b"<html>\n<title> - 21<SUP>st</SUP> CENTURY SBA: AN ANALYSIS OF SBA'S TECHNOLOGY SYSTEMS</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\n               21st CENTURY SBA: AN ANALYSIS OF SBA'S\n                           TECHNOLOGY SYSTEMS\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                    SUBCOMMITTEE ON INVESTIGATIONS, \n                       OVERSIGHT, AND REGULATIONS\n\n                                 OF THE\n\n                      COMMITTEE ON SMALL BUSINESS\n                             UNITED STATES\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              HEARING HELD\n                             JULY 22, 2020\n\n                               __________\n\n            Small Business Committee Document Number 116-089\n             Available via the GPO Website: www.govinfo.gov\n                          \n                              __________\n                               \n\n                    U.S. 
GOVERNMENT PUBLISHING OFFICE                    \n41-300                       WASHINGTON : 2021                     \n          \n--------------------------------------------------------------------------------------            \n         \n             \n                   HOUSE COMMITTEE ON SMALL BUSINESS\n\n                 NYDIA VELAZQUEZ, New York, Chairwoman\n                         ABBY FINKENAUER, Iowa\n                          JARED GOLDEN, Maine\n                          ANDY KIM, New Jersey\n                          JASON CROW, Colorado\n                         SHARICE DAVIDS, Kansas\n                         KWEISI MFUME, Maryland\n                          JUDY CHU, California\n                       DWIGHT EVANS, Pennsylvania\n                        BRAD SCHNEIDER, Illinois\n                      ADRIANO ESPAILLAT, New York\n                       ANTONIO DELGADO, New York\n                     CHRISSY HOULAHAN, Pennsylvania\n                         ANGIE CRAIG, Minnesota\n                   STEVE CHABOT, Ohio, Ranking Member\n   AUMUA AMATA COLEMAN RADEWAGEN, American Samoa, Vice Ranking Member\n                          TROY BALDERSON, Ohio\n                          KEVIN HERN, Oklahoma\n                        JIM HAGEDORN, Minnesota\n                        PETE STAUBER, Minnesota\n                        TIM BURCHETT, Tennessee\n                          ROSS SPANO, Florida\n                        JOHN JOYCE, Pennsylvania\n                       DAN BISHOP, North Carolina\n\n                 Melissa Jung, Majority Staff Director\n   Justin Pelletier, Majority Deputy Staff Director and Chief Counsel\n                   Kevin Fitzpatrick, Staff Director\n                           \n                           \n                           C O N T E N T S\n\n                           OPENING STATEMENTS\n\n                                                                   Page\nHon. 
Judy Chu....................................................     1\nHon. Ross Spano..................................................     3\n\n                                WITNESS\n\nMr. Guy Cavallo, Deputy Chief Information Officer, U.S. Small \n  Business Administration, Washington, DC........................     5\n\n                                APPENDIX\n\nPrepared Statement:\n    Mr. Guy Cavallo, Deputy Chief Information Officer, U.S. Small \n      Business Administration, Washington, DC....................    18\nQuestions for the Record:\n    None.\nAnswers for the Record:\n    None.\nAdditional Material for the Record:\n    None.\n\n \n  21<SUP>st</SUP> CENTURY SBA: AN ANALYSIS OF SBA'S TECHNOLOGY SYSTEMS\n\n                              ----------                              \n\n\n                        WEDNESDAY, JULY 22, 2020\n\n                  House of Representatives,\n               Committee on Small Business,\n     Subcommittee on Investigations, Oversight and \n                                       Regulations,\n                                                    Washington, DC.\n    The Subcommittee met, pursuant to call, at 1:02 p.m., in \nRoom 2360, Rayburn House Office Building, Hon. Judy Chu \n[chairwoman of the Subcommittee] presiding.\n    Present: Representatives Chu, Evans, Craig, Chabot, \nBurchett, and Spano.\n    Chairwoman CHU. I call the meeting to order.\n    Without objection, the Chair is authorized to declare a \nrecess at any time.\n    I want to thank everyone, especially our witnesses, for \njoining us today for our Committee's hybrid hearing.\n    I want to make sure to list some important requirements. \nLet me begin by saying that standing House and Committee rules \nand practice will continue to apply during hybrid proceedings. 
\nAll members are reminded that they are expected to adhere to \nthe standing rules, including decorum.\n    During the covered period as designated by the Speaker, the \nCommittee will operate in accordance with House Resolution 965 \nand the subsequent guidance from the Rules Committee in a \nmanner that respects the rights of all members to participate.\n    House regulations require members to be visible through a \nvideo connection throughout the proceedings, so please keep \nyour cameras on. Also, if you have to participate in another \nproceeding, please exit this one and log in later.\n    In the event a member encounters technical issues that \nprevent them from being recognized for their questioning, I \nwill move to the next available member of the same party, and I \nwill recognize that member at the next appropriate time slot, \nprovided they return to the proceedings.\n    And, finally, remember to remain muted until you are \nrecognized to minimize background noise. In accordance with the \nrules established under House Resolution 965, staff have been \nadvised to mute participants only in the event there is \ninadvertent background noise.\n    For those members physically present in the committee room \ntoday, we will also be following the health and safety \nguidelines issued by the Attending Physician, which includes \nsocial distancing and especially the use of masks. I urge \nmembers and staff to wear masks at all times while in the \nhearing room, and thank you in advance for your commitment to a \nsafe environment here today.\n    I am pleased to be holding this important hearing today to \nlearn more about the Small Business Administration's \ninformation technology systems, IT modernization efforts, and \ncybersecurity strategy. 
