11-06 - Weaknesses Identified During the FY 2010 Federal Information Security Management Act Review
The Federal Information Security Management Act (FISMA) of 2002 provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. The Act requires (1) agencies to implement a set of minimum controls to protect Federal information and information systems; and (2) the agencies' Office of Inspector General (OIG) to annually perform independent evaluations of the information security program and practices of that agency to determine its effectiveness. Finally, the Act directs the National Institute of Standards and Technology (NIST) to develop standards and guidelines for implementing its requirements in coordination with the Office of Management and Budget (OMB).

On April 21, 2010, OMB issued Memorandum 10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, providing instructions for agencies to meet their FY 2010 reporting requirements under FISMA. This memorandum requires IGs to evaluate agency compliance in ten information security program areas: (1) Certification and Accreditation (C&A); (2) Configuration Management; (3) Security Incident Management; (4) Security Training; (5) Remediation/Plan of Actions and Milestones (POA&M); (6) Remote Access; (7) Identity Management; (8) Continuous Monitoring; (9) Contractor Oversight; and (10) Contingency Plans. The objective of our FY 2010 review was to evaluate the effectiveness of SBA's computer security program and practices in these areas in accordance with applicable Federal requirements(1).
To assess SBA's compliance in the OMB information security program areas, we reviewed agency documentation, interviewed program management officials, and performed reliability tests on agency-provided reports. Additionally, we selected judgmental samples of agency systems to conduct detailed analysis of their compliance with C&A, POA&M, and contingency planning requirements.
During the course of our FISMA review, we received an anonymous complaint alleging that contractors located in the IT security division were performing work on behalf of the agency without having obtained the necessary security clearances. The complaint also stated that these contractors had access to sensitive SBA information. In response to this allegation, we requested and reviewed SBA security clearance documentation for IT security contractors and interviewed Agency officials responsible for clearing contractors and granting network access.
We performed the audit work between August 2010 and November 2010 in accordance with Government Auditing Standards prescribed by the Comptroller General of the United States.