Federal Reports

The enclosed report presents the results of the audit of the Commission’s financial statements for the fiscal year ended September 30, 2018

Following the January 13, 2018, false missile alert in Hawaii, Congress requested we examine the Federal Emergency Management Agency’s (FEMA) role in the incident. We concluded that FEMA has limited responsibility for the sending and canceling of state and local alerts. Following the Hawaii false missile alert, three U.S. Senators proposed legislation to define the federal government’s role during false missile alerts, as well as to direct FEMA to recommend best practices in the alerting process. We also identified two areas of concern regarding FEMA’s overall oversight of IPAWS. Although FEMA maintains IPAWS as a messaging platform, state and local alerting authorities must obtain commercially-available emergency alert software to generate a message which passes through IPAWS for authentication and delivery. However, we found that FEMA does not require that this software perform functions critical to the alerting process, such as the ability to preview or cancel an alert. Instead, FEMA only recommends that software vendors include these capabilities as “best practices.”

Our objective was to assess whether Decision Analysis Reports (DAR) I and II cybersecurity investments’ stated performance metrics aligned with the Corporate Information Security Office (CISO) strategic and cost objectives.