SBA pushes back timeline to implement GAO privacy recommendation

Sen. Ernst, ranking member of the chamber’s Small Business Committee, has been critical of the agency’s privacy standards around personally identifiable information.
Isabel Guzman delivers remarks after President-elect Joe Biden announced her as his nominee for head of the Small Business Administration at The Queen theater on Jan. 8, 2021 in Wilmington, Del. (Photo by Chip Somodevilla/Getty Images)

The Small Business Administration has extended its timeline to fully implement a critical cybersecurity recommendation, delaying what a congressional watchdog called “key practices” to protect personally identifiable information.

The Government Accountability Office in September 2022 tasked the SBA with fully defining and documenting a process to ensure that the agency’s top privacy official is “involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy.” 

SBA officials agreed with that recommendation and told the GAO in March 2023 that the agency would update its Privacy Program Plan to “delineate hiring, training, and professional development needs of the agency in relation to privacy.”

However, in priority open recommendations released this month, SBA officials told the GAO that changes in staffing and budget allocations would force the agency to push back its implementation timeline from the second quarter of 2024 to the end of the fiscal year.


“To fully implement the recommendation, SBA needs to ensure that its updated Privacy Program Plan defines how the senior agency official for privacy, or other designated privacy officials, are involved in addressing related agency workforce needs,” the GAO wrote. “Fully implementing the recommendation would help the agency more consistently and effectively identify staffing needs and ensure a well-qualified privacy workforce.”

In response to questions from FedScoop about the delay and what other actions the agency told the watchdog it has taken to “bolster its privacy workforce,” the SBA said that it is reviewing the GAO’s report and had no further comment. 

Sen. Joni Ernst, ranking member of the Senate Small Business and Entrepreneurship Committee, “has long been concerned with SBA’s privacy and IT standards especially with the amount of personally identifiable information they have on small business owners,” a spokesperson for the Iowa Republican said in an email to FedScoop. 

The spokesperson added that a letter the senator sent last month to the SBA seeking a full accounting of how the agency is making IT investments through its IT working capital fund “has gone unanswered.” Ernst said in a press release that the SBA has mostly used the $22 million fund on “pet projects” around policy changes and artificial intelligence while “the agency as a whole continues to fail federal IT standards and has significant security risks in its systems.”

The press office of Sen. Jeanne Shaheen, D-N.H., who chairs the Senate Small Business and Entrepreneurship Committee, did not respond to a request for comment by the time of publication.


The SBA has plenty of company among federal agencies in completing privacy work. According to the GAO, NASA, the Office of Personnel Management, the Social Security Administration, and the departments of Commerce, Defense, Education, Energy, Health and Human Services, Housing and Urban Development, Justice, Labor, State, Transportation and Treasury all have open priority recommendations on privacy dating back to the watchdog’s 2022 report.

Matt Bracken

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at

Latest Podcasts