SBA has counted on its technology \nsystems to implement the programs to help entrepreneurs launch \nand grow their small businesses, and millions of small \nbusinesses have relied on them over the past few months to \naccess the assistance they need to survive the coronavirus \npandemic.\n    I would like to thank Mr. Guy Cavallo, the Deputy Chief \nInformation Officer for SBA, for being here today to discuss \nSBA's efforts to modernize its systems and address some of the \ntechnical issues that have hampered the rollout of economic \nrelief programs.\n    Ineffective IT systems have been a persistent problem at \nSBA. While significant progress has been made to upgrade the \nsystem in recent years, the magnitude of the pandemic has \ndemonstrated the need for more modern systems that are safer, \nfaster, and more efficient at delivering services to America's \nsmall businesses.\n    Six months after the first confirmed case in the U.S., our \ncountry remains in the grips of the coronavirus pandemic. Small \nbusinesses have relied on Congress and SBA to help them survive \nthe necessary State-ordered public health lockdowns, \nrestrictions and operating capacity, and significant revenue \nlosses resulting from our fight to contain this virus.\n    This crisis has made it necessary for unprecedented numbers \nof small businesses to rely on your agency's technology to \naccess loan applications, connect to their local resource \npartners, find translated resources, and answer their urgent \nquestions in a timely manner. However, several technical issues \nhave arisen during the pandemic, making it both frustrating and \ndifficult for small businesses to receive the relief they need \nin a timely manner.\n    This Committee acknowledges the toll that this \nunprecedented level of activity has taken on SBA systems, and \nwe commend you and your staff for working around the clock to \nfix several of the issues. 
The coronavirus has placed a \nhistoric burden on SBA, and we in Congress must ensure that you \nhave the resources you need to assist the American people. But \nmany of these system weaknesses have been known for years and \nshould have been addressed and modernized long before this \npandemic. In fact, some of the issues were brought to SBA's \nattention as early as 2014 by the Government Accountability \nOffice and, in fact, there was a 2011 report from the GAO \nbefore that.\n    According to the Committee on Oversight and Reform's IT \nscorecard, SBA has made improvements to its IT infrastructure \noverall, but is still scoring a D on cybersecurity. This is \nparticularly concerning given the cybersecurity breach that \noccurred with the EIDL application.\n    In late March, SBA detected a vulnerability in the EIDL \napplication, which allowed applicants' personally identifiable \ninformation to be viewed by other applicants. Even more \ntroubling, the individuals that were potentially affected were \nnot notified until mid-April, nearly 20 days after the data \nbreach, and the notification was simply a paper letter.\n    The Committee heard from several recipients who were \ninquiring whether it was a scam or a verifiable document. At \nthe time, SBA had failed to make any public announcement about \nthe breach, again, showing a lack of transparency that had been \na consistent concern for the committee throughout the COVID-19 \npandemic. 
Affected businesses lost their place in the queue, \nwere forced to reapply, and then were shut out of the program \nwhen SBA inexplicably limited applications to only agricultural \nbusinesses.\n    We recognize that your office was not directly involved in \nthose decisions, but they demonstrate the tremendous downstream \nimpacts faced by small businesses that were affected by the \ninitial IT systems failure.\n    Other problems that arose during the pandemic were related \nto SBA's loan processing system, E-Tran, which is a legacy \nsystem that SBA had planned to replace in an effort to \nmodernize its IT infrastructure. The issues concerning E-Tran \nare not new. In 2014, the GAO reported that SBA may be \nunprepared for a large volume of applications to be submitted \nquickly following future disasters which could result in delays \nin loan funds for disaster victims. And in this report, SBA \nactually stated that E-Tran would be replaced by 2015. However, \nin 2020, SBA is still relying on the same system.\n    Shortly after the launch of the Paycheck Protection Program \nportal, the system was inundated by applicants, causing it to \ngo offline for 4 hours. The system then crashed again a second \ntime when the PPP portal reopened in late April.\n    While we recognize that SBA quickly increased bandwidth to \nincrease the system--to address the system crash both times, \nthe agency cannot rely on a system that is incapable of meeting \nhigh demand in a crisis.\n    The Committee plans to explore what steps must be taken to \nimprove SBA's IT systems moving forward in order to prevent \nthese issues from reoccurring should Congress reauthorize or \nauthorize further small business assistance as we continue to \nfight the virus or if a natural disaster should strike and \ncompound the stress on SBA's systems. 
It is imperative that \nSBA's technology systems be modernized to meet the demands of \nthe 21st century.\n    With that, I look forward to hearing from Mr. Cavallo on \nthe changes SBA plans to implement to its technology systems \nand what he needs from Congress in order to address these \ntechnical failures to ensure the SBA IT infrastructure is fully \nprepared in the future.\n    I now yield to the Ranking Member, Mr. Ross Spano, for his \nopening statement.\n    Mr. SPANO. Thank you, Madam Chairwoman.\n    While all of the oversight hearings we hold in this \nCommittee are important, examining the state of the SBA's \ninformation technology is truly one of the most vital. We live \nin an era dominated by modern technology and the internet, so \nthere is little else that has changed the way we live our lives \nso dramatically.\n    This pandemic has underscored our reliance on modern \ntechnology to do almost anything and everything, from running a \nsuccessful business and allowing employees to telework, to \nsocializing while maintaining social distancing. Technology has \nbeen and will continue to be critical in allowing the private \nsector and public government to respond to and recover from \nthis pandemic. The SBA is no exception.\n    As technology continues to improve, implementing innovative \ntechnological solutions to streamline manual processes or \nupgrade legacy systems are actions that any responsible Federal \nagency should consider. Once these new technologies are \ndeployed, it is imperative that the agency ensure they are \nsecure, operational, and meet mission objectives.\n    For instance, the SBA's decision to move from mail-in, \npaper-based application processes to online loan and \ncontracting applications certainly has advantages for both the \nagency and the participant. 
