An audit of the Small Business Administration’s Federal Information Security Modernization Act compliance concluded the agency is falling short in safeguarding its IT systems.
In assessing the agency’s information security program and progress in CyberScope areas, the inspector general found SBA was at the “consistently implemented” level for data protection and privacy, at a “defined” level for six other domains and at the “ad hoc” level for contingency planning. SBA has also not completed contingency plans for two major systems. These deficiencies made the overall program ineffective, the IG said.
CyberScope is the automated FISMA reporting tool that addresses risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response and contingency planning.
To strengthen its information security posture and fully adhere to FISMA, SBA needs to update and adopt security operating procedures, implement previous IG recommendations and address the new vulnerabilities, the IG said.