More than 30 recommendations for shoring up SBA’s IT security remain unaddressed.
The chairman of a House committee that oversees the Small Business Administration urged the agency’s head to plug long festering cybersecurity vulnerabilities within six months.
In back-to-back hearings of the House Small Business Committee this week, lawmakers pried into longstanding “mismanagement” at the agency, including a slew of unaddressed recommendations from the agency’s inspector general and the Government Accountability Office.
Among them: more than 30 recommendations for shoring up SBA’s IT security.
"If I were you, I'd start with (fixing) these IT and cybersecurity deficiencies,” Rep. Steve Chabot, R-Ohio, the chairman of the committee told SBA Administrator Maria Contreras-Sweet on Thursday. “That's what worries me the most.”
Chabot cited the long list of hacked federal agencies over the past year: the Office of Personnel Management, the State Department and even the unclassified networks at the White House.
“Small businesses trust the SBA, your agency, with their information -- oftentimes very sensitive information -- that they don't want a rival business or their neighbors or the Chinese government to have access to," Chabot told Contreras-Sweet.
The massive hack of OPM background investigation records is believed to have been an espionage operation carried out by Chinese hackers.
Chabot pressed Contreras-Sweet to fix the security gaps by June 30 and to provide monthly updates to the committee along the way.
Contreras-Sweet responded, “I commit to you to reporting to you on a regular basis and will work with godspeed to make your deadline."
GAO, in a report issued in September, first drew attention to the nearly six dozen open watchdog recommendations. By December, SBA had closed just seven of those recommendations, leaving 62 still unimplemented.
GAO reported agency officials had recently shifted their priorities to improve the agency’s IT management. That included new policies for consolidating data centers and better managing software licenses. However, the agency -- violating mandates from the Office of Management and Budget -- had not conducted regular reviews of its IT investments.
“It's important to know, especially when you have systems that have been in place for a long time, whether they still are effectively meeting the needs of the agency and delivering its programs,” testified William Shear, director of financial markets and community investment at GAO. “So, you're running a little bit blind if you don't go through these steps."
In her prepared testimony, Contreras-Sweet, who’s led the agency since April 2014, said officials finally completed those reviews by the end of fiscal 2015 and are undertaking a “major upgrade” of the agency’s IT systems.
“It starts with a comprehensive network infrastructure modernization to give our systems greater capacity and reliability,” she testified. “We are in the final stages of moving our entire email system into the cloud. Additionally, we’re investing in mobile technology because we recognize that our SBA team members in the field need to get out beyond the walls of federal offices and meet entrepreneurs where they are.”
However, adding another wrinkle to SBA’s IT management plans is the lack of a permanent chief information officer. Former CIO Renee Macklin left the agency last May for a position at the Commerce Department.
Contreras-Sweet said she’s leading the search for a replacement.
"I went to Silicon Valley . . . to try to find a really thoughtful, successful person who knows how to procure and to execute,” she said.
“We're getting candidates,” she said of the CIO search. “We're going to the right places to find the right people. But it's tough governmentwide to attract top technology talent, because of the salary structure and compensation in government compared to the private sector."
In the meantime, Contreras-Sweet told lawmakers she’s hired a chief digital officer to work alongside the acting CIO.