Unfortunately, it also comes with a \nhost of other challenges, for instance, vulnerability to \ncomputer bugs, data breaches, and cyber attacks.\n    As has been widely reported in the news, the technological \nsystem supporting the Paycheck Protection Program suffered from \na number of these mishaps. Reports regarding the Economic \nInjury Disaster Loan Program have not fared well. While the \nEIDL advanced program intended to provide emergency grants to \nsmall businesses within 3 days of their application being \nfiled, the SBA took nearly 6 weeks to approve less than 1 \npercent of the total application backlog.\n    Even though I appreciate the SBA's recent efforts to meet \nthe surging demand, reports show that little more than a third \nof the amount Congress authorized to support the EIDL program \nhas been approved. Adding insult to injury, a glitch in the \nEIDL portal led to nearly 8,000 EIDL applicants' personal \ninformation being compromised, including Social Security \nnumbers, birth dates, and addresses.\n    I cannot overstate just how dire the situation is for small \nbusinesses everywhere in this country, including in my own \ndistrict. They need these funds now. And if technology is the \nsolution or the problem, we need to take appropriate action \nimmediately.\n    Addressing the issues with SBA's loan programs is not the \nonly reason why I am interested in hearing from you today, Mr. \nCavallo. As the SBA continues to invest in new technologies, it \nis imperative that the agency ensures that the investment was \nworth it, that the outcome achieves the intended goals.\n    The SBA has made some questionable IT investments into its \ncontracting and business development programs, making various \nattempts to streamline application processes and enhance staff \noversight and management of these programs. Unfortunately, we \nhave seen some of these investments fail in the past. 
And I \nunderstand the SBA is now investing in a new technological \ninitiative called certify.sba.gov, to which over $27 million \nhas already been spent, but the system has not yet fully \nrealized its intended purpose.\n    Indeed, according to the Committee on Oversight and \nReform's December 2019 Federal Information Technology \nAcquisition Reform, or FITARA, report, the SBA received a C \ngrade for its IT portfolio management, indicating that the \nOffice of Management and Budget found the SBA demonstrated poor \nmanagement of commodity IT spending in alignment with agency \nmission and business functions. Also deeply troubling is the D \ngrade that the SBA received in the FITARA report for \ncybersecurity, indicating severe deficiencies in cybersecurity \nmeasures taken by the SBA.\n    I understand that we live in unprecedented times and the \nwheels of government often move slower than the pace of \ntechnology. However, we have to strive to do better and be \nbetter. Small businesses across the country depend on the SBA \nto get it right, and we must do all we can to ensure the \nagency's success.\n    Thank you, Madam Chairwoman. I yield back.\n    Chairwoman CHU. Thank you, Ranking Member Spano.\n    I need to explain how this hearing will proceed. Each \nwitness will have 5 minutes to provide a statement and each \ncommittee member will have 5 minutes for questions. Please \nensure that your microphone is on when you begin speaking and \nthat you return to mute when finished.\n    With that, I would like to introduce Mr. Guy Cavallo, the \nDeputy Chief Information Officer at SBA. In this capacity, Mr. \nCavallo provides leadership and direction in the creation, \ndevelopment, and execution of the agency's information \ntechnology management programs. He was previously the executive \ndirector of IT operations at Transportation Security \nAdministration. 
He has also had an impressive career in the \nprivate sector implementing innovative technologies in \ngovernmental organizations.\n    We welcome you to the committee, and you are now recognized \nfor 5 minutes.\n\nSTATEMENT OF MR. GUY CAVALLO, DEPUTY CHIEF INFORMATION OFFICER, \n       U.S. SMALL BUSINESS ADMINISTRATION, WASHINGTON, DC\n\n    Mr. CAVALLO. Chairwoman Chu, Ranking Member Spano, and \nmembers of the Subcommittee, thank you for the opportunity to \ndiscuss how the Small Business Administration has modernized \nand transformed----\n    Mr. SPANO. Excuse me, sir. Could you make sure your \nmicrophone is on?\n    Mr. CAVALLO. The button is on. How is that?\n    Mr. SPANO. That is perfect.\n    Mr. CAVALLO. There we go. Thank you.\n    Again, thank you for the opportunity to talk about how SBA \nhas modernized and transformed its IT and cybersecurity \ncapabilities, which we know are critical to enhancing our \nservice delivery to citizens and small businesses.\n    In July of 2017, SBA Chief Information Officer Maria Roat \ntestified before the House Small Business Committee describing \nher vision for a 21st century SBA. Today, SBA has turned much \nof her vision into reality.\n    With the strong executive leadership and support of \nAdministrators Carranza and McMahon, SBA is now viewed as a \ntechnology leader in the Federal Government.\n    Over the past 3-1/2 years, we have implemented the \nnecessary building blocks to deliver and accelerate our IT \nmodernization. That foundation includes a reliable network \ninfrastructure and leveraging the power of the cloud. In early \n2017, I served as the executive sponsor of SBA's cloud journey. \nWithin 82 days, we built SBA's first cloud, an accomplishment \nthat may take others a year-plus to achieve. 
With that network \nand cloud platform in place, SBA could now leverage those \nfoundations to meet our critical role in the upcoming CARES \nAct.\n    Having SBA's cloud operational and leveraging commercial \ncloud services to support our modernization efforts were \ncritical in our overnight move to nearly 100 percent telework \nstatus for the SBA staff and for the thousands of surge workers \nwho may never work in an actual SBA office.\n    I also want to highlight that one of the most significant \nbenefits of moving to the cloud has been the tremendous \nimprovement in our cybersecurity protections. For example, \nsince April of 2018, our security team has partnered with DHS \nto take down 1,380 malicious websites that we uncovered by \nstopping phishing attempts into SBA.\n    Now, based upon our enhanced cybersecurity capabilities, we \nconducted two pilots with DHS to validate the cloud \nprotections. Our pilots on the Trusted Internet Connection and \nthe continual diagnostic and mitigation programs allowed us to \nsuccessfully demonstrate alternative ways of meeting the goals \nof those programs, and our results led DHS to modify the \nFederal security policies for those programs.\n    In addition to those cybersecurity capabilities, we \nleveraged the cloud to build new CARES Act solutions, including \na new portal for the $10,000 EIDL advances, a front end to the \nlender gateway for banks to access the E-Tran system, an \nupdated find a lender tool to display eligible lenders of the \nPPP program by ZIP Code, and a new customer service hub for \nbetter tracking all the millions of citizen requests we \nreceive.\n    All of these new solutions were implemented within 8 days \nor less. 
