Watchdog: FEMA Needs Better Plan for ‘Cobbled Together’ IT Systems

The Federal Emergency Management Agency needs to switch from disaster mode and begin to think more long term when it comes to upgrading its IT environment.

That’s according to a recent report from the Government Accountability Office, which reviewed the agency’s IT modernization plans.

By its own admission, FEMA’s IT environment is a tangled morass of systems and applications riddled with duplication and inefficiencies.

The agency’s current systems “have been neglected or cobbled together based on immediate needs ... often without an orchestrated FEMA-wide approach for acquiring and managing IT,” GAO auditors wrote in report, which was published May 5.

For example, the agency’s systems, by and large, are not “intuitive,” the report noted. Employees “spend significant time” logging into various systems just to complete basic forms. Employees at regional sites have to remember 18 to 20 passwords “to access systems that minimally support their work needs,” auditors noted.  

More than half of the agency’s physical servers are more than 5 years old, “increasing the risk of hardware failures that could affect the delivery of mission-essential systems,” GAO noted.

FEMA spent about $366.4 million of its $14.7 billion budget on IT investments last year, according to agency data.

FEMA has been working to upgrade some systems as part of a broader IT modernization effort. But the agency is working from a dated playbook, GAO said.

The agency is working from a strategic plan that hasn’t been updated since 2013, even though officials are supposed to update it annually.

FEMA IT officials acknowledged the original strategy is no longer up to date.

“The CIO explained that updating the current strategic plan had not been a priority and the agency would rather spend resources on developing a new plan that incorporates a global FEMA IT strategic vision,” auditors characterized the agency’s response.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

That new approach is a 5-year IT modernization plan based on results from a “resiliency review” of the agency’s IT systems and findings from the “cybersecurity sprint,” the governmentwide cyber check-up initiated last summer by the White House in the wake of the massive personnel records hack, officials told GAO.

The draft modernization plan was finished in December but was still awaiting final review at the time of GAO’s review. FEMA officials at the time were unable to provide a date for when the revised modernization plan would be completed.

“As a result, the agency is limited in its ability to move toward its goal to modernize its systems and eliminate duplicative IT investments,” GAO concluded. In follow-up comments, the agency said it planned to have final sign-off on the plan by the end of April. Nextgov has requested comment from FEMA.

Lawmakers requested the GAO review to gauge FEMA’s progress implementing the 2006 Post-Katrina Emergency Management Reform Act. That legislation required FEMA to address longstanding shortcomings in agency management, including improving the agency’s IT programs, that became clear after Hurricane Katrina ravaged the Gulf Coast in 2005.

GAO also made recommendations for shoring up the agency’s investment review board -- made up of senior IT executives and other agency officials -- which selects and oversees IT investments. In addition, auditors recommended FEMA come up with a plan for plugging skills gaps in the agency’s IT shop, which employs 300 federal employees and some 228 contractors.