Audit finds SBA’s information security program ‘not effective’ despite cyber improvements

The agency has boosted oversight of incident response, risk management and contingency planning, but continues to fall short of FISMA expectations.

The Small Business Administration’s information security program remains “not effective,” despite improvement in cybersecurity oversight of incident response, risk management and contingency planning.

An SBA Office of Inspector General audit found persistent weaknesses when the independent accounting firm KPMG tested 10 of the agency’s systems against Federal Information Security Modernization Act (FISMA) requirements.

Of the eight areas evaluated, SBA achieved a “managed and measurable” level, the maturity rating that denotes an effective program, only in incident response. The agency reached a “consistently implemented” level in three other areas: risk management, data protection and privacy, and contingency planning.

Configuration management, identity and access management, security training, and information security continuous monitoring were found at a “defined” level.


“To continue to improve its FISMA effectiveness, SBA needs to proactively update and implement security operating procedures and address the new vulnerabilities identified in this report,” reads the OIG audit released Monday.

SBA agreed to meet 11 OIG recommendations across three areas.

Risk management:

  • Document and maintain a hardware inventory and the ownership of each system.
  • Update the plan of action and milestones.

Configuration management:

  • Establish an audit trail for tracking change management.
  • Identify system vulnerabilities, and patch them in a timely manner.
  • Ensure scans accurately identify production and non-production environments.
  • Require system owners to perform administrative-level authenticated scans.
  • Create a process for justifications and approvals of deviations from baseline configurations.

Identity and access management:

  • Develop an identity, credential and access management (ICAM) strategy for access control.
  • Make user access authorizations readily retrievable.
  • Strengthen the approval process for personal identity verification removal on workstations.
  • Align lockout settings with SBA policy.

“We are encouraged that the inspector general ‘observed improvement in cybersecurity oversight’ in our continued delivery of resilient and cost-effective enterprise security services throughout the organization,” wrote Maria Roat, chief information officer of SBA, in a March 12 response to the OIG’s recommendations. “The Office of the Chief Information Officer will diligently pursue robust and adaptive cybersecurity visibility, defense, detection, and response capabilities across the enterprise.”
