Republicans on the House Small Business Committee on Wednesday said they fear that the Small Business Administration (SBA) is not adequately safeguarding sensitive data.
During a hearing on mismanagement of the agency, Chairman Steve Chabot (R-Ohio) referenced a September Government Accountability Office (GAO) report that found the SBA has not implemented more than 30 inspector general recommendations related to IT security.
“There are issues identified by the IG that require attention. It’s a very serious issue,” said William Shear, Director of Financial Markets and Community Investment at the GAO.
Chabot’s concerns were echoed by Blaine Luetkemeyer (R-Mo.).
“One of [the SBA’s challenges] is extremely important, is the security of the data the agency holds,” Luetkemeyer said.
The report found that despite its failure to fully implement many of the IG’s recommendations, the SbA has increased its emphasis on cybersecurity, establishing policies to consolidate the number of its data centers and manage software licenses for IT investments.
“However, contrary to [Office of Management and Budget] guidance SBA has not conducted regular reviews of its operational IT investments to ensure that they continue to meet agency needs,” the report reads.
“Until SBA fully implements all of the required IT management initiatives, the agency cannot provide reasonable assurance that its IT investments are cost-effective, meet agency goals, or are effectively managed,” it continues.
The GAO report also dinged the agency on its poor organizational structure and risk management, among other things.
Several lawmakers questioned whether the agency is taking the GAO's recommendations to heart.
"It doesn't feel like there's any urgency of this, and yet we know that 2 to 3 percent of business loans in this country flows through them, and that number is growing," said Rep. Richard Hanna (R-NY). "What do we do about this? It sounds like we're going to have the same meeting next year."
Shear said it felt that there was a "slight" positive change in the SBA's response to oversight.
The committee will hear testimony from SBA Administrator Maria Contreras-Sweet on Thursday.