SBA defends response to data exposure – FCW


Notification of a potential personal data exposure affecting 8,000 small business loan applicants seeking to maintain payrolls during the COVID-19 pandemic took longer than the Small Business Administration intended because the agency first had to award a contract for credit monitoring services for victims, the agency's deputy CIO told a House Small Business subcommittee Wednesday.

“I wish it was faster, but that’s the time it took to get there,” Guy Cavallo, SBA deputy CIO, told the House Small Business Committee's Subcommittee on Investigations, Oversight and Regulation on July 22. Cavallo told the subcommittee that the SBA had worked as quickly as possible to shut down the data exposure and to notify companies whose data may have been affected.

Closing the exposure took hours, but notifying potential victims took significantly longer, according to Cavallo, because the SBA first had to contract for free credit monitoring services to offer them.

Cavallo was responding to a question from subcommittee chair Judy Chu, D-Calif., about why the SBA took until April 15 to send letters to potentially affected companies when the exposure occurred on March 25.

The “data exposure,” which SBA Economic Injury Disaster Loan (EIDL) applicants experienced in March, was corrected in three and a half hours, Cavallo said, but the process of providing free credit monitoring services to potentially affected people took longer because the agency did not have an existing contract with a credit monitoring provider for those services.

“We had to go to GSA [General Services Administration] to compete it,” he said. “We did that from March 29 to 30.” Once the contract was awarded, the vendor looked at the logs and found that some records did not have valid addresses and information “that needed to be corrected,” he said.

Cavallo made it clear to Chu that the March incident was not a data breach but a potential data exposure. Both are serious, he said, but a data breach means bad actors have had access to data for an extended period of time, or have even potentially downloaded it. A data exposure, he said, is more transient.

Chu said the incident “clearly shows that SBA’s IT needs to be improved,” also citing a 2014 Government Accountability Office study that found the SBA's IT was not prepared for a disaster requiring a massive response.

Under the leadership of SBA CIO Maria Roat, Cavallo said, the agency’s IT office has been working hard since 2016 to replace existing systems with more modern and responsive commercial cloud platforms.

This work, he said, laid the groundwork for flexible and scalable support for EIDL, the Paycheck Protection Program, the customer service center and the other platforms supporting small businesses in the agency's COVID response. All of these platforms were implemented in eight days, he said. Some initial issues, such as delays in accessing the small business disaster loan portal for applications, were mitigated by the flexibility of the cloud platforms, he said.

The work the SBA has done over the past three and a half years to move to the cloud has also enabled it to rapidly advance in cybersecurity, where it had been lagging, he said.

According to the Federal Information Technology Acquisition Reform Act (FITARA) scorecard from the House Committee on Oversight and Government Reform, the SBA has improved its IT infrastructure overall but still scores a “D” on cybersecurity, Chu said in her opening statement. “This is of particular concern given the cybersecurity breach that occurred with the EIDL app.”

During his testimony, Cavallo highlighted two pilot programs the SBA conducted with the Department of Homeland Security on cloud-based Continuous Diagnostics and Mitigation (CDM) and Trusted Internet Connections (TIC) as proof that the SBA is making significant progress in cybersecurity.

“Otherwise, DHS would not have chosen us to pilot two critical cybersecurity pilots that changed federal policy,” he said.

About the Author

Mark Rockwell is a senior editor at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Prior to joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security, from IT to detector dogs and border security. Over the past 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide range of high-tech issues for publications such as Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work on telecommunications issues and is a graduate of James Madison University.