My team worked round the clock to make sure that we \nhad these in place as fast as possible.\n    We also accelerated implementing GSA's login.gov common \nidentity management solution, which allows a small business to \nuse one set of credentials when accessing any SBA system or any \nother government portals that adopted login.gov. However, I do \nwant to acknowledge that until these new systems were in place, \nseveral of the legacy systems did experience outages and slow \nresponse times from the overwhelming demand.\n    For example, the disaster loan access portal began \nsuffering outages due to the demand exceeding its capacity. \nWithin a day, we implemented a replacement interim cloud \nsolution to intake loan applications until the final \nreplacement EIDL rapid intake portal was ready. However, while \nmaking multiple system changes in the middle of the night in \nsuch a short time, a mistake was made in one of the system's \nconfiguration which accidentally exposed PII data for some \nindividuals. Within 3 hours, we discovered that exposure and \nquickly fixed the problem. And to support the potential \nexposure of those individuals that may have been exposed, we \nhave offered free credit monitoring services.\n    There is still much to do, but the positive steps taken \nover the last 3-1/2 years have positioned SBA to be able to \ncontinue modernizing our legacy systems.\n    And I want to thank you for the opportunity to speak to \nthat today, and I look forward to the Committee's questions.\n    Chairwoman CHU. Thank you, Mr. Cavallo.\n    I will begin by recognizing myself for 5 minutes for \nquestions.\n    Mr. Cavallo, it wasn't just a few persons who had their \ndata exposed; it was 8,000 individuals. 
There were so many \negregious things that happened in that situation where EIDL \ndata was exposed, the data of small business owners who were \ntrying to get relief from COVID-19, and it caused SBA to tell \nthe applicants to reapply, they lost their place in line, and \nthe applications were subsequently closed to anyone who wasn't \nin the agricultural industry.\n    So, Mr. Cavallo, how did this breach happen, and what \nspecific steps did SBA take to fix the issue that caused the \ndata breach? Also, the breach occurred on March 25. Why did it \ntake until April 13 for SBA to notify these small businesses \nwho may have been affected?\n    Mr. CAVALLO. I want to thank you for asking that question. \nFirst of all, I want to clarify that we did not suffer a data \nbreach; we suffered a data exposure. The big difference is that \nthere was no data break-in, any download of data. They are both \nserious, but a potential data exposure is quite different, and \nas I said, we were not breached.\n    I can tell you how it happened. My staff was working around \nthe clock, pulling all-nighters, trying to get the new loan \nportal set up as fast as possible. A human error was made at 6 \na.m., which caused the potential for that exposure to occur, \nand within 3 hours, we implemented taking the portal down and \nlimiting the exposure.\n    But we followed our standard procedures for dealing with a \nPII exposure, which means we reported it immediately to US-CERT \nwithin an hour. We convened our executive response team on \nMarch 29. That team decided to make sure that everybody that \nwas potentially a user during those 3 hours would receive \ncredit monitoring services.\n    And then, ma'am, we don't have in place a contract to pay \nfor credit monitoring services, so we had to go to GSA to \ncompete the credit monitoring services, which we did on March \n29 and 30. Once that was awarded, we brought the vendor on \nboard. 
They reviewed the logs and found that there were some \nlogs that we didn't have valid addresses and information, and \nthen they were able to issue the letter on April 13 to those \nindividuals offering credit monitoring and free call center to \nuse toll free and provide support.\n    I would have liked that to be faster, but that was how long \nit took to get there.\n    Chairwoman CHU. Well, what it shows is that there clearly \nneeds to be improvement in SBA's IT. And I noted that there \nhave been GAO reports since 2011 expressing concern about this. \nAnd then GAO did another report in 2014, which said that SBA \nwas not prepared for large volumes of applications that could \ncome in after a disaster.\n    Now, I acknowledge that SBA has made some improvements to \nits technology system in the IT scorecard, but in the most \nrecent scorecard, the SBA received a D on cybersecurity, which \nwas its lowest mark in any category. So what has been the \nholdup to improvements in this area, and what specific steps \nhas SBA taken to improve particularly on cybersecurity?\n    Mr. CAVALLO. Yes. One thing I do want to point out that \nwe--the way the cybersecurity score is calculated, there are \ntwo different criteria. One is an assessment from our Inspector \nGeneral, and our Inspector General uses the OMB maturity model \nthat measures eight different domains. To receive a higher \nscore in that, you must have no KPMG findings in the domain. It \nis one of the toughest scores to be able to obtain. My \nunderstanding is only one Federal agency has been able to \nachieve the top score.\n    The other component of that is how you are performing on \nyour cross-agency CAP Goals. In the last 2 years, we have moved \nfrom a 30 percent CAP goal implementation to 80 percent \nimplemented.\n    So, ma'am, we are taking it very seriously, and we are \nworking hard to get that score up. 
We think the combination of \nthose scores do not accurately reflect where we are today; \notherwise, DHS would not have selected us to pilot two critical \ncybersecurity pilots with them that have changed Federal \npolicy. And, in fact, they have asked us now to help them \nimplement the CDM Program in a new cloud-based solution.\n    So, we realize how the scores were obtained. We have taken \nmany steps to improve our cybersecurity. I highlighted the \nnumber of websites we are taking down. We have full visibility \nof all attempts to get into SBA. We also--with the PPP and EIDL \nloans, implemented geofencing so that a foreign adversary \napplying from a foreign country could not even get to the loan \nsystem.\n    So, we are radically different from where we were in 2012 \nor 2014. Still work to be done, but we would like to see that \nscore increase. I mean, over the last 3 years, we have gone \nfrom a D-minus to a B-plus, and right now, we have the third \nhighest FITARA score in government.\n    Chairwoman CHU. Thank you. My time has now expired.\n    The Ranking Member, Mr. Spano from Florida, is now \nrecognized for 5 minutes.\n    Mr. SPANO. Thank you, Madam Chairwoman.\n    Mr. Cavallo, I assume that the SBA must have anticipated \nthat a wave of applications were going to be incoming through \nthe E-Tran system once the PPP and EIDL launched. However, we \nall know there were concerns about that early on, portal \ncrashing, other technical difficulties that occurred right \nthere at the start.\n    Were any actions taken or undertaken or any efforts made to \nprepare for what, it would seem to me, would have been an \nanticipated load on the E-Tran system?\n    Mr. CAVALLO. Yes. Thank you. Thank you for that question. \nYeah, the E-Tran system is not managed by the Office of the \nChief Information Officer. We partner with our business offices \nto do that. 
