No Quick Fix

The Federal Emergency Management Agency's financial management system is in trouble, but the solution to its problems could be several years away. That's a lifetime in the cyber world.

Information Week reports that an audit commissioned by the Homeland Security Department's inspector general found 22 problems with FEMA's system that disregard federal cybersecurity regulations.

Vulnerabilities found and corrective actions taken regarding the National Emergency Information System weren't reported and tracked; the certification and accreditation for FEMA's networks didn't include the LAN on which FEMA's primary financial apps reside; and the certification and accreditation for parts of a flood insurance system had expired.

FEMA also had access control problems. KPMG found password, patch management, and security configuration problems on servers supporting financial and support systems. User account control was another problem, as accounts weren't reviewed for appropriateness, weren't disabled or removed promptly after employees were fired, and weren't documented properly upon being handed out. Strong passwords weren't enforced on several systems, including access to FEMA's LAN.

Given how quickly threats change, there's a pressing need for agencies to fix holes in their systems in a very short timeframe. The audit suggested that FEMA's problems could take several years to correct, but what else will arise in the meantime?