The Small Business Administration has a tight deadline to address 30 IT security recommendations from its inspector general.
House Small Business Committee Chairman Steve Chabot (R-Ohio) wants SBA to resolve those problems by June 30 and expects a monthly report on the agency’s progress in meeting its goals.
“I commit to you to reporting to you on a regular basis and will work with godspeed to make your deadline,” SBA Administrator Maria Contreras-Sweet told the committee at a Jan. 7 hearing, the second of a two-day probe on the agency’s management challenges.
The committee mainly focused on the 69 recommendations the Government Accountability Office released in September 2015. As of December, SBA had addressed seven of them and had 62 more to resolve.
IT, cyber biggest concerns for the committee
IT in particular has been a challenge for the agency for more than 15 years, GAO said.
“My biggest concern is on the IT security issue,” Chabot said. “Because we have seen the White House, for God’s sake, as well as a whole bunch of other federal entities, hacked. …These small businesses give you a lot of sensitive information, so let’s protect that. I appreciate your commitment to do that and report to us on a regular basis. We said monthly, but we’re willing to be reasonable.”
SBA’s IT systems are secure, namely because the financial institutions it works with have ensured their own data security, Contreras-Sweet said. The agency is in the process of meeting National Institute of Standards and Technology security and privacy controls, specifically NIST 800-53 Rev. 4.
“The fact that the financial institutions who review our system and are comfortable connecting gives me solace,” she said. “But I have an auditor who comes in and has found no material weaknesses in our system. We haven’t had a breach.”
But some members of the committee were more skeptical.
“Whenever you say that we’re doing this according to all these protocols and you have a GAO study that says that you’re way behind in getting things done in regards to their assessments of not being able to do everything, when you have standard operating procedures that are being called into question, I’m not sure that the citizens can have great faith in what you’re saying,” said Rep. Blaine Luetkemeyer (R-Mo.).
The SBA has also been without a permanent chief information officer since former CIO Renee Macklin left the agency over the summer.
Contreras-Sweet said she and her team have been looking to Silicon Valley for a candidate to take on the CIO job, but she gave no indication that she had selected a person or when she might fill that position.
“We’re getting candidates, we’re going to the right places to find the right people, but it’s tough governmentwide to attract top technology talent, because [of] the salary structure and compensation in government compared to the private sector,” she said. “But I’m determined and I think we’re going to be successful to do it.”
People and culture
Many of SBA’s management challenges stem from “organizational structure [that] created complex overlapping relationships among offices,” said Bill Shear, director of financial markets and community investment at GAO.
When Shear was asked to speak candidly about his observations of SBA’s management challenges, he pointed to an overall lack of communication and siloed relationships between the agency’s leaders and its employees. His insight, he said, is based on the interviews GAO conducted with employees at the SBA’s district office.
“The concern was raised that we were giving a platform for people to complain,” Shear said. “This might just come from one or two people from SBA, but I don’t get the sense that employees at SBA feel that they can offer honest feedback to their leadership.”
Contreras-Sweet stood behind the culture at her agency.
“I have to take that seriously, there’s no question I have to take that seriously,” Contreras-Sweet said. “My reality is that they step forward at town halls, it’s an open town hall. I take people out to lunch and say what’s going on? I walk the floors and say tell me [how] your day is going, I get emails from people. If the GAO is making this comment, I’ll look into it. Then there must be a challenge.”
Contreras-Sweet has been administrator for about 20 months, one of the longer tenures by an SBA leader over the past 10 years. The agency has had eight different permanent and acting administrators since 2005. There have been eight different general counsels and seven CIOs within the same time frame.
Members of the committee wanted to know why so many people have moved in and out of SBA leadership positions. Contreras-Sweet said she didn’t have an answer but described appointees like herself as often “victims of the political process.”