It is definitely on our list of systems that need \nto be modernized, and we are following the CIO Council's \nApplication Rationalization Playbook to determine how to \nmodernize. That is going to be a long-term project, sir, and \nthat is something that we could not do between March 1 and when \nthis all hit.\n    The steps that my office specifically took was that we \ndoubled the network connectivity speed because we knew there \nwas this influx of people coming. That took a week or two to \nhappen, but we were able to get ahead of the surge exceeding \nthe demand. We also built that front-end lender gateway as a \ncloud-based application to basically take the load off on some \nof the front of E-Tran to allow our small banks to apply \neasier. And then we worked with our partner at the Office of \nCapital Access to spread out their workday. So instead of \ngetting hit with all the applications coming in at 9 a.m. from \ncertain banks, they spread out the schedule to be able to take \napplications throughout the day.\n    Those are all things that we could do now to lessen the \ndemand on E-Tran. The last thing we did is we approved a \nsignificant hardware investment to up the horsepower of the E-\nTran system, but it is going to take time to modernize that \nsystem. It is a very complex financial system.\n    So those were the things we could take to support it. \nDefinitely there were issues and there was trouble along the \nway, but each of these steps helped lessen the impact or reduce \nthem from happening in the future.\n    Mr. SPANO. Does the continued challenges apparently that \nyou still have with the E-Tran system, are those impacting the \npace, the slow pace at which the EIDL loans are being \nprocessed?\n    Mr. CAVALLO. I don't think I can answer that. It is more of \na program office answer on how they are handling the \nprocessing. As I said, the system is up and running, that is--\n--\n    Mr. SPANO. 
I guess my question is, you mentioned that \nproblems with PPP and the EIDL were a function of or based on \nthe fact that the E-Tran was not built to sustain that level of \ndemand. What I am asking you is, is the EIDL demand still such \nthat E-Tran cannot handle the load?\n    Mr. CAVALLO. From everything I have seen, we seem to be \nhandling the load now.\n    Mr. SPANO. Okay. So that is not--E-Tran is not the reason \nfor apparently the slowdown, the slow process of EIDL, as far \nas you are concerned?\n    Mr. CAVALLO. Yes. From the technology side, I am seeing \nthat it is up and that the connectivity is there.\n    Mr. SPANO. Gotcha.\n    So the SBA received an additional $2.1 billion for SBA \nsalaries and expenses intended to help the agency staff up in \norder to meet the need generated by the pandemic. Can you tell \nus how this money has been spent so far?\n    Mr. CAVALLO. I can address how we have spent it in the OCIO \noffice.\n    Mr. SPANO. With respect to your area.\n    Mr. CAVALLO. Yes. With us increasing the size of SBA by \nabout 500 percent, I knew immediately that our IT help desk, \nour network operations center, monitoring and making sure that \nour networks are working fine, and our security operations \ncenter providing cybersecurity, those were all designed for \n3,000 to 4,000 users, not well over 12,000. So, we have used \nthe funds to help supplement that, and my staff working in \nthose areas, to make sure that the connectivity is there, that \nthe cybersecurity protections are there, that we are not being \noverwhelmed by it. It has been a slow process to ramp that up. \nWe are using both temporary Federal employees and contractors \nto do that.\n    So, in our office, yes, we are all well on the way of \nstaffing up to deal with this increase of size.\n    Mr. SPANO. Okay. I only have 20 seconds left. 
But you talk \nabout in your testimony that--you discuss in your testimony \nusing webcasts to connect with small businesses that save \nthousands of dollars over the SBA's previous teleconferencing \nsolution.\n    My question is, are there any other uses of existing \ntechnology in your arsenal that can be deployed to find other \ncost-savings benefits?\n    Mr. CAVALLO. One of the things we did is we stood up a \nvirtual command center, which saved us the cost of setting up a \ncommand center for our senior leadership to get together. \nDefinitely the web conferencing, we can host 10,000 businesses \nat once now at no extra cost, when before, that would have cost \nus thousands of dollars. Leveraging the cloud is keeping us \nfrom buying more hardware. So that has also been a significant \nimpact.\n    Mr. SPANO. Thank you.\n    I yield back, Chair.\n    Chairwoman CHU. Thank you. The gentleman's time has \nexpired. The gentleman yields back.\n    And now, the gentleman from Pennsylvania, Mr. Evans, is now \nrecognized for 5 minutes.\n    Mr. EVANS. Thank you, Madam Chairperson and Ranking Member.\n    The IRS announced yesterday that they are establishing a \nnew office to spearhead the efforts to modernize the management \nof taxpayer cases. The new office will be responsible for \nupdating its outdated IT systems and making several of its \nprocessing paper documents digital.\n    Would the SBA consider a similar strategy to bring the IT \nsystem, infrastructure, and management documents into the 21st \ncentury? And would the office of the CIO be well suited to \nimplement the strategy?\n    Mr. CAVALLO. Thank you for that question. As an agency, we \nhave adopted the Federal CIO Council's Application \nRationalization Playbook. 
