Reports

Ensure the existing SBA System Development Methodology is updated to include supply chain risk-management practices as required by OMB Circular A-130 and high-value asset system designation guidance. Also, ensure high-value asset system risks are incorporated into the enterprise risk management framework, as recommended by OMB M-19-03 and SBA SOP 90 47 6.

Implement an automated process to document and monitor system changes as recommended by NIST SP 800-53 Rev. 5.

Communicate and enforce the SBA System Development Methodology in which a traceability matrix is used to ensure that system requirements can be tested and demonstrated in the operational system. Ensure all requirements are aligned with the contractual acceptance criteria.

Implement in updated agency guidance, the requirements of OMB Circular No. A-123 that stipulate a SOC 1 Type 2 report is needed for all new and existing financial systems. This guidance should also require confirmation at least annually that the controls are functioning as designed.

Enforce the requirement to establish and implement internal controls to ensure appropriate program officials perform and document contract reviews to ensure that information security is appropriately addressed in the contracting language, as required by OMB Circular A-130 and SBA SOP 90 47 6.

In conjunction with the Enterprise Risk Management Board, implement enterprise-wide privacy risk mitigation practices that can be assimilated into new and existing system program designs.

Complete an initial assessment and authorization for each information system and all agency-designated common controls before operation.

Transition information systems and common controls to an ongoing authorization process (when eligible for such a process) with the formal approval of the respective authorizing officials or reauthorize information systems and common controls as needed, on a time or event-driven basis in accordance with agency risk tolerance, as required by OMB Circular No. A-130 and SOP 90 47 6.

Review and update POA&Ms at least quarterly as required by SOP 90 47 6.

Ensure data-sharing agreements are reviewed annually as required by SBA SOP 90 47 6.