This report summarizes the results of our fiscal year (FY) 2022 Federal Information Security Modernization Act (FISMA) evaluation and assesses the maturity of controls used to address risks in each of the nine information security areas, called domains.
We assessed the effectiveness of SBA’s information security program against the required maturity model spectrum, which is a rating scale for information security. We rated SBA’s overall information security program as “not effective.” We found that SBA generally responded to previously identified vulnerabilities. The agency made progress in supply chain risk management and continues to be rated at the effective maturity level for incident response. However, the results of our tests show that SBA continues to experience security control challenges in the areas of configuration management, risk management, user access, security training, information security continuous monitoring, and contingency planning.
Based on tests of seven information systems, we determined the results of each domain as follows:
- Risk management: Defined
- Supply chain risk management: Defined
- Configuration management: Defined
- Identity and access management: Defined
- Data protection and privacy: Consistently implemented
- Security training: Ad hoc
- Information security continuous monitoring: Consistently implemented
- Incident response: Managed and measurable
- Contingency planning: Consistently implemented
Ratings of defined, ad hoc, and consistently implemented are below the baseline for an effective security program.
In addition to two open FISMA recommendations from prior years, we made six recommendations for improvements in six of the nine domains: risk management, supply chain risk management, identity and access management, information security continuous monitoring, security training, and contingency planning.
SBA management agreed with all six recommendations and outlined corrective action plans to address identified vulnerabilities.