The SBA IT Modernization Reporting Act directs the Small Business Administration’s Administrator, acting through the agency Chief Information Officer, to implement the recommendations contained in GAO report GAO–25–106963 ("IT MODERNIZATION: SBA Urgently Needs to Address Risks on Newly Deployed System"). It requires the SBA to produce and submit an implementation plan within 180 days that establishes policies and procedures governing the agency’s IT modernization projects and to brief congressional small business committees shortly after submission.
This is a targeted compliance bill: it prescribes 11 specific planning and risk-management elements (from explicit source-of-risk statements to traceability analyses and involvement of security subject-matter experts) and cites two GAO best-practice guides for schedule and cost estimating. The measure tightens congressional visibility over SBA IT projects and forces the agency to codify practices that intersect with procurement, cybersecurity, and program management.
At a Glance
What It Does
The bill requires the SBA to implement GAO’s recommendations from a specified 2024 report and to submit, within 180 days, an implementation plan that imposes standardized risk-management, scheduling, cost‑estimating, and security requirements on all IT modernization projects.
Who It Affects
Directly affects the SBA Chief Information Officer, SBA program and project managers, prime contractors and subcontractors on SBA IT work, and the congressional committees that oversee the agency. It also touches cybersecurity teams, acquisition offices, and federal auditors who monitor compliance.
Why It Matters
By converting GAO recommendations into statutory duties and referencing GAO’s schedule and cost guides, the bill creates a de facto federal baseline for how SBA must plan, track, and justify IT projects—raising the bar for accountability but also adding procedural requirements that will shape procurement and project timelines.
What This Bill Actually Does
The Act makes one principal command: the SBA must adopt the fixes that GAO identified in its November 6, 2024 report criticizing a recently deployed SBA system. The Administrator must act through the agency’s CIO to put those fixes into practice; Congress does not leave the specifics to informal guidance.
That elevates what were GAO recommendations into binding, agency-level implementation obligations.
The heart of the bill is the required implementation plan, due in 180 days. The plan must translate eleven enumerated requirements into policies and procedures the agency will apply to each IT modernization project.
Those items range from documenting the origination of each identified risk and defining risk parameters, to developing project risk-management plans and tying mitigation measures directly to those plans. The bill also forces SBA to require traceability analyses, include security subject-matter experts in contractor selection, and ensure acquisition and strategic plans explicitly address cyber risks.
Two GAO publications are named as the templates for technical work: the GAO Schedule Assessment Guide (GAO–16–89G) for master scheduling, and the GAO Cost Estimating and Assessment Guide (GAO–20–195G) for cost estimates.
Practically, the SBA must either adopt those methodologies or explain how its alternative approaches meet the same standards in the implementation plan. The bill requires the plan to identify the SBA office responsible for carrying out each action and to attach timelines for finishing them.
Finally, the Act builds a short loop of congressional oversight: after the plan is submitted, the Administrator must brief the House Committee on Small Business and the Senate Committee on Small Business and Entrepreneurship within 30 days.
The law prescribes what must appear in the plan and where it goes; it does not appropriate funds or change broader procurement statutes, but it does create enforceable expectations for how SBA will run modernization efforts going forward.
The Five Things You Need to Know
The bill directs the SBA to implement GAO report GAO–25–106963 (published Nov. 6, 2024) and make the agency’s response operational.
SBA must submit an implementation plan to the House and Senate small-business committees within 180 days of enactment and name responsible offices and completion timelines.
The plan must require a documented traceability analysis and that each identified risk’s source be explicitly stated in project risk documentation.
Security subject-matter experts must participate in contractor selection for projects, and acquisition/strategic plans must include information needed to manage cyber risks.
Master schedules and cost estimates for projects must be developed using GAO’s Schedule Assessment Guide (GAO–16–89G) and Cost Estimating and Assessment Guide (GAO–20–195G), respectively.
Section-by-Section Breakdown
Short title
Provides the bill’s citation: the "SBA IT Modernization Reporting Act." This is purely nominal but signals Congress’s intent to make IT modernization and reporting a discrete statutory object for SBA oversight.
