Lawmakers press for deadline on SBA cybersecurity woes

Lawmakers press for deadline on SBA cybersecurity woes

House lawmakers on Thursday pushed the leader of the Small Business Administration to work quickly to resolve cybersecurity concerns at the agency.

“I’d like your commitment to resolving outstanding [Government Accountability Office] recommendations by June 30 and having our staff briefed on that process on a monthly basis,” House Small Business Committee Chairman Steve Chabot (R-Ohio) said during a hearing on overall mismanagement at the agency.

Administrator Maria Contreras-Sweet committed to the monthly reports but stopped short of agreeing to Chabot’s deadline.


“I will work with God’s speed to meet your deadline,” Contreras-Sweet said.

At issue during the hearing was a September GAO report that found the SBA has not implemented more than 30 inspector general recommendations related to IT security.

“Contrary to [Office of Management and Budget] guidance SBA has not conducted regular reviews of its operational IT investments to ensure that they continue to meet agency needs,” the report reads.

“Until SBA fully implements all of the required IT management initiatives, the agency cannot provide reasonable assurance that its IT investments are cost-effective, meet agency goals, or are effectively managed,” it continues.

The GAO report also dinged the agency on its poor organizational structure and risk management, among other things, but Chabot on Thursday asked Contreras-Sweet to prioritize the cybersecurity problems.

“If I were you, I’d start with these IT and cybersecurity deficiencies,” Chabot said in his opening statement. “That’s what worries me the most.”

Contreras-Sweet called the inquiry into what is being done to address the GAO’s concerns surrounding IT “a fair question.” She went on to cite a completed upgrade to the agency’s loan management and accounting system as evidence that progress was being made.

While several lawmakers complimented Contreras-Sweet on her passion and proactive approach, not all committee members were satisfied by her responses.

"I’m a little disappointed in the approach of the hearing in terms of the responses,” said Rep. Chris Gibson (R-N.Y.). “I certainly appreciate how you’ve pointed out what you did with the resources to support small businesses, but really, the focus here is on improving what are very disturbing findings from the GAO.”

The GAO report found that despite its failure to fully implement many of the IG’s recommendations, the SBA has increased its emphasis on cybersecurity, establishing policies to consolidate the number of its data centers and manage software licenses for IT investments.

The committee heard testimony on the same subject from the GAO on Wednesday, where several lawmakers questioned whether the SBA is taking the GAO’s recommendations to heart.

Those concerns were echoed on Thursday, with lawmakers questioning why the SBA insisted on having a lawyer present during the GAO’s investigation. Contreras-Sweet was unable to identify who ordered the presence of legal counsel.

Contreras-Sweet took over as administrator of the SBA in April 2014.