FEMA Should Improve Controls to Restrict Unauthorized Access to Its Systems and Information

Date Issued

Friday, February 17, 2023

Submitting OIG

Department of Homeland Security OIG

Other Participating OIGs

Department of Homeland Security OIG

Agencies Reviewed/Investigated

Department of Homeland Security

Components

Federal Emergency Management Agency (FEMA)

Report Number

OIG-23-16

Report Description

The Federal Emergency Management Agency (FEMA) did not consistently apply the information technology (IT) access controls needed to restrict unnecessary access to its systems and information. Specifically, FEMA did not promptly remove or adjust system and information access when personnel separated or changed positions.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 6 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
2	No	$0	$0
We recommend the FEMA Chief Security Officer develop and implement internal controls to monitor and enforce supervisors and contracting officer’s representatives’ compliance with the Access Lifecycle Management system’s offboarding process for removing IT access.
3	No	$0	$0
We recommend the FEMA Chief Security Officer implement a process to identify and verify that transferred personnel’s unneeded access is removed in accordance with FEMA requirements.
4	No	$0	$0
We recommend the FEMA Office of the Chief Information Officer implement a standardized process to conduct and monitor privileged and service account reviews in accordance with FEMA requirements.
5	No	$0	$0
We recommend the FEMA Office of the Chief Information Officer remove the unnecessary privileges that allowed additional users to access the sensitive security account we identified.
6	No	$0	$0
We recommend the FEMA Office of the Chief Information Officer implement automated tools or additional controls and policies to change service account passwords as required and prevent interactive logon.
7	No	$0	$0
We recommend the FEMA Office of the Chief Information Officer implement automated tools or additional controls and policies to change service account passwords as required and prevent interactive logon standards where possible or submit requests for waivers or risk acceptance to the DHS Chief Information Security Officer to forgo this setting on affected FEMA service accounts.