IT Modernization: SBA Urgently Needs to Address Risks on Newly Deployed System
Fast Facts
The Small Business Administration's contracting assistance programs promote small business participation in federal contracting.
SBA relied on several IT systems to check that businesses are—and remain—eligible for its contracting assistance programs. We looked at SBA's efforts to streamline them into a single system.
We found problems with SBA's management of this project. For example, SBA doesn't have a project cybersecurity risk management plan. It also didn't trace design elements of the new system to related cybersecurity requirements. These gaps increase the risk of security vulnerabilities.
Our recommendations address this and more.
Highlights
What GAO Found
In 2023, the Small Business Administration (SBA) started the Unified Certification Platform project. This project is intended to allow small businesses to more efficiently apply for and maintain certifications to SBA's contracting assistance programs, compared to legacy certification systems.
SBA originally anticipated deploying the system in September 2024. In June 2024, SBA announced a pause, effective August 1, 2024, in accepting new applications for certification. GAO expressed concerns regarding the agency's pause in accepting new applications until the certification system is deployed. GAO also noted that SBA triggered questions about risks and available mitigation strategies if full deployment did not occur in September or if there were system performance issues after deployment. The risk of a deployment delay was eventually realized, as SBA delayed UCP deployment to address system issues identified during testing. SBA subsequently deployed the UCP system on October 18, 2024, but work remains to develop additional, more complex functionality, secure the system, and migrate data.
GAO's analyses of SBA's efforts show that leading practices for risk management, cybersecurity, and schedule and cost estimation have not been fully implemented. Accordingly, SBA faces an increased risk of additional delays as it completes remaining work and may face challenges with addressing system issues that arise.
Extent to Which the Small Business Administration (SBA) Met Selected IT Management Areas for the Unified Certification Platform Modernization
|
IT management area |
Overall assessment |
|---|---|
|
Risk Management |
◔ Minimally met |
|
Cybersecurity |
◑ Partially met |
|
Schedule |
○ Not met |
|
Cost |
◔ Minimally met |
Source: GAO analysis of SBA data. | GAO-25-106963
GAO identified critical management gaps:
- SBA did not have a project level risk management strategy, a risk mitigation plan, and did not fully identify and document risks.
- SBA did not document plans for managing cybersecurity risks or conduct a traceability analysis to ensure project security requirements had been met. This increases the likelihood of a successful cyberattack.
Further, the project's schedule and cost estimates were unreliable. SBA did not create an integrated master schedule; instead, it used a “road map” that did not meet the characteristics of a reliable schedule. SBA's cost estimate largely relied on subject matter expertise instead of supporting data or methodologies.
SBA issued an interim authority to operate for the system in August 2024 while it continues to implement IT security controls. Under schedule pressure, SBA could decide to accept known risks and issue a final authorization to operate with issues not being fully resolved. If taking such an action, consideration of the probability and resulting impact of accepted risks is essential.
Why GAO Did This Study
In fiscal year 2023, the federal government awarded $178.6 billion in contracts to small businesses. SBA promotes small business participation in federal contracting through a variety of contracting assistance programs. These programs rely on multiple IT systems. However, SBA's past attempts to modernize its IT systems experienced challenges and did not deliver expected results.
GAO was asked to review SBA's Unified Certification Platform project. This report (1) describes the project's plans and status, and (2) evaluates the extent SBA has adopted leading practices for risk management, cybersecurity, and schedule and cost estimation for the project. To do so, GAO summarized and analyzed relevant documentation and compared SBA's risk management, cybersecurity, and schedule and cost estimation efforts to leading practices. GAO also interviewed SBA officials.
Recommendations
GAO is making fourteen recommendations to SBA, including that it should (1) expeditiously address critical risk management issues, (2) expeditiously address critical cybersecurity issues, and (3) consider the probability and impact of accepted risks if deciding to issue a final authorization to operate the system. SBA concurred with three, partially concurred with three, and did not concur with eight recommendations. GAO maintains that the recommendations are warranted.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Small Business Administration | The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project risk management issues, including developing a project risk management strategy and risk mitigation plan. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Associate Administrator of SBA's Office of Government Contracting and Business Development to expeditiously address critical UCP project cybersecurity issues, including developing a plan for managing project cybersecurity risks and documenting a traceability analysis for project security requirements. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to consider the probability and impact of accepted UCP deployment risks if deciding to issue a final authorization to operate for the system. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that risk registers or equivalent risk documentation explicitly state risk sources for IT modernization projects. (Recommendation 4) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that parameters to categorize or analyze risks are clearly defined at the project level for IT modernization projects. (Recommendation 5) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that project risk management strategies are established and maintained for IT modernization projects. (Recommendation 6) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that risks are identified and documented for IT modernization projects for all phases of the development lifecycle, including deployment. (Recommendation 7) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that risks are evaluated, categorized and prioritized using defined parameters, and also to ensure that project risk mitigation plans are developed for IT modernization projects. (Recommendation 8) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that identified risk mitigations are connected to a project risk mitigation plan for IT modernization projects. (Recommendation 9) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that IT system acquisition plans and strategic plans for IT modernization projects contain all the information needed to manage cybersecurity risks, including how such risks will be managed, security milestones, how assets will be protected at a program or project level, and security-relevant criteria for selecting suppliers. (Recommendation 10) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that a traceability analysis is performed and documented for IT modernization projects to show the traceability of the security requirements to the design of the proposed IT system solution. (Recommendation 11) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that security-related subject matter experts are involved in the contractor selection process for IT modernization projects. (Recommendation 12) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that integrated master schedules are developed for IT modernization projects using leading practices described in GAO's Schedule Assessment Guide. (Recommendation 13) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Small Business Administration | The Administrator of SBA should direct the Chief Information Officer to establish and implement policies and procedures to ensure that cost estimates for IT modernization projects are developed using leading practices described in GAO's Cost Estimating and Assessment Guide. (Recommendation 14) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|