Audit finds gaps in FEMA's database security

An audit released Monday found weaknesses in a central database used by the Federal Emergency Management Agency, meaning that sensitive information has been susceptible to hackers and attacks.

The audit, which was redacted for public release, concluded that the Homeland Security Department's Emergency Preparedness and Response Directorate failed to establish adequate or effective database security measures for its information technology network, which is called the National Emergency Management Information System. FEMA uses NEMIS for incident tracking and coordination; the system also allows individuals and small businesses to apply for assistance and processes state requests for funding of hazard mitigation projects.

Auditors found at least 56 vulnerabilities, including a lack of effective procedures for granting, monitoring and removing user access. The report also cited the need for contingency training and testing to respond to an attack, and the need to provide system administrators with specialized security training.

"Due to these database security exposures, there is increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," the report stated. "In addition, EP&R may not be able to recover NEMIS following a disaster."

The audit was conducted by the department's inspector general and was based on research and field work completed by January 2005.

In a written response to the report, department officials said that they agreed with the auditors' findings and recommendations, and had taken steps to improve security.

DHS is implementing 71 out of 100 recommendations made by the auditors, stated Barry West, FEMA's chief information officer, in an Aug. 10 letter. FEMA spokeswoman Nicol Andrews said the agency is addressing the remaining recommendations.

At the time the audit was conducted, the EP&R directorate was managed by Michael Brown, who resigned in September under mounting criticism regarding how FEMA handled the response to Hurricane Katrina.

The directorate was abolished last month, however, in favor of a new Preparedness Directorate, which will include an assistant secretary for cyber and telecommunications security. FEMA has become a stand-alone agency reporting directly to Homeland Security Secretary Michael Chertoff.

The fiscal 2006 DHS budget, which President Bush signed last month, provides $4 billion for the creation of the new preparedness directorate. Additionally, Bush recently named George Foresman to manage it. Foresman currently serves as assistant for preparedness to Virginia's governor, where he is the principal adviser and overall coordinator for homeland security, preparedness and relations with military commands and the private sector.
