House lawmakers Wednesday questioned recent Small Business Administration IT investments after issues with its loan portals have hampered applicants’ ability to receive economic relief amid the coronavirus pandemic.
SBA made technical improvements to lessen the demand on its overloaded E-Tran loan system, Deputy CIO Guy Cavallo told the Committee on Small Business’ Oversight Subcommittee Wednesday. But those changes aren’t a substitute for modernizing E-Tran, which SBA planned to replace back in 2015, said Rep. Judy Chu, D-Calif., the subcommittee chair.
“The agency can’t rely on a system that is incapable of meeting high demand in a crisis,” Chu said.
SBA’s Office of the CIO doubled E-Tran’s network connectivity a week or two before the agency began accepting Paycheck Protection Program (PPP) applications for forgivable loans up to $10 million to keep workforces employed during the pandemic.
The office also approved a “significant” hardware investment to improve E-Tran’s “horsepower” and built a lender gateway as a cloud-based app to lessen the front-end load — allowing small banks to apply for PPP loans more easily, Cavallo said.
“For something like E-Tran, that we can’t modernize overnight, what we’re trying to do is put a new front-end in front of it so that the small business owner or the citizen is able to more easily interact with the system,” Cavallo said. “We were able to do that successfully for a number of these programs.”
Still, the PPP portal went down for four hours during launch and crashed again when it reopened in late April. The Government Accountability Office foresaw such an occurrence in a 2014 report, where it warned SBA was “unprepared” for a large number of disaster loan applications at the beginning of a response.
SBA also ran into trouble with its Economic Injury Disaster Loan (EIDL) portal, when the personally identifiable information (PII) of about 8,000 applicants was potentially exposed for several hours. The overwhelming demand for EIDL loans, $1,000 per employee for up to 10 employees, also led to outages, so OCIO developed an interim, cloud-based solution to intake applications until the finalized portal was ready.
“However — while making multiple system changes in the middle of the night in such a short time — a mistake was made in one of the system’s configuration, which actually exposed PII data for some individuals,” Cavallo said.
The 6 a.m. error was discovered within three hours, reported to the U.S. Computer Emergency Readiness Team an hour after that, and fixed. The General Services Administration completed free credit monitoring for potential victims on March 29 and 30, with offer letters sent out once addresses could be validated.
Some recipients thought the letters themselves were a scam, and affected businesses were forced to reapply for EIDL loans and shut out of the program when SBA leadership decided to limit applications to agricultural businesses, Chu said.
E-Tran is handling loan applicant traffic currently, but lawmakers wanted to know how SBA intends to avoid outages in the future.
SBA received an additional $2.1 billion to staff up during the pandemic, much of which has gone toward the IT help desk and network and security operations centers, Cavallo said.
“SBA has made some questionable IT investments into its contracting and business development programs, making various attempts to streamline application processes and enhance staff oversight and management of these programs,” said Rep Ross Spano, R-Fla., the subcommittee’s ranking member.
The agency also spent $27 million on its new certify.sba.gov identity authentication platform, which has yet to be “fully realized,” Spano said.
In its 2019 Federal Information Technology Acquisition Reform Act scorecard, SBA received a C grade for IT portfolio management and a D grade for cybersecurity.
Cavallo argued SBA still has the third-highest cumulative score in government. The agency is further helping the Department of Homeland Security implement the Continuous Diagnostics and Mitigation program in a new, cloud-based solution.
“We think the combination of those scores do not accurately reflect where we are today,” Cavallo said. “Otherwise DHS would not have selected us to pilot two critical cybersecurity pilots with them that have changed federal policy.”