The Federal Emergency Management Agency (FEMA) did not consistently apply the information technology (IT) access controls needed to restrict unnecessary access to its systems and information. Specifically, FEMA did not promptly remove or adjust system and information access when personnel separated or changed positions.
Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
2 | No | $0 | $0 | We recommend the FEMA Chief Security Officer develop and implement internal controls to monitor and enforce supervisors and contracting officer’s representatives’ compliance with the Access Lifecycle Management system’s offboarding process for removing IT access.
3 | No | $0 | $0 | We recommend the FEMA Chief Security Officer implement a process to identify and verify that transferred personnel’s unneeded access is removed in accordance with FEMA requirements.
4 | No | $0 | $0 | We recommend the FEMA Office of the Chief Information Officer implement a standardized process to conduct and monitor privileged and service account reviews in accordance with FEMA requirements.
5 | No | $0 | $0 | We recommend the FEMA Office of the Chief Information Officer remove the unnecessary privileges that allowed additional users to access the sensitive security account we identified.
6 | No | $0 | $0 | We recommend the FEMA Office of the Chief Information Officer implement automated tools or additional controls and policies to change service account passwords as required and prevent interactive logon.
7 | No | $0 | $0 | We recommend the FEMA Office of the Chief Information Officer implement automated tools or additional controls and policies to change service account passwords as required and prevent interactive logon standards where possible or submit requests for waivers or risk acceptance to the DHS Chief Information Security Officer to forgo this setting on affected FEMA service accounts.