Stay Informed
of New Reports
Twitter
Where To Report Waste
Fraud, Abuse, Or Retaliation
Where To Report Waste Fraud, Abuse, Or Retaliation

FEMA Should Improve Controls to Restrict Unauthorized Access to Its Systems and Information

Submitting OIG: 
Department of Homeland Security OIG
Report Description: 
The Federal Emergency Management Agency (FEMA) did not consistently apply the information technology (IT) access controls needed to restrict unnecessary access to its systems and information. Specifically, FEMA did not promptly remove or adjust system and information access when personnel separated or changed positions.
Date Issued: 
Friday, February 17, 2023
Agency Reviewed / Investigated: 
Department of Homeland Security
Submitting OIG-Specific Report Number: 
OIG-23-16
Component, if applicable: 
Federal Emergency Management Agency (FEMA)
Location(s): 
Agency-Wide
Type of Report: 
Audit
Questioned Costs: 
$0
Funds for Better Use: 
$0
Number of Recommendations: 
10
Additional Details Link: 
https://www.oig.dhs.gov/sites/default/files/assets/2023-02/OIG-23-16-Feb23.pdf

Related Open Recommendations

Recommendation Number Recommendation Status Significant Recommendation Additional Details
1 Open No
We recommend the FEMA Chief Security Officer provide training to supervisors, contracting officer’s representatives, contracting officers, human resource liaisons, and timekeepers on FEMA’s offboarding processes for removing IT access.
2 Open No
We recommend the FEMA Chief Security Officer develop and implement internal controls to monitor and enforce supervisors and contracting officer’s representatives’ compliance with the Access Lifecycle Management system’s offboarding process for removing IT access.
3 Open No
We recommend the FEMA Chief Security Officer implement a process to identify and verify that transferred personnel’s unneeded access is removed in accordance with FEMA requirements.
4 Open No
We recommend the FEMA Office of the Chief Information Officer implement a standardized process to conduct and monitor privileged and service account reviews in accordance with FEMA requirements.
5 Open No
We recommend the FEMA Office of the Chief Information Officer remove the unnecessary privileges that allowed additional users to access the sensitive security account we identified.
6 Open No
We recommend the FEMA Office of the Chief Information Officer implement automated tools or additional controls and policies to change service account passwords as required and prevent interactive logon.
7 Open No
We recommend the FEMA Office of the Chief Information Officer implement automated tools or additional controls and policies to change service account passwords as required and prevent interactive logon standards where possible or submit requests for waivers or risk acceptance to the DHS Chief Information Security Officer to forgo this setting on affected FEMA service accounts.
8 Open No
We recommend the FEMA Office of the Chief Information Officer submit its FEMA Enterprise Compliance Baselines Standard Operating Procedure to the DHS Chief Information Security Officer to verify FEMA’s compliance with DHS’ waiver and risk acceptance requirements for Security Technical Implementation Guides settings that are not implemented.
9 Open No
We recommend the FEMA Office of the Chief Information Officer perform an evaluation to identify additional automated tools to help address known vulnerabilities within required timeframes and implement where possible or formally accept the risk in accordance with DHS requirements.
Displaying 9 of 9 Recommendations