the coronavirus crisis.

An SBA Office of Inspector General report released last month found persistent weaknesses in the agency’s risk management, configuration management, and identity and access management.

Now the agency is working to address such issues while supporting a portal for the new Paycheck Protection Program (PPP) and scaling the Economic Injury Disaster Loan (EIDL) program — both of which received a large amount of COVID-19 stimulus funding.

The agency’s security operations team is conducting penetration testing of the new capabilities and applying SBA Connect authentication to them, CIO Maria Roat said during an AFFIRM webinar Thursday.

But there are external threats as well.

“My security team, they live for this stuff because — when you look at small businesses, security, what’s going on in the entire financial space — we’ve taken down, working with [the Department of Homeland Security], eight fraudulent websites and two Twitter accounts that were imitating our administrator,” Roat said.

The eight websites were taken down in the last few weeks and the Twitter accounts a week and a half ago, amid the coronavirus pandemic.

CIO’s office supports SBA pandemic response

SBA had to build things “very quickly” to disburse funding to small businesses under the Coronavirus Aid, Relief, and Economic Security (CARES) Act and subsequent stimulus packages, Roat said. Although it has been 50 days since the agency stood up its COVID-19 task force, it had to wait for the particulars of the legislation before it could put PPP and EIDL business rules in place.

The PPP offers loans to help businesses keep their workforces employed during the pandemic, while EIDL issues an advance of up to $10,000 to businesses experiencing temporary difficulties.

SBA stood up a lender gateway for the Paycheck Protection portal in eight days to serve small lenders and community and midsize banks the agency has not worked with before. The portal itself serves the roughly 18,000 lenders SBA works with regularly.

Meanwhile, SBA launched a software-as-a-service platform for EIDL applicants in a week.

Both loan portals were geofenced to the U.S. and its territories, restricting access to traffic that geolocates to those regions, for added cybersecurity, Roat said.
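A geofence of this kind is an IP allowlist by country, and its value depends on two details the article does not go into: the geolocation data is approximate (and a VPN or proxy defeats it, so it is friction against bulk fraud, not authentication), and behind a load balancer the control is only as good as the address you choose to geolocate. The following Python is an added example, not SBA's code or any description of its portal; the CIDR-to-country table is constructed from documentation prefixes as a stand-in for a real GeoIP database, and the trusted-proxy range is hypothetical.

```python
"""IP geofence check for a web portal (added example, not SBA's code).

Assumptions, labelled: GEO_TABLE is a constructed stand-in for a real
GeoIP database and uses RFC 5737 / RFC 3849 documentation prefixes;
TRUSTED_PROXIES is a hypothetical address range for the app's own
reverse proxy, which appends the connecting address to X-Forwarded-For.
"""
import ipaddress
from typing import Optional

# Constructed lookup table: (prefix, ISO 3166-1 alpha-2 country code).
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "PR"),  # Puerto Rico
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("2001:db8::/32"), "GU"),    # Guam
]

# United States plus its territories (PR, GU, VI, AS, MP).
ALLOWED_COUNTRIES = frozenset({"US", "PR", "GU", "VI", "AS", "MP"})

# Hypothetical: only our own reverse proxy connects from this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def country_for(ip: str) -> Optional[str]:
    """Return the country code for an IP, or None if unknown or invalid."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, cc in GEO_TABLE:
        if addr in net:  # an IPv4/IPv6 version mismatch simply yields False
            return cc
    return None


def client_ip(remote_addr: str, xff_header: Optional[str] = None) -> Optional[str]:
    """Decide which address to geolocate.

    X-Forwarded-For is attacker-controlled unless the TCP peer is our own
    proxy, and even then only the entry that proxy appended (the rightmost
    one) can be trusted: a client can prepend any number of fake hops.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if xff_header and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in xff_header.split(",") if h.strip()]
        return hops[-1] if hops else None
    return str(peer)


def is_allowed(remote_addr: str, xff_header: Optional[str] = None) -> bool:
    """Fail closed: unknown, invalid or out-of-region addresses are denied."""
    ip = client_ip(remote_addr, xff_header)
    if ip is None:
        return False
    return country_for(ip) in ALLOWED_COUNTRIES


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", None),                     # direct US client
        ("203.0.113.5", None),                    # direct non-US client
        ("10.1.2.3", "203.0.113.9, 192.0.2.44"),  # via proxy; real client is US
        ("10.1.2.3", "192.0.2.44, 203.0.113.9"),  # via proxy; spoofed US hop, real client DE
        ("203.0.113.9", "192.0.2.44"),            # XFF from an untrusted peer is ignored
    ]
    for peer, xff in cases:
        verdict = "allow" if is_allowed(peer, xff) else "deny"
        print(f"{peer:<14} XFF={xff!s:<28} -> {verdict}")
```

The two failure modes worth checking in any real deployment are the mirror images of each other: geolocating the proxy's own address instead of the client's lets everyone through (or, as here, denies everyone, because the proxy range is not in the table), while honoring the leftmost X-Forwarded-For entry lets any client pick its own country with one header.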

The projects haven’t gone without issue. An agency spokesperson revealed earlier this month that personally identifiable information from a “limited” number of EIDL applicants was “potentially” exposed to other users of the portal.

SBA disabled the affected portion of the website and relaunched the portal. But the cause of the problem, the data exposed and how long it was accessible remained unclear.

In addition to tripling staff, SBA needed to automate the assignment of about 10,000 daily incoming emails from small business owners to call center workers; that automation is now in its fourth iteration.

About 93,000 people visited the site when President Trump recently tweeted about it, and it scaled 825% immediately, Roat said.

With every new capability SBA releases, Roat’s team issues references where employees can find training, as well as shortcuts and tips for telework tools like Skype or Microsoft Teams.

For the last three years, SBA has been implementing collaboration tools and digital signatures — though the agency still has “a lot” of paper — meaning the shift to telework was only a matter of scaling, Roat said.

The agency approved only four printer requests because of the associated cyber risks, and it has seen a “huge uptick” in the use of collaboration tools, she said.

“We flipped over seamlessly to telework,” Roat said.
