Auditors find problems with SBA’s information security program

The agency has fallen short on nine of 10 security controls under OMB guidance, according to a new OIG report on FISMA compliance.
Small Business Administration headquarters. (Tajha Chappellet-Lanier)

The Small Business Administration’s information security program is largely ineffective after falling below the federal baseline for controls in nine of 10 domains, according to a new watchdog report.

Under Office of Management and Budget guidance on rating the effectiveness of security controls, the SBA “has defined policies but it has not consistently implemented them,” the agency’s Office of Inspector General wrote, relaying findings from an independent auditor’s review of SBA’s fiscal 2025 performance under the Federal Information Security Modernization Act.

The SBA surpassed OMB’s baseline for incident response, earning an “optimized” rating under federal FISMA guidelines. But the OIG said that six domains — cybersecurity supply chain risk management, risk and asset management, configuration management, identity and access management, contingency planning, and information security continuous monitoring — were considered “defined” (a rating of 2 on the 5-level maturity model scale).

Another three domains — cybersecurity governance, data protection and privacy, and security training — were slightly better, per the watchdog, with ratings of “consistently implemented” (3 out of 5).

Some of SBA’s IT shortcomings appear to be due to poor planning. The OIG noted that the agency couldn’t consistently follow some cybersecurity procedures because its governance, risk, and compliance system was canceled by program officials without a replacement. 

Other issues festered due to lack of communication. On cybersecurity supply chain risk management, for example, internal procedures “did not explicitly state what evidence should be provided or how the review should be documented,” leading to incomplete reviews of third-party systems, according to the report. 

There were also instances of inconsistently defined policies and processes, the OIG said, pointing specifically to how the SBA approached its inventory of hardware and software assets, including licenses. Those inventories were not always kept up to date, which SBA officials said was due to the agency’s ongoing transition to a new management system. 

Other IT problems raised by auditors included inconsistent enforcement of multi-factor authentication for non-privileged and privileged users, a lack of annual user access reviews, and incomplete or nonexistent contingency plans.

The report credited the SBA with making progress on the implementation of 13 open recommendations from previous evaluations, but it delivered 17 new recommendations aimed at improving the agency’s IT security program. The agency agreed with all 17 recommendations. 

Written by Matt Bracken

Matt Bracken is the editor in chief of FedScoop. Before joining Scoop News Group in 2023, Matt worked in various editing, reporting and digital roles at Morning Consult, The Baltimore Sun and the Arizona Daily Star. You can reach him on Signal at MattBracken.33 or email him at matt.bracken@scoopnewsgroup.com.