The Small Business Administration continues to face significant challenges in IT investment, system development and security controls entering fiscal 2022, according to its Office of Inspector General.
In a new report published Friday, the watchdog warned these challenges could continue as it prosecutes and returns money from fraud against the Economic Injury Disaster Loan (EIDL) and Paycheck Protection Program (PPP).
Earlier this year in March, the Office of Inspector General (OIG) at the Small Business Administration (SBA) found that the department issued $692 million in duplicate pandemic relief loans, due in part to vulnerabilities within the E-Tran application system.
The agency has struggled with big-money IT projects over the last decade, but the pandemic exacerbated the problem by forcing the quick establishment of relief loan portals and diverting resources away from daily security compliance.
“The dramatic chain of events caused by the COVID-19 relief funding the agency received last year highlighted the significant need for the agency to invest in IT upgrades to improve the portal interfaces for small businesses,” reads the report from SBA OIG.
The report highlighted significant progress in improving IT investment controls, including increased oversight of the Certify.sba.gov platform. Despite a push to improve access for small businesses, the platform was plagued by issues.
The OIG found SBA’s system development policy hasn’t been updated since 2009, meaning risk management and security controls do not currently reflect the changing IT application landscape.
While SBA has improved security controls, more work is needed, according to the report. The agency achieved Level 4 of the Federal Information Security Management Act maturity model, which means the area is managed and measurable, only in incident response.
The effectiveness of SBA’s information security in seven other areas was either a Level 3, meaning consistently implemented, or Level 2, defined. That means overall SBA’s information security was found not effective.
Despite progress in automated security control testing and protecting personally identifiable information, SBA still struggles with user access, configuration management and security training. Risk and configuration management controls need more work, and SBA needs to update authorizations to operate for systems, according to the report.
SBA OIG also suggested the agency track action plans and update software and hardware inventories.
Another challenge area for SBA is inaccurate procurement data and eligibility concerns in small business contracting programs that undermine the reliability of the agency’s contracting achievements.
Contracting officers have a history of improperly awarding women-owned small business contracts without the proper documentation. SBA has made substantial progress curbing abuse in the Women-Owned Small Business Federal Certification Program with the launch of beta.Certify.sba.gov, intended to replace Certify.sba.gov.
The SBA Office of the Chief Information Officer wants a viable IT solution for all certification programs.
“The agency intends for the new beta.Certify.sba.gov certification management portal to modernize a process that has been difficult for decades,” reads the report. “However, the system has been plagued by technical challenges which could result in failing to reach program objectives.”
Since being launched in 2020, beta.Certify.sba.gov has made “slow progress” issuing prompt certifications, according to the report.
A third SBA challenge tied to IT is management and monitoring of the 8(a) Business Development Program. No IT system has been fully established for regular performance monitoring and reporting to ensure participants are following their business plans, SBA OIG found.
The last of SBA’s IT-related challenges is robust grants management oversight due to inaccurate grant data for financial and performance reporting.
Originally the Procurement Request Information System Management (PRISM) was used to report on technical assistance programs, but it required manual data entry, which led to input errors.
SBA has since made significant progress modernizing its grants management system thanks to a 2019 interagency agreement with the Department of Health and Human Services for transition analysis, infrastructure setup and training to launch GrantSolutions.gov. The agency will spend $2.5 million over five years on the system, but hurdles remain.
“Until the agency integrates the financial interface, program offices are still required to use the PRISM system, which is not completely integrated with SBA’s financial system and requires manual entry to obligate funds and authorize payments to grant recipients,” reads the report. “Without an effective grants management system, the agency must continue manual and burdensome processes to manage compliance requirements, which may continue to hinder its ability to effectively oversee and manage SBA grant programs.”