SBA Inspector General Notes Significant IT Challenges for Fiscal Year 2022
Written by Dave Nyczepir
The Small Business Administration continues to face significant challenges in IT investment, systems development and security controls as we head into fiscal 2022, according to its Office of the Inspector General.
In a new report released on Friday, the watchdog warned that these challenges could continue as it sues and returns money from Economic Injury Disaster Loan (EIDL) and Paycheck Protection Program (PPP) fraud.
In March of this year, the Small Business Administration (SBA) Office of Inspector General (OIG) found that the department had issued $692 million in duplicate pandemic relief loans, in part due to vulnerabilities within the E-Tran application system.
The agency has struggled with expensive IT projects over the past decade, but the pandemic has exacerbated the problem by forcing the rapid creation of relief loan portals and diverting resources from daily security compliance.
“The dramatic chain of events caused by the COVID-19 relief funding the agency received last year highlighted the significant need for the agency to invest in IT upgrades to improve portal interfaces for small businesses,” reads the SBA OIG report.
The report highlighted significant progress in improving IT investment controls, including increased oversight of the Certify.sba.gov platform. Despite efforts to improve access for small businesses, the platform has been plagued by problems.
The OIG found that the SBA’s system development policy has not been updated since 2009, meaning that risk management and security controls do not currently reflect the changing landscape of IT applications.
Although the SBA has improved security checks, more work is needed, according to the report. The agency has achieved Level 4 of the Federal Information Security Management Act maturity model, meaning managed and measurable, only in the incident response domain.
SBA’s information security effectiveness in seven other areas was either Level 3, meaning consistently implemented, or Level 2, meaning defined. This means that SBA’s overall information security was not found to be effective.
Despite advances in automated security control testing and the protection of personally identifiable information, SBA still struggles with user access, configuration management, and security training. Risk management and configuration controls require more work, and SBA needs to update its systems' operating permissions, according to the report.
SBA OIG also suggested that the agency follow action plans and update software and hardware inventories.
Another challenge for the SBA is inaccurate procurement data and eligibility issues in small business procurement programs that undermine the reliability of the agency’s procurement achievements.
Contracting officers have a history of improperly awarding contracts to women-owned small businesses without the proper documentation. The SBA has made substantial progress in addressing abuse under the Federal Women-Owned Small Business Certification Program with the launch of beta.Certify.sba.gov, intended to replace Certify.sba.gov.
The SBA CIO’s office wants a viable IT solution for all certification programs.
“The agency intends the new certification management portal beta.Certify.sba.gov to modernize a process that has been difficult for decades,” the report read. “However, the system has been plagued by technical challenges that could prevent the achievement of the program’s objectives.”
Since launching in 2020, beta.Certify.sba.gov has made “slow progress” in issuing rapid certifications, according to the report.
A third IT-related SBA challenge is the management and monitoring of the 8(a) Business Development Program. No IT system has been fully put in place for regular performance monitoring and reporting to ensure that participants are following their business plans, SBA OIG found.
The last of the SBA’s IT challenges is rigorous oversight of grant management due to an inaccurate award date for financial and performance reporting.
Originally, the Supply Requisition Information System (PRISM) management generated reports on technical assistance programs, but required manual data entry, resulting in data entry errors.
The SBA has since made significant progress in modernizing its grant management system through a 2019 interagency agreement with the Department of Health and Human Services for transition analysis, infrastructure configuration and training to launch GrantSolutions.gov. The agency will spend $2.5 million over five years on the system, but obstacles remain.
“Until the agency integrates the financial interface, program offices are still required to use the PRISM system, which is not fully integrated with the SBA’s financial system and requires manual entry to initiate funds and authorize payments to grant recipients,” the report reads. “Without an effective grant management system, the agency must continue with manual and tedious processes to manage compliance requirements, which may continue to hamper its ability to effectively oversee and manage SBA grant programs.”