Report 24-07

Fiscal Year 2023 Federal Information Security Modernization Act

This SBA OIG report summarizes the results of our fiscal year 2023 Federal Information Security Modernization Act (FISMA) of 2014 evaluation and assessment of SBA's information security systems policies, procedures, and practices.

About this document and download

This report summarizes the results of our fiscal year 2023 Federal Information Security Modernization Act (FISMA) of 2014 evaluation and assessment of the U.S. Small Business Administration’s (SBA) information security systems policies, procedures, and practices.

Our objectives were to determine whether SBA complied with FISMA and assess the maturity of controls used to address risks in each of the nine security domains.

There are five open recommendations from two previous evaluations. In this report, we made 11 recommendations for improvements in 6 domains: risk management, supply chain risk management, identity and access management, data protection and privacy, security training, and contingency planning. We did not repeat recommendations from previous years that are being implemented in the areas of risk management, supply chain risk management, and contingency planning. The agency agreed with all 11 recommendations.

File size: 890KB
Effective: March 7, 2024
Owned by: Office of Inspector General
Related programs: Agency Management
Last updated March 7, 2024