Report 16-17: Fiscal Year 2016 Report of the U.S. Small Business Administration (SBA) Pursuant to The Cybersecurity Act of 2015, Section 406, Federal Computer Security

On August 11, 2016, the Office of Inspector General issued KPMG’s report, Fiscal Year 2016 Report of the U.S. Small Business Administration (SBA) Pursuant to The Cybersecurity Act of 2015, Section 406, Federal Computer Security. OIG contracted with the independent certified public accounting firm KPMG to evaluate whether SBA designed and implemented its internal controls over cybersecurity logical access and information security management in accordance with Section 406 of the Cybersecurity Information Sharing Act of 2015 (the Cybersecurity Act).  We selected a subset of personally-identifiable information development and production systems for KPMG’s review and evaluation. The attached independent auditor’s report found that the Agency did not meet Federal standards relating to Section 406 of the Cybersecurity Act.  The Office of the Chief Information officer agreed with evaluation findings and conclusions.  Related recommendations will be issued in conjunction with our annual Federal Information Security Management Act (FISMA) assessment.