SBA Watchdog Warns of IT Security Risks, Poor Data in Contracting Goals

The Small Business Administration has made solid headway in addressing most of its 10 major management and performance challenges, but took a step backward on information technology security, its inspector general reported.

SBA also falls short in verifying data and toughening enforcement to curb the number of large companies that improperly win contracts intended for small businesses, according to a report and score card released Oct. 15.

Noting that recent governmentwide security breaches have “heightened the importance of continuously monitoring networks and software applications,” the IG and an external auditor identified IT security “weaknesses when on-boarding and separating SBA personnel,” the report said. The agency lost ground over the past year in implementing such recommendations as reporting IT security weaknesses, segregating duty controls and assuring that “access controls are in place and operating effectively, and contractors are not granted system access until they have obtained the required background investigations and/or security clearances.”

On the SBA-led governmentwide effort to award 23 percent of all prime contracts to qualified small businesses, the score card provides ammunition to outside critics who argue that too many large firms are siphoning off contract set-asides. Citing past IG reports and others from the Government Accountability Office criticizing SBA’s data on set-asides, the new report noted that “while some contractors may misrepresent or erroneously calculate their size, the incorrect reporting also results from errors made by government contracting personnel, including the misapplication of small business contracting rules.”

SBA reported in June that all agencies had met or exceeded the contracting goal.

Last year, the IG identified more than $400 million in fiscal 2013 contract actions that “may have been awarded to ineligible firms,” the new report said, along with $1.5 billion that went to firms that were no longer in the 8(a) Business Development or Historically Underutilized Business Zone (HUBZone) Programs. Awards to ineligible companies damage SBA’s credibility, the report said.

In its recommendations, the IG criticized SBA for giving priority to granting its women-owned small businesses program sole-source contracting authority without simultaneously implementing a small-business certification program to be run by a federal, state or approved nonprofit entity.

Other SBA performance and management challenges on the list involved human capital, lender oversight, the 8(a) Business Development Program, loan agent fraud, the loan management and accounting system,  improper payments in the 7(a) business loan program (the agency’s largest loan program), the disaster loan program and acquisition management.

Overall, the SBA progress scores went up on nine problem areas and down in only one. The agency demonstrated some progress in implementing 20 recommendations, and limited or no progress in only 11.

(Image via wk1003mike / Shutterstock.com)