SBA slow to improve IT security, watchdog says

Lawmakers are seeking an overhaul of IT security management at the Small Business Administration, in the wake of a critical Government Accountability Office report.

The Small Business Administration needs to clean up its act, according to a leading House lawmaker. At a Jan. 6 hearing, Rep. Steve Chabot (R-Ohio), chairman of the House Small Business Committee, said the agency needs a "complete overhaul of its operations." He added that "the problems that have festered far too long must end."

The problems Chabot referred to are cataloged in an extensive and highly critical Government Accountability Office report from September 2015 that cites leadership, management and IT security as areas requiring improvement at SBA.

Bill Shear, director of financial markets and community investment at GAO, testified that SBA had implemented only seven of GAO's 69 recommendations as of Dec. 15, 2015. Those recommendations include 30 related to IT security.

"IT security has been identified for well over a decade as a long-standing management challenge," Shear said. "It's disturbing to us that these challenges still remain, and they go down to some very basic functions."

According to the GAO report, SBA has ramped up efforts to secure its networks with the use of dual-factor authentication and personal identity verification cards, as part of the governmentwide push to improve security. Additionally, SBA spends about $100 million on technology per year but has lagged in reviewing IT investments.

"Until SBA fully implements all of the required IT management initiatives, the agency cannot provide reasonable assurance that its IT investments are cost-effective, meet agency goals or are effectively managed," GAO's report states.

The agency's IT problems are a big concern for Chabot as well. "The one that worries me the most is in the area of IT security," he said. "The information that they keep on individuals and on small businesses can be pretty sensitive information."

Shear said that for GAO, documentation was essential. "There might be good things going on in the agency in terms of oversight of its IT, but we don't see documented evidence that meets [the Office of Management and Budget's] very specific requirements," Shear said.

The hearing is the first in a planned series of oversight events designed to draw attention to the independent agency. SBA Administrator Maria Contreras-Sweet is scheduled to testify before the panel on Jan. 7.