
Hard News Hard Hitting News Source Global Political News


IG: SBA’s Cybersecurity ‘Not Effective,’ In Part Due to COVID

The pandemic created new cybersecurity problems for the Small Business Administration, according to the agency’s annual FISMA report.

The weight of administering a multibillion-dollar emergency aid program and other pandemic-related stressors in 2020 weakened the cybersecurity posture of the Small Business Administration, according to the agency's inspector general.

“We rated SBA’s overall program of information security as ‘not effective’ because SBA only achieved a maturity level rating of ‘managed and measurable’ in one of the eight domains,” according to the annual Federal Information Security Management Act, or FISMA, report released Tuesday.

The IG notes 2020 was a busy year for SBA, which “had an unprecedented volume of loan and grant applications because of the CARES Act and other pandemic-related legislation” that put the agency in charge of disbursing billions of dollars in funding. This added workload created new security challenges, the audit states.

“Consequently, SBA needs to update and implement security operating procedures and address newly identified vulnerabilities in its systems,” the report states. “We identified areas that need improvement in controls, including system inventory management, patching, user recertification, and appropriately maintaining authority to operate agreements.”

For instance, IT employees did not update the inventory of systems and data running in cloud environments during the pandemic.

“SBA did not consistently update and monitor its cloud system inventory,” which officials blamed on “competing priorities during the Coronavirus disease pandemic.” Without a full inventory of systems and data using cloud infrastructure, “the agency does not know how much data is stored in and subject to the inherent risks of cloud systems,” the report states.

Similarly, the agency did not have a full and proper inventory of user accounts, including which should have privileged access to sensitive data and systems.

“We identified 11 of 13 new users of two systems for whom SBA could not provide evidence that access had been properly authorized,” the report states. “We also found that during the COVID-19 pandemic, new and existing user accounts were not always authorized due to competing priorities and lack of management oversight.”

The report also found SBA did not properly “reinforce its patch management and configuration policies,” including ensuring patches are tested and approved before being pushed out.

The audit looked at eight areas that contribute to overall security: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning. Those domains were measured on a five-point scale: ad hoc, defined, consistently implemented, managed and measurable, and optimized.

Four of the security domains were rated “defined,” three rated “consistently implemented,” and one—incident response—reached the level of “managed and measurable.”

Anything below the “managed and measurable” level “represents ineffective security,” the report states.

The IG offered 10 recommendations focused on five of the eight security domains. SBA officials agreed with all of the recommendations and provided plans to resolve each.

Auditors found additional security concerns; however, the IG declined to include those that had been discovered and reported on in previous years. As such, this year’s report does not include findings on data protection and privacy, contingency planning, or incident response.

For the remaining five areas, the IG included results and recommendations for vulnerabilities discovered during or created by the pandemic.

Source: https://www.nextgov.com/cybersecurity/2021/07/ig-sbas-cybersecurity-not-effective-part-due-covid/183122/