To put that in non-CIO terms, you \nbasically have a methodology to look at each information system \nand decide are you going to modernize it where it is, are you \ngoing to move it to the cloud, do you need to rewrite it, or do \nyou need to shut the system down. So, we are going through our \nmajor applications looking at that first before we start \nspending money just heading down a modernization path without \nhaving a clear direction.\n    What IRS has done is what I see a lot of the other Federal \nagencies doing, and we have been doing that from day one. Over \nthe last 3-1/2 years, we have modernized major parts of SBA. \nThe financial systems are by far the biggest and most complex \nones, so we are taking that on next. But we will work closely \nwith the CFO and Capital Access and ODA on heading down that \nmodernization path.\n    I think until we do that analysis, we won't be able to \nprovide our CFO, our Administrator what the cost would be to do \nthis so that they can come, present that to you, but we are \ndoing that homework now.\n    Mr. EVANS. How could Congress support the SBA in \nestablishing a new office to spearhead IT becoming modern and \ndigital across the entire agency?\n    Mr. CAVALLO. Again, we appreciate all offers of help. \nToday, we have a Chief Technology Office that leads our \nmodernization efforts. I am not sure that we would ask for \nanything additional to that. As I said, we have the methodology \nin place that we intend to use to make the decisions about \nmodernizing systems, and then through our budget process and \nthrough the Administrator, we will come back to Congress and \nmake those requests for funds when we are ready.\n    Mr. EVANS. In mid-April, the SBA announced that on March \n25, it discovered that the application system for the EIDL may \nhave disregarded personal information to other applicants of \nthe program. What personal information was divulged?\n    Mr. CAVALLO. Let me check for that, sir. 
I don't want to \ngive you a wrong answer.\n    Looks like I don't have that information with me. There was \na formal report that we filed with US-Cert, so I can supply \nthat information with you as a follow-up.\n    Mr. EVANS. Okay. No problem.\n    Since I am talking about it, for EIDL application status, \nthe only updates provided are processing and then accepted or \nrejected. This has caused severe stress for small business \nowners in my district who have great difficulty checking the \nstatus of the application. Is the SBA working on improving the \nstatus checking on these loan applications? And let me give you \na followup real quick. What is the timeline for improving loan \napplication status checking?\n    Mr. CAVALLO. The Office of the Chief Information Officer \ndoes the enterprise networking and connectivity and \ninfrastructure. What you are asking about is a program office \ndecision that is run by the Office of Disaster Assistance.\n    Mr. EVANS. Right.\n    Mr. CAVALLO. So, I can't answer that for them.\n    Mr. EVANS. Okay. Real quick, I think I----\n    I yield back to the Chair my remaining time.\n    Chairwoman CHU. Thank you. The gentleman yields back.\n    And now, the gentleman from Tennessee, Mr. Burchett, is now \nrecognized for 5 minutes.\n    Mr. BURCHETT. Thank you, Chairlady, Ranking Member.\n    Eighty-six percent of the PPP loans in Tennessee in the \nSecond District where I represent are under $150,000. Do you \nknow how many of those are nationwide and the amount, total \namount that would be?\n    Mr. CAVALLO. No, sir. That is not something that I would \nhave in the Chief Information Office.\n    Mr. BURCHETT. How would I go about getting that?\n    Mr. CAVALLO. We can provide that from our business offices \nthat would have that up to date daily.\n    Mr. BURCHETT. Great. 
If you all could send that to me, that \nwould be great.\n    And I have been hearing some complaints the E-Tran system \nis too complicated, especially for those who are new to SBA \nlending. What can the SBA do to make its public-facing \ntechnology systems more user friendly?\n    Mr. CAVALLO. Again, a very good question. It is something \nthat my team is dedicated to do. A lot of the new programs that \nI highlighted that we implemented, especially for the CARES \nAct, are much easier to use than the legacy systems. And \nwhenever we can, for something like E-Tran that we can't \nmodernize overnight, what we are trying to do is put a new \nfront end in front of it so that the small business owner or \nthe citizen is able to more easily interact with the system. We \nwere able to do that successfully for a number of these \nprograms.\n    Mr. BURCHETT. Right.\n    Mr. CAVALLO. Overall, it is a major initiative to improve \nthe customer experience for any SBA user. I mentioned earlier \nthat we have moved to login.gov, which is a common way that GSA \nprovides the Federal agencies, where before, if you logged in \nto separate SBA systems, you might have to fill out your \ncompany's information over and over again. Again, we are taking \nsteps to eliminate that and use more of these common platforms, \nso you have one identity.\n    Mr. BURCHETT. Okay. Do you feel that the SBA has the \ncapacity to manage all these new lenders moving forward?\n    Mr. CAVALLO. Again, from the CIO's office, we have been \nable to absorb the 500 percent increase in staff and support \nthe systems. The program offices that actually work with those \nlenders, they would be better able to answer that question, \nsir.\n    Mr. BURCHETT. Okay. All righty. Thank you very much.\n    Chairwoman CHU. Okay. At this point, the gentleman yields \nback.\n    And at this point, all the members present have asked a \nquestion. 
So we actually have time for a second round of \nquestions, so please be present if you would like to go a \nsecond round. I will start by recognizing myself for 5 minutes.\n    Mr. Cavallo, when we arranged this committee hearing, we \ndiscovered that your Office of the Chief Information Office \nonly oversees 37 percent of SBA's IT program. And this raises \nseveral new concerns, including why SBA would take such a \ndisjointed approach to IT and cybersecurity, and why it did not \nentrust its chief information officer with managing IT for the \nPPP and EIDL, and to what extent the deputy CIO was brought in \nto help when PPP and EIDL both encountered significant \ntechnology system failures.\n    So why is the SBA's IT staff decentralized? Who controls \nthe remaining 63 percent, and how has it helped or hindered \nSBA's ability to respond to the coronavirus pandemic?\n    Mr. CAVALLO. Thank you for that question, ma'am. You know, \nSBA has long had a history of being decentralized, and one \nthing in a decentralized world is that you get some of the IT \nstaff closer to the program operations than staying in a \ncentral location. What we have done is partner with those \noffices. Most of those staff members are in the Office of \nDisaster Assistance and the other program offices. We partnered \nwith them throughout this process.\n    Going back to your question, how involved were we in all of \nthis, we were very involved. None of the program offices went \noff and worked on their own on this. We put teams together and, \nlike I said, sometimes pulling all-nighters to get these new \nprograms in place so that lenders could apply.\n    There are different models for IT. Like I said, right now \nat SBA, we are more decentralized, so what we have done over \nthe years is make sure that we have a strong partnership with \nthose offices. The CIO Office does have FITARA approval of \nevery IT procurement of $50,000 or more. 
