The Small Business Administration’s information security program is “not effective” according to its inspector general.
In a security audit released this week, auditors concluded that almost every major domain of the agency’s cybersecurity operations falls below the standards needed to effectively protect data and defend against malicious hacking threats. The report looked at nine such aspects of the agency’s cybersecurity operations: risk management, supply chain risk management, configuration management, identity and access management, security training, data protection and privacy, continuous monitoring, incident response, and contingency planning.
Additionally, an influx of new data and software needed to track spending from relief programs passed by Congress in the wake of the coronavirus pandemic has introduced new vulnerabilities in the agency’s threat model that it has yet to account for.
“In FY 2021, SBA continued to face significant security challenges in carrying out the requirements of the pandemic relief programs. SBA needs to update and implement security operating procedures and address newly identified vulnerabilities in its systems,” auditors wrote. “We identified that control improvements are needed in system software inventory management, patching, user recertification, and in deployment of a comprehensive supply chain risk management policy.”
Each of SBA’s nine IT security domains was judged along four levels of maturity: managed and measurable, consistently implemented, defined, or ad hoc. Only “managed and measurable” is considered effective, but it doesn’t require a perfect or near-perfect score. To achieve it, the domain must score highly on just four out of seven metric questions, a bare majority.
Only one aspect of SBA’s cybersecurity operations, incident response, met that standard. That led the agency’s watchdog arm to classify the entire security program as “not effective.”
The audit measured how SBA’s security program stacked up against requirements listed in the Federal Information Security Modernization Act, a 20-year-old law that has become the primary means of regulating information security operations across the civilian federal government. As technology has advanced and hacking threats have grown more sophisticated, lawmakers have periodically updated the law, and the House and Senate are currently negotiating another update that would incorporate newer entities, like the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director, into the FISMA hierarchy.
Many of the shortfalls listed in the report stem from failures to strictly follow the letter of the law. For instance, it requires agencies to develop comprehensive inventories of the devices and systems connected to the agency network. SBA did not keep its inventory up to date, despite a similar finding last year and assurances that new policies were in place.
Its supply chain management policies — a major concern for the federal government following the SolarWinds compromise and other third-party intrusions — were deemed “ad hoc.” There was no formal policy from the chief information officer (CIO) on how contract or acquisition officials should handle potential threats, and agency officials said they were consulting general guidance from the National Institute of Standards and Technology (NIST) to determine procedures.
Overall patch management, another long-standing problem highlighted in previous audits, remains a weakness.
At least one unnamed system was not regularly scanned, in violation of SBA policy. There was also no formal agency policy or timeline in place for patching and remediating certain vulnerabilities and misconfigurations (agencies are required, through a binding directive from CISA, to quickly patch high-impact or known exploited vulnerabilities).
“If SBA does not promptly make security updates when they become available, there is an increased risk the confidentiality, integrity, and availability of the data residing on information systems could be compromised,” auditors warned. “There is also an increased risk that existing or new vulnerabilities could expose information systems and applications to attacks, unauthorized modification, or compromised data.”
In a written formal response, SBA Acting Chief Information Officer Luis Campudoni concurred with the 10 recommendations issued by auditors. As of the report’s release, all 10 are listed as resolved, though many describe actions in the future tense. Campudoni said the agency’s information security program “continues to mature” and the changes will help SBA comply with a range of federal cybersecurity mandates.
“These capabilities ensure the SBA is well-positioned to align to executive branch goals such as the FY2022 Chief Information Officer Metrics and the Executive Order 14028 initiatives, as well as enabling the SBA to rapidly respond to recent well-publicized global cyber events with minimal impact and no indications of compromise,” Campudoni wrote.