IG: SBA’s Cybersecurity ‘Not Effective,’ In Part Due to COVID
The pandemic created new cybersecurity problems for the Small Business Administration, according to the agency’s annual FISMA report.

The weight of administering a multibillion-dollar emergency aid program and other pandemic-related stressors in 2020 weakened the cybersecurity posture of the Small Business Administration, according to the agency inspector general.

“We rated SBA’s overall program of information security as ‘not effective’ because SBA only achieved a maturity level rating of ‘managed and measurable’ in one of the eight domains,” according to the annual Federal Information Security Management Act, or FISMA, report released Tuesday.

The IG notes 2020 was a busy year for SBA, which “had an unprecedented volume of loan and grant applications because of the CARES Act and other pandemic-related legislation” that put the agency in charge of disbursing billions of dollars in funding. This added workload created new security challenges, the audit states.

“Consequently, SBA needs to update and implement security operating procedures and address newly identified vulnerabilities in its systems,” the report states. “We identified areas that need improvement in controls, including system inventory management, patching, user recertification, and appropriately maintaining authority to operate agreements.”

For instance, IT employees did not update the inventory of systems and data running in cloud environments during the pandemic.

“SBA did not consistently update and monitor its cloud system inventory,” which officials blamed on “competing priorities during the Coronavirus disease pandemic.” Without a full inventory of systems and data using cloud infrastructure, “the agency does not know how much data is stored in and subject to the inherent risks of cloud systems,” the report states.

Similarly, the agency did not have a full and proper inventory of user accounts, including which should have privileged access to sensitive data and systems.

“We identified 11 of 13 new users of two systems for whom SBA could not provide evidence that access had been properly authorized,” the report states. “We also found that during the COVID-19 pandemic, new and existing user accounts were not always authorized due to competing priorities and lack of management oversight.”
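The user-recertification finding above is, at bottom, a reconciliation problem: every new account should map to an approval record from a named approver that predates (or matches) the account's creation. The script below is an added example written for this article, not code from the IG report or from SBA; the account names, system names, approvers and dates are all constructed, chosen so the sample reproduces the report's 11-of-13 ratio. An account is flagged when it has no approval at all, when its only approval is post-dated (access was granted before anyone signed off), or when the approval carries no approver name.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """A user account as exported from a system's identity store (constructed)."""
    user: str
    system: str
    created: date
    privileged: bool = False


@dataclass(frozen=True)
class Authorization:
    """An access-approval record from the ticketing/approval system (constructed)."""
    user: str
    system: str
    approver: str
    approved_on: date


def find_unauthorized(accounts, authorizations):
    """Return accounts lacking a valid approval.

    Valid means: same user and system, a non-empty approver, and an approval
    date on or before the account's creation date. A post-dated approval
    (access granted first, paperwork later) does not count.
    """
    approvals_by_key = {}
    for auth in authorizations:
        approvals_by_key.setdefault((auth.user, auth.system), []).append(auth)

    missing = []
    for acct in accounts:
        candidates = approvals_by_key.get((acct.user, acct.system), [])
        properly_approved = any(
            a.approver.strip() and a.approved_on <= acct.created for a in candidates
        )
        if not properly_approved:
            missing.append(acct)
    return missing


def summarize(accounts, authorizations):
    """Counts an auditor would report: reviewed, unauthorized, and privileged unauthorized."""
    missing = find_unauthorized(accounts, authorizations)
    return {
        "reviewed": len(accounts),
        "unauthorized": len(missing),
        "privileged_unauthorized": sum(1 for m in missing if m.privileged),
        "unauthorized_users": sorted(m.user for m in missing),
    }


# Constructed sample: 13 new accounts across two hypothetical systems, created
# on consecutive days in April 2020; two of them hold privileged roles.
SAMPLE_ACCOUNTS = [
    Account(
        user=f"user{i:02d}",
        system="loan-portal" if i < 8 else "grant-tracker",
        created=date(2020, 4, 1 + i),
        privileged=(i in (3, 9)),
    )
    for i in range(13)
]

# Constructed approvals: only user00 and user01 are properly approved.
# user03's approval is post-dated; user09's approval has no approver named.
SAMPLE_AUTHORIZATIONS = [
    Authorization("user00", "loan-portal", "manager-a", date(2020, 3, 30)),
    Authorization("user01", "loan-portal", "manager-a", date(2020, 4, 2)),
    Authorization("user03", "loan-portal", "manager-b", date(2020, 4, 20)),
    Authorization("user09", "grant-tracker", "", date(2020, 4, 5)),
]


if __name__ == "__main__":
    result = summarize(SAMPLE_ACCOUNTS, SAMPLE_AUTHORIZATIONS)
    print(f"{result['unauthorized']} of {result['reviewed']} new accounts lack valid authorization")
    print(f"{result['privileged_unauthorized']} of those are privileged")
    for user in result["unauthorized_users"]:
        print("  missing approval:", user)
```

Run periodically against real exports, the same comparison doubles as a continuous-monitoring control rather than a once-a-year audit exercise: the privileged subset is the list to act on first, and any approval that post-dates account creation points to a process gap (access granted ahead of sign-off) rather than a paperwork gap.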

The report also found SBA did not properly “reinforce its patch management and configuration policies,” including ensuring patches are tested and approved before being pushed out.

The audit looked at eight areas that contribute to overall security: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning. Those domains were measured on a five-point scale: ad hoc, defined, consistently implemented, managed and measurable, and optimized.

Four of the security domains were rated “defined,” three rated “consistently implemented,” and one—incident response—reached the level of “managed and measurable.”

Anything below the “managed and measurable” level “represents ineffective security,” the report states.

The IG offered 10 recommendations focused on five of the eight security domains. SBA officials agreed with all of the recommendations and provided plans to resolve each.

Auditors found additional security concerns; however, the IG declined to include those that had been discovered and reported in previous years. As such, this year’s report does not include findings on data protection and privacy, contingency planning or incident response.

For the remaining five areas, the IG included results and recommendations for vulnerabilities discovered during or created by the pandemic.