So, if an office tried \nto do something without having us involved, there is a hard \nstop that they can't proceed without the CIO.\n    So, we have worked very well together. We spend time at \neach other's conferences and work together as a team. So right \nnow, the model is working for us.\n    Chairwoman CHU. But would there be greater improvement if \nthis operation was centralized?\n    Mr. CAVALLO. That is a great political science debate over \ntime. We can find as many people arguing that centralizing \neverything is better than decentralizing, and we can find just \nas many people arguing with that.\n    I think, Madam Chairwoman, the important part is that we \npartner together. If we ran independently, I would absolutely \ngive you a different story. But we work so well together that \nit doesn't matter who we report to, that we are all pulling \ntogether in the same path of making sure that we have these \nsystems up and operational as much as possible. So, I really \ncan't give you a better answer than that.\n    Chairwoman CHU. Well, were you aware of the deficiencies \nwith the portals used to implement the Paycheck Protection \nProgram prior to its launch, and did the Office of Capital \nAccess request assistance?\n    Mr. CAVALLO. As far as deficiencies, I am not sure which \npart you are talking about. As far as just the recommendation \nthat they be expanded, yes, we were working with them on those \nexpansions before that point. Just in the last year, we have \nadded our cybersecurity coverage across their systems, which \npreviously were done independently. So, yeah, we have worked \nwell together, and they have asked for our help and we have \njumped in and helped them throughout this process. For example, \nputting a front end to E-Tran was something we did together. We \ndid not force that on them. They recognized that we had the \nexpertise in our office to do the new cloud-based systems. They \nhad the expertise in E-Tran. 
And we used both teams together to \nget that new front end put in as quickly as possible.\n    Chairwoman CHU. And I know you have--the CIO has an annual \nbudget of $28 million. What percentage of this is towards \nimproving cybersecurity?\n    Mr. CAVALLO. Off the top of my head, I would say that--\nagain, our move to the cloud was our biggest eye opener on \ncloud cybersecurity capabilities, so we got a benefit from that \nright away. We are probably spending $13 million of that on \ncyber, and everything that we are doing is based on cyber.\n    One thing that my development teams do is we have security \nbuilt into it so that it is not an afterthought. So, I can't \ngive you a number for all of that because they are part of the \nteam, but we take our cyber very seriously. And, in fact, as I \nmentioned earlier, DHS relies on us as being one of their prime \nagencies that they go to on how best to do cyber.\n    Chairwoman CHU. Okay. My time has expired.\n    Now, I would like to recognize the Ranking Member from \nFlorida, Mr. Spano, for 5 minutes.\n    Mr. SPANO. Thank you, Madam Chairwoman.\n    Mr. Cavallo, you referenced a couple of times now putting a \nfront end onto the system. Can you explain to those of us who \nare computer illiterates what that means?\n    Mr. CAVALLO. Yes. It is great to have IT talk. You can \nhave, even back to the old green screen days, a very difficult \nand complex screen to fill out that the data goes into in an \nold legacy system, or we can put a new web page that has \ndropdowns and colors and you can see exactly where you are, and \nthe data still goes into the legacy system. So that is----\n    Mr. SPANO. It is the way that the user interfaces with the \nsystem, more user-friendly essentially.\n    Mr. CAVALLO. Yeah. We have simplified the user interface, \nmade it easier for them to access the system than the old----\n    Mr. SPANO. 
But you can't conduct substantive kind of \nfundamental changes to the system with these front-end patches, \nI guess?\n    Mr. CAVALLO. No. That is where you need to do the full \nmodernization and look at the right path.\n    Mr. SPANO. Got it. Okay.\n    It is our understanding that the SBA has spent \napproximately $27 million on its new certify.sba.gov system. Do \nyou have an updated figure on that?\n    Mr. CAVALLO. Yes, I do. If I brought it with me.\n    I will say we are in the process of re-platforming Certify. \nLast year, the CIO and the CFO stopped the current development, \nwhich was the number that you are referencing. It was custom \ncoded, so it meant that everything had to be written from \nscratch, and the decision was made that that was not a path to \ncontinue down. And what we have done since November, we have \nspent $3.5 million to rewrite the WOSB Program and HUBZone \nProgram as the first two out on software as a service, which \nsimply means instead of writing every line of code to be a \ndatabase or to be that screen, we leverage the power of \npreexisting software.\n    So, we just launched the new WOSB version last week, using \nthat software as a service. It is a platform that we are using \nacross SBA to do our citizen reporting. The ODA team is using \nit for their disaster portal.\n    So instead of being a standalone, custom-built application, \nwe are moving Certify to a common platform that will give us a \n360-degree view of all of our interactions with customers. So, \nwe are in the middle of that rewrite.\n    Mr. SPANO. Okay. Prior to the Certify system, there was \nanother system that kind of went south, from what I have heard.\n    Mr. CAVALLO. Yeah.\n    Mr. SPANO. And now, it seems like this one, we were using \nit for a while, and now we are doing main wholesale changes to \nit, it seems, based on your explanation there. 
Is that usual to \nhave changes and move to different programs and for them not to \nbe effective and just to move from one to the next? Help me \nunderstand because, you know, I am not a techie, but it just \nseems like that is very inefficient.\n    Mr. CAVALLO. That is a great question. It is all a factor \nof time. Today, my opinion is if you can have a vendor supply \nthe platform so that they are responsible for doing updates, \nthey are doing the code things, like with Office 365, Microsoft \nis updating Word and Outlook and all of those programs, and \nthen you just write your code on top of that, then you have the \npower of a major vendor providing your cybersecurity, making \nsure everything is patched, that any potential breaches or \nattacks from foreign adversaries are covered. Moving away from \ncustom code to that is absolutely something I would do a \nhundred times out of a hundred times.\n    Mr. SPANO. But that is not what we are operating under \ncurrently. We are doing it in-house?\n    Mr. CAVALLO. Yeah. The new Certify program that we just \nlaunched last week----\n    Mr. SPANO. Okay. It is moving?\n    Mr. CAVALLO. That is on this new platform.\n    Mr. SPANO. I see.\n    Mr. CAVALLO. Like I said, we have WOSB as the first one out \nof the gate, HUBZone will be next. But, yeah, the rest of the \nprogram has a long legacy.\n    Mr. SPANO. Okay. So let me get your assurances, as much as \nyou can give it to me sitting here, based on the fact that we \nhave kind of failed here a couple of times now at this. Do you \nfeel confident that this new way forward is actually going to \nwork like we intend it to work? It is going to be an \nappropriate, responsible investment for the American taxpayer?\n    Mr. CAVALLO. Like I said, from a technology standpoint, \ngetting out of custom code, whether you put it in the cloud or \nwhether you kept it on premise, absolutely is the right \ndirection to go today. 
