Charles McClam | The changing ways of SBA
Interview with Charles McClam, acting CIO of the Small Business Administration
- By Rob Thormeyer
- Jan 31, 2006
2005 was not an easy year at the Small Business Administration. Aside from facing criticism for what lawmakers considered a bureaucratic response to the Gulf Coast hurricanes, the agency's inspector general questioned its commitment to IT security. None of this has fazed acting CIO Charles McClam, who said watching smoke billow out of the Pentagon on Sept. 11, 2001, from his office while he was at the IRS helps him keep perspective.
McClam, who started his current job in September, detailed steps SBA is taking to improve its IT security and the wholesale changes that are coming to its Loan Accounting System.
GCN: The inspector general was critical of SBA's IT security. Do you agree with the findings and what is your response to the October report?
McClam: Overall, I agree with the OIG report. There are a lot of activities that we're working on to bring about a resolution. We're involved with the OIG, we're engaged with the program officers where some of this responsibility lies. Ultimately, we have to work collaboratively to bring about resolution to the issues identified.
There are plans, actions and milestones. We work with program officers to identify any issues and threats or vulnerabilities to our systems, and we track actions to remediate and resolve those issues. We have bimonthly meetings with the OIG to work on issues that surfaced in the reviews, and I've found, over the past six months or so that I've been here, that those meetings have been very helpful and useful to me.
We're engaged from a 360-degree perspective. When I came here we had about 13 IG findings [that needed to be improved]. Right now we have completely cleared two of them. We've taken very focused action to begin to resolve eight of them, and the other two or three that remain, we're actively working on with the program offices.
GCN: Can you provide more specifics on what you've done to address IT security?
McClam: Overall, there was a significant weakness in terms of how we prioritize our IT security issues. We have the plan of action and milestones in place, and we've been using it for quite some time. Through our various meetings that we've had with the OIG over the past six months, we've highlighted those issues and put them in a particular arrangement, with a color code, so we know the importance of certain items, and we put our resources against that to move it off the table as a potential weakness.
So we were able to successfully get a green [score from the IG] in that, because it now ensures that significant security weaknesses are being addressed in a timely manner and the appropriate resources are put against those weaknesses.
The second area we have an overall green in is our ability to maintain security and evaluate various issues that affect the integrity of the security of our environment.
SBA has assessed risks to operations and assets under its control and we're maintaining security plans and performing security testing and evaluations through various policies and procedures to ensure our infrastructure is not being threatened or cannot be penetrated by outside folks who want to do damage to our infrastructure.
GCN: What in particular alarmed you about the state of IT security when you took your current position in September?
McClam: A lot of the systems deal with processes that are somewhat old and haven't been relooked at to ensure that they are continuing to be leveraged to operate in the most efficient way possible. When I look at some of the processes that are being implemented through automation, I can readily see opportunities for improvement.
Nothing surprised me here. It's just the fact that some of the technology, as budget authority becomes available, needs to be updated so we can leverage the various automated processes to get the best bang for the buck. You can try and try and try, but it doesn't happen with very aged technology.
GCN: How big of a role did your office play in dealing with Katrina aftermath?
McClam: When [the Disaster Credit Management System] processes a loan application, it eventually makes its way up to [the Loan Accounting System] for processing loan approval and disbursement. We maintained that particular system and kept it operational 24 hours a day, 7 days a week.
DCMS is managed by the Office of Disaster Assistance. That particular system is the vehicle through which the loans come in; that's the input. They move on to the Loan Accounting System, which is the one mainstay, core system that processes loans for disbursement.
We also have in place a PC buy contract in which ODA has purchased roughly $3.5 million of IT equipment, including desktops, servers, laptops, switches and routers. These help support Katrina operations in the Gulf Coast area. We've also set up 800-numbers to help ODA employees in the area and other field offices to communicate.
GCN: How has the LAS held up against the deluge of loan applications?
McClam: Our system stayed up 24 hours a day, seven days a week. And we've got folks working to support our system 24/7. When a loan application is taken in via DCMS, that application is processed forward through our telecom network and gets put into LAS. There are various routines and applications that are running in that environment that allow for a particular application to be scored, approved or disapproved. If it's approved, operations take place internal to that system for disbursement of checks.
GCN: What's coming up around the corner?
McClam: We're in the process of taking some actions to modernize the LAS. LAS is one of the core systems we use to support our mission and it's been around for 30-some-odd years. The technology is somewhat dated; we're looking to modernize that in the next few years.
GCN: Do you foresee a wholesale revision of LAS?
McClam: It will be done in a modular way, it's not like attacking the entire elephant. We're taking small bites and making sure they deliver functionality and support the overall mission. We'll eventually migrate from the older system to a new one.
We have an executive steering committee that's being headed by the CIO, chief financial officer, Office of Disaster Assistance, Office of Procurement and Grants. There's a whole organizational engagement, making sure this core capability, this design, is right the first time.
GCN: When will you be finished?
McClam: Right now we're looking at probably a 3 1/2-year window to accomplish this. We're in the throes of developing a statement of work. This will certainly be a major undertaking for the organization, and it will be contracted out.