GAO - Government Accountability Office

11/06/2024 | Press release | Archived content

IT Modernization: SBA Urgently Needs to Address Risks on Newly Deployed System

What GAO Found

In 2023, the Small Business Administration (SBA) started the Unified Certification Platform project. This project is intended to allow small businesses to more efficiently apply for and maintain certifications to SBA's contracting assistance programs, compared to legacy certification systems.

SBA originally anticipated deploying the system in September 2024. In June 2024, SBA announced a pause, effective August 1, 2024, in accepting new applications for certification. GAO expressed concerns regarding the agency's pause in accepting new applications until the certification system is deployed. GAO also noted that SBA triggered questions about risks and available mitigation strategies if full deployment did not occur in September or if there were system performance issues after deployment. The risk of a deployment delay was eventually realized, as SBA delayed UCP deployment to address system issues identified during testing. SBA subsequently deployed the UCP system on October 18, 2024, but work remains to develop additional, more complex functionality, secure the system, and migrate data.

GAO's analyses of SBA's efforts show that leading practices for risk management, cybersecurity, and schedule and cost estimation have not been fully implemented. Accordingly, SBA faces an increased risk of additional delays as it completes remaining work and may face challenges with addressing system issues that arise.

Extent to Which the Small Business Administration (SBA) Met Selected IT Management Areas for the Unified Certification Platform Modernization

IT management area | Overall assessment
Risk Management | ◔ Minimally met
Cybersecurity | ◑ Partially met
Schedule | ○ Not met
Cost | ◔ Minimally met

Source: GAO analysis of SBA data. | GAO-25-106963

GAO identified critical management gaps:

  • SBA did not have a project-level risk management strategy or a risk mitigation plan, and did not fully identify and document risks.
  • SBA did not document plans for managing cybersecurity risks or conduct a traceability analysis to ensure project security requirements had been met. This increases the likelihood of a successful cyberattack.

Further, the project's schedule and cost estimates were unreliable. SBA did not create an integrated master schedule; instead, it used a "road map" that did not meet the characteristics of a reliable schedule. SBA's cost estimate largely relied on subject matter expertise instead of supporting data or methodologies.

SBA issued an interim authority to operate for the system in August 2024 while it continues to implement IT security controls. Under schedule pressure, SBA could decide to accept known risks and issue a final authorization to operate with issues not being fully resolved. If taking such an action, consideration of the probability and resulting impact of accepted risks is essential.

Why GAO Did This Study

In fiscal year 2023, the federal government awarded $178.6 billion in contracts to small businesses. SBA promotes small business participation in federal contracting through a variety of contracting assistance programs. These programs rely on multiple IT systems. However, SBA's past attempts to modernize its IT systems experienced challenges and did not deliver expected results.

GAO was asked to review SBA's Unified Certification Platform project. This report (1) describes the project's plans and status, and (2) evaluates the extent to which SBA has adopted leading practices for risk management, cybersecurity, and schedule and cost estimation for the project. To do so, GAO summarized and analyzed relevant documentation and compared SBA's risk management, cybersecurity, and schedule and cost estimation efforts to leading practices. GAO also interviewed SBA officials.