You know, the legacy systems that are \nall custom code are what is keeping agencies up at night. So, I \nthink we have made the right choice and we are headed in the \nright direction.\n    The Office of Disaster Assistance has 2,500 users already \nin the new system, so I think what we are seeing differently, \ninstead of being its own standalone system run by just the GCBD \noffice, we are seeing more buy-in to a platform across the SBA \noffices, which helps us break out of silos of dataware. If you \nasked our offices can you give me data for my district, we \nactually have to go to different systems to give you that data. \nWhere we are headed to is that will all be very simple common, \nso that one office knows what your citizen did versus another \nvisiting another office.\n    Mr. SPANO. I see. Thank you.\n    Madam Chair, I yield back.\n    Chairwoman CHU. Okay. The gentleman's time has expired.\n    And now, the gentleman from Pennsylvania, Mr. Evans, is \nrecognized for 5 minutes.\n    Mr. EVANS. Thank you, Madam Chair.\n    My understanding, this is the first year that the SBA has \nhad the ability to transfer funds to its working capital to \nupgrade IT equipment?\n    Mr. CAVALLO. Yes.\n    Mr. EVANS. Okay. What are the priorities moving forward \nthen?\n    Mr. CAVALLO. Yes, thank you for asking that. Yes, last \nyear, was the first year that SBA was able to implement a \nworking capital fund. So, we have had less than a year of \nhaving that fund available. And at the end of last fiscal year, \nwe were able to seed that with $6 million.\n    We have set up a governance model at SBA where the CIO and \nthe CFO manage that working capital fund. The offices may \npropose----\n    Mr. EVANS. While you are at it then, can you tell me, in \naddition, what has SBA done with the $6 million then?\n    Mr. CAVALLO. Yes. We have made priorities to--most of it is \ngoing towards modernizing systems. Part of it went to modify \nthe Certify system. 
We have also put part of it into updating \nand modernizing the EDMIS system. So, there are about four or \nfive different areas.\n    Sir, we did not use it to buy any hardware. Everything that \nwas put into that fund we have dedicated to modernizing new \nsystems.\n    I don't know how the end of the fiscal year will end up, if \nwe get to supplement that with another influx of money, but \nright now, that is 2-year money. So, the programs that we \nstarted this year, if they need to go past the fiscal year, we \nwere counting spending some of that $6 million to keep them \ngoing until they are finished, like the EDMIS program. But, as \nI said, this was the first year of the agency having that fund.\n    Mr. EVANS. My understanding when the paycheck protection \nportal was launched, the E-Transfer system where lenders \nsubmitted borrower applications went offline for as long as 4 \nhours. On April 27, upon reopening, the PP portal crashed \nagain. I heard from many lenders, you can imagine, in my home \ncity of Philadelphia about the frustration in using this \nsystem, which caused them much stress.\n    How did the office of the CIO work with the Office of \nCapital Access to recidivise the issues and relaunch the \nsystem?\n    Mr. CAVALLO. Sure, yeah. What I mentioned earlier is that \none thing that we saw was that the amount of users hitting the \ntraffic from outside was growing tremendously, so we increased \nthe bandwidth connectivity to it so that that would not be a \nlimiting factor. And we put in a new front end to make it \neasier to access the system, like the Lender Gateway. There \nwere hiccups along the way because you have a very legacy \nsystem and you have a brand-new system. I believe we figured it \nout through this time, and it should be much easier and better \nnow. But there definitely were hiccups in the early days with \nthe tremendous volume that we were facing.\n    Mr. EVANS. 
So how successful do you think you have been, if \nyou had to kind of rate it in terms as a result of you \nrevisiting it?\n    Mr. CAVALLO. I think for an agency the size of SBA to \nrespond to all that we have responded to, that I can't commend \nhigher my staff and the other program offices' staffs for \nstepping in. We know that--we have talked about it throughout \nthis meeting--in the early days, the first week or two or \nthree, there were significant problems, but everybody jumped \ninto it. So I would give us a pretty high rating today.\n    Mr. EVANS. Okay. I thank you.\n    Thank you, Madam Chair. And I yield back the balance of my \ntime.\n    Chairwoman CHU. Well, thank you.\n    [Inaudible] now all of the members have asked their \nquestions, so I would now like to close.\n    And I thank you, Mr. Cavallo, for your testimony today on \nSBA's technology systems, IT modernization efforts, and help \naddressing its cybersecurity issues.\n    While I understand that the demands on these technology \nsystems is unprecedented, several of these issues were \npreventable. 
SBA needs to have an IT infrastructure in place \nmoving forward that can scale and respond to the high volume of \napplicants in need of support during COVID-19.\n    Several of the technical issues that arose affected the \nability of small businesses to access loans, and the \ncomplicated and difficult process of applying placed another \nunnecessary burden on small businesses that were already \nstruggling to stay open.\n    The Committee looks forward to working with you in the \ncoming months to address these technical issues and make sure \nthey are working effectively so SBA can implement its programs \neffectively and meet the needs of millions of small businesses \nthat are relying on you to help them stay afloat.\n    I ask unanimous consent that members have 5 legislative \ndays to submit statements and supporting materials for the \nrecord.\n    Without objection, so ordered.\n    And if there is no further business before the committee, \nwe are adjourned.\n    [Whereupon, at 1:58 p.m., the Subcommittee was adjourned.]\n    \n                            A P P E N D I X\n\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] \n\n                                 [all]\n</pre></body></html>\n"