FEMA struggles with financial systems controls

By Meg Beasley
Federal News Radio

The Federal Emergency Management Agency financial management systems continue to have cybersecurity vulnerabilities and lack contingency plans for its databases.

A new report released Monday by the Office of the Inspector General at the Department of Homeland Security (DHS) details FEMA’s ongoing problems in securing their systems. Auditor say the agency failed to resolve 22 of the 58 findings, while the other 36 are new weaknesses.

Inspectors also found FEMA was not in compliance with the Federal Financial Management Improvement Act of 1996 (FFMIA). This legislation aims to ensure that agency financial systems provide accurate, reliable and timely information.

The most serious problems are related to controls over security management, access to programs and data, program changes and contingency planning. Inspectors say that together, these deficiencies “limited FEMA’s ability to ensure that critical financial and operational data were maintained in such a manner to ensure confidentiality, integrity, and availability.”

For example, FEMA has no alternate site or backup controls for the National Emergency Information System. Auditors also say sensitive information systems are not sufficiently protected by passwords and codes, noting unlimited access by contractors and developers to the production environment.

“The majority of the findings resulted from the lack of properly designed, detailed and consistent guidance over financial system controls to enforce DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program, requirements and National Institute of Standards and Technology guidance,” the report states.

FEMA did address some weaknesses identified in the fiscal 2008 audit, such as implementing agreements for cooperation with external agencies and making progress in certifying certain user accounts, auditors say.

In a letter to IG, FEMA’s chief information officer Jean Etzel agreed with the report’s findings.

“FEMA develops and maintains a detailed plan of action and milestones for each audit recommendation… We believe these [plans] provide the specific responses to each audit recommendation requested,” she wrote.

Meg Beasley is an intern with Federal News Radio.

(Copyright 2010 by FederalNewsRadio.com. All Rights Reserved.)