News from the Department of Homeland Security OIG
Having trouble viewing this email? View it as a Web page.

February 17, 2023 Office of Public Affairs: dhs-oig.officepublicaffairs@oig.dhs.gov

FEMA Should Improve Controls to Restrict Unauthorized Access to Its Systems and Information

The Federal Emergency Management Agency (FEMA) did not consistently apply the information technology (IT) access controls needed to restrict unnecessary access to its systems and information. Specifically, FEMA did not promptly remove or adjust system and information access when personnel separated or changed positions. For example, 75 percent of the accounts for separated personnel we examined remained active beyond the individual’s last workday. Additionally, FEMA did not monitor and configure privileged user access, service accounts, and access to sensitive security functions as required. These deficiencies stemmed from insufficient internal controls and day-to-day oversight to ensure access controls were administered appropriately and effectively to prevent unauthorized access.

Based on our testing, FEMA did not implement all the required security settings and address vulnerabilities timely for its IT systems and workstations. This occurred because FEMA was concerned updates might negatively impact system operations and because it faced operational challenges.

The deficiencies identified during this audit exposed FEMA’s network and IT systems to risks of compromise by potential attackers. Additionally, these deficiencies could have limited the Department’s overall ability to reduce the risk of unauthorized access to its network, which may disrupt mission operations.

Read Report No. OIG-23-16

U.S. DEPARTMENT OF HOMELAND SECURITY, OFFICE OF INSPECTOR GENERAL
WWW.OIG.DHS.GOV l TWITTER: @DHSOIG