
Audit Report 14-12: Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review

Date Issued: 
Wednesday, April 30, 2014
Report Number: 
14-12

On April 30, 2014, the OIG issued Audit Report 14-12, Weaknesses Identified During the FY 2013 Federal Information Security Management Act (FISMA) Review. Under FISMA, agencies must report their compliance with information security requirements, and the OIG reports on the effectiveness of the agency’s information security program in accordance with OMB criteria. For Fiscal Year (FY) 2013, the OIG was required to report on the agency’s compliance in the following 11 areas:

  1. configuration management
  2. identity and access management
  3. risk management
  4. continuous monitoring controls
  5. plan of actions and milestones
  6. remote access management
  7. security training
  8. computer security incidents
  9. contingency planning
  10. contractor systems
  11. security capital planning

In FY 2013, the OIG found that the SBA continued to show limited progress in meeting FISMA requirements. In the annual FISMA report, the OIG found the SBA needs to further establish its configuration management, identity and access management, risk management, and continuous monitoring controls. In addition to weaknesses identified in FY 2013, the SBA needs to continue to remediate outstanding and overdue recommendations specifically relating to FISMA compliance. The OIG made seven new recommendations relating to FISMA compliance.