Implement GAO recommendations
Requires the Administrator, acting through the CIO, to take actions necessary to implement the recommendations in GAO–25–106963. Operationally, that converts a GAO audit into a mandatory corrective directive and places responsibility squarely with the CIO, rather than leaving implementation to ad hoc program-level fixes.
Implementation plan content and project requirements
Mandates a detailed implementation plan due within 180 days that establishes policies and procedures governing SBA IT modernization projects. The bill lists 11 discrete requirements the plan must incorporate for each project—examples include explicitly documenting risk sources, defining risk parameters, performing traceability analyses, integrating cyber-risk information into acquisition plans, involving security SMEs in contractor selection, and applying GAO‑standard guidance to create master schedules and cost estimates. Each listed element is a procedural obligation the agency must translate into internal controls, templates, and review gates.
Accountability and timelines in the plan
Requires the implementation plan to identify the SBA office responsible for each action and provide completion timelines. This turns the plan into more than a menu of best practices: it must assign accountability and a schedule for adoption, which will allow Congress and auditors to test whether the agency delivered the promised changes.
Congressional briefing requirement
Directs the Administrator to brief the House and Senate small-business committees within 30 days after submitting the implementation plan. The briefing requirement creates an early oversight checkpoint and gives committees an opportunity to press for clarifications or additional commitments; it does not, however, prescribe follow-up enforcement mechanisms or funding.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Small businesses that rely on SBA systems — More robust risk management and better-tested schedules/cost estimates should reduce outages, errors, and delays in services such as loans and disaster relief. Better-managed systems can mean faster, more reliable access to SBA programs.
- Congressional oversight committees — Committees gain an explicit, time-bound deliverable (the plan) and a required briefing, improving their ability to monitor SBA IT remediation and hold the agency to a stated timeline.
- SBA cybersecurity and IT governance teams — The statute gives CIOs and security teams statutory backing to impose stricter selection criteria, require traceability and SME involvement, and standardize risk practices across projects, strengthening their leverage in procurement and program decisions.
Who Bears the Cost
- Small Business Administration — The agency must devote staff time and possibly reallocate program and acquisition resources to produce policies, perform traceability analyses, and restructure project management processes; no new funding is provided in the bill.
- IT contractors and vendors for SBA projects — Primes and subs will face stricter selection criteria, increased documentation requirements (traceability, detailed risk records), and expectations for GAO‑compliant schedules and cost estimates, which can increase bid and delivery costs.
- SBA program and project managers — Managers will inherit more prescriptive governance, added reporting chores, and potentially longer planning cycles as projects are made to meet the bill’s documentation and scheduling standards.
Key Issues
The Core Tension
The central dilemma is between imposing rigorous, GAO‑based planning and risk‑management standards to reduce program failures, and preserving the speed and flexibility needed to modernize IT systems with limited agency resources; stronger documentation and controls improve oversight and accountability but risk slowing delivery and increasing costs at an agency that receives no additional funding in the bill.
The statute converts specific GAO recommendations into enforceable agency obligations without providing implementation funding. That raises an immediate implementation question: can the CIO and program offices satisfy the new documentation, scheduling, and cost‑estimating requirements within existing budgets and staff levels, or will compliance divert resources from ongoing projects?
The absence of appropriations means delays and re-prioritization are likely unless SBA secures additional funding through other channels.
Another practical tension is overlap and alignment with existing federal IT governance: OMB policy, agency CIO directives, FedRAMP, and existing SBA acquisition rules already constrain many aspects of IT procurement, risk management, and security. The bill prescribes GAO‑style artifacts (traceability analyses, GAO‑standard schedules and cost estimates) that may not map neatly onto current templates or acquisition timelines.
Agencies can meet the letter of the law by producing documents that satisfy GAO formats but add administrative burden without improving outcomes. Finally, the bill lacks an express enforcement or audit schedule beyond the initial briefing, which leaves open how Congress or GAO will verify implementation quality over time.