Weaknesses Identified During the FY 2017 Federal Information Security Modernization Act Review

The Federal Information Security Modernization Act (FISMA) requires that OIG review SBA’s information security program.  To determine SBA’s compliance with FISMA, OIG contracted with an independent public accountant, KPMG, to perform review procedures relating to FISMA.  OIG monitored KPMG’s work and reported SBA’s compliance with FISMA in the Agency FISMA filings in October 2017.  We also assessed the Agency’s progress in implementing open recommendations and compared our current year assessment with our fiscal year 2016 FISMA evaluation.  In addition to the 17 open FISMA recommendations noted in Appendix II, OIG made 11 new recommendations to address FISMA-related vulnerabilities.  SBA fully agreed with all 11 recommendations.