Audit · Small Business Administration OIG · 2022-09-27 · about Small Business Administration
| # | Status | Text |
|---|---|---|
| 1 | Open | Ensure the existing SBA System Development Methodology is updated to include supply chain risk-management practices as required by OMB Circular A-130 and high-value asset system designation guidance. Also, ensure high-value asset system risks are… |
| 2 | Open | Communicate and enforce the SBA System Development Methodology in which a traceability matrix is used to ensure that system requirements can be tested and demonstrated in the operational system. Ensure all requirements are aligned with the contractual… |
| 3 | Open | Implement, in updated agency guidance, the requirements of OMB Circular No. A-123 that stipulate a SOC 1 Type 2 report is needed for all new and existing financial systems. This guidance should also require confirmation at least annually that the… |
| 4 | Closed | Enforce the requirement to establish and implement internal controls to ensure appropriate program officials perform and document contract reviews to ensure that information security is appropriately addressed in the contracting language, as required… |
| 5 | Open | In conjunction with the Enterprise Risk Management Board, implement enterprise-wide privacy risk mitigation practices that can be assimilated into new and existing system program designs. |
| 6 | Open | Complete an initial assessment and authorization for each information system and all agency-designated common controls before operation. |
| 7 | Open | Transition information systems and common controls to an ongoing authorization process (when eligible for such a process) with the formal approval of the respective authorizing officials, or reauthorize information systems and common controls as needed… |
| 8 | Open | Review and update POA&Ms at least quarterly as required by SOP 90 47 6. |
| 9 | Closed | Ensure data-sharing agreements are reviewed annually as required by SBA SOP 90 47 6. |
| 10 | Open | Implement an automated process to document and monitor system changes as recommended by NIST SP 800-53 Rev. 5. |