“Annual inspector general reports on compliance with the Federal Information Security Modernization Act, or FISMA, point to a long road ahead for improving data security at the Small Business Administration and Veterans Affairs Department.”
“Both agencies were dinged for poor identity management, though VA auditors had much more to say about their agency’s security practices.”
SBA Has Some Explaining to Do
“‘We evaluated the overall programs as “not effective,”’ wrote the SBA IG’s office, referring to domains that included identity and access management, security training, and information security continuous monitoring.”
“With more workers logging in remotely due to the coronavirus pandemic, identity credentialing and access management and a record of approved equipment are particularly important for security. But the SBA has not finalized its ICAM strategy, and there is no one in charge of creating an inventory of the agency’s hardware…”
“Regarding SBA’s lack of an official strategy on ICAM, the IG wrote: ‘without a formal ICAM strategy, SBA is unable to implement federal ICAM requirements; therefore there is increased risk that management may not sufficiently identify and mitigate security risks…’”
At the VA, Over a Decade of Noncompliance
“While the SBA IG notes ‘many vulnerabilities were previously identified in a 2018 report,’ independent auditors, CliftonLarsonAllen LLP, wrote of the VA: ‘We have identified and reported deficiencies with audit logging for more than 10 years in the annual FISMA reports.’”
“Larry Reinkemeyer, VA’s assistant inspector general for audits and evaluations, said, ‘The OIG remains concerned that continuing delays in implementing effective corrective actions to address these open recommendations could contribute to reporting a material weakness in connection with VA’s information technology security controls.’”
“The VA audit raised a host of issues, including failure to ensure assessment teams were adequately independent from the systems under review, and not fully evaluating the effectiveness of security controls…”
Source: Infosec Reviews Not Good for Small Business Administration, Veterans Affairs Department – By Mariam Baksh, April 1, 2020. Nextgov.