Fiscal Year 2021 Federal Information Security Modernization Act Review

The Federal Information Security Management Act requires the information security program of every agency to be evaluated each year. In FY 2021, SBA faced new information security challenges under the weight of lending huge amounts during the pandemic. 

In 2021, the agency had to deal with months of continued issues caused by the unprecedented volume of loan and grant applications spurred by the Coronavirus Aid, Relief, and Economic Security  Act and other pandemic relief laws. 

We tested a subset of systems in nine areas, called “domains,” and evaluated them using guidance for FISMA metrics. Inspectors General are required to assess the effectiveness of information security programs on a maturity model spectrum.

We rated SBA’s overall program of information security as ”not effective” because SBA only achieved a maturity level rating of “managed and measurable” in one of the nine domains.

Based on tests of the eight information systems, we determined the results of each domain as follows:

1.    Risk Management — Defined

2.    Supply Chain Risk Management  — Ad Hoc

3.    Configuration Management—Defined

4.    Identity and Access Management — Consistently Implemented

5.    Data Protection and Privacy — Consistently Implemented

6.    Security Training — Defined

7.    Information Security Continuous Monitoring — Defined

8.    Incident Response — Managed and Measurable

9.    Contingency Planning — Consistently Implemented

We made 10 recommendations in five of the domains: three recommendations in risk management, three recommendations for configuration management, two for identity and access management, one recommendation for security training, and one for information security continuous monitoring. SBA management agreed with the recommendations in this report.