Here is a sentence the Small Business Administration would prefer you skip. The same agency that is publicly suspending borrowers, referring 562,000 loans to Treasury collections, and signing surveillance contracts to find fraud just got audited on its own information security program, and it did not pass with anything resembling a clean grade. An independent auditor reviewing the SBA's performance under the Federal Information Security Modernization Act found that the agency has written security policies but has not consistently implemented them. Which is a polite way of saying the rules exist in a binder somewhere and the systems did not get the memo.
The maturity model used in these reviews runs from one to five. Five is the goal. Six of the SBA's security domains came back rated "defined," which is a two out of five. Two. Out of five. On a scale where five is what you are supposed to be.
The Six Domains That Scored A Two Out Of Five
The audit rated six separate domains at the second-lowest maturity level: cybersecurity supply chain risk management, risk and asset management, configuration management, identity and access management, contingency planning, and information security continuous monitoring. Read that list slowly. Those are not exotic, cutting-edge categories. That is the foundational plumbing of keeping a federal agency's data from walking out the door. Knowing what hardware you own. Knowing who has access. Watching your own systems. Having a plan for when something breaks.
Three other domains scored slightly better at "consistently implemented," a three out of five: cybersecurity governance, data protection and privacy, and security training. A three is not a victory lap. A three is "we do this most of the time, when someone is watching."
The Specific Findings Are The Punchline
The auditors did not stop at maturity scores. They listed the actual technical problems, and every one of them is the kind of thing the SBA would treat as a red flag if it found it at a borrower:
- Inconsistent enforcement of multi-factor authentication for both privileged and non-privileged users. The agency hunting identity-theft loan fraud does not consistently require a second factor to log into its own systems.
- A lack of annual user access reviews. Nobody is reliably checking who still has the keys. Accounts get created. Accounts apparently do not get checked.
- Incomplete or nonexistent contingency plans. The "what do we do when the system goes down" document is, in places, blank.
- Hardware and software asset inventories that were not always kept up to date. The agency does not always know what machines and programs it is running. The SBA blamed this on its ongoing transition to a new management system, which is the institutional version of "my dog ate the asset inventory."
The Part Where It Catches A Faint Break
To be fair, and LOLSBA is occasionally fair, the SBA did surpass the federal baseline for incident response, earning an "optimized" rating there. So when something goes wrong, the agency is rated as good at reacting. It is the not-letting-it-go-wrong-in-the-first-place column where the scores collapse. That is a familiar shape. The SBA has always been better at the cleanup press conference than at the prevention nobody applauds.
The report closed with 17 new recommendations to fix the agency's IT security program. The SBA agreed with all 17. Agreeing with all of them is easy. Agreeing with all of them is also what the agency did the last time, and the time before, which is how you end up with six domains still parked at a two out of five.
The Hypocrisy Is The Whole Story
Sit with the timeline. This is the agency that suspended 6,900 Minnesota borrowers, flagged 111,620 California borrowers over $8.6 billion, shipped 562,000 loans worth $22.2 billion to Treasury for aggressive collection, and brought in Palantir to industrialize the fraud hunt. The public posture is total competence in the pursuit of bad actors. The internal reality, per its own watchdog, is multi-factor authentication it does not consistently enforce and an asset inventory it cannot keep current.
If a PPP borrower told a fraud investigator "I have policies, I just have not consistently implemented them," that borrower would be on a suspension list by lunch. When the SBA says it about its own network, it gets 17 recommendations and a year to think about it.
What The Headline Should Have Said
- The SBA's own inspector general found the agency's information security program failed to consistently implement its written policies.
- Six core security domains scored a two out of five on the federal maturity scale, including identity and access management and configuration management.
- Multi-factor authentication is not consistently enforced, annual access reviews are missing, and some contingency plans do not exist.
- The agency could not always keep an accurate inventory of its own hardware and software.
- The SBA agreed with all 17 recommendations, the same way it agrees with recommendations every cycle while the foundational scores stay parked.
The Pattern, In One Line
Hunt the fraud loudly. Secure the house quietly, if at all. The SBA can build a nationwide surveillance dragnet to read everyone else's paperwork and still cannot reliably make its own staff use two-factor login. The fraud-prevention agency keeps proving the most reliable thing it produces is irony.