FEMA still lags on IT coordination, watchdog says

The Department of Homeland Security's inspector general says FEMA has improved the way it handles IT projects since the last audit in 2011, but work remains.


The Federal Emergency Management Agency has improved IT planning but has not been able to institute proposed governance changes, according to a new report.

The Department of Homeland Security's Office of Inspector General said FEMA has struggled to act on a proposed new IT management policy created in the wake of a critical 2011 report.

The OIG said part of the problem in implementing agencywide IT governance is the fact that the CIO does not have sufficient control or budget authority to lead in an increasingly decentralized IT environment.

FEMA, which spent $450 million on IT in fiscal 2014, has a CIO continuity issue that aggravates the governance problem, according to the OIG. In the past 10 years, the agency has had six CIOs who were appointed or served in an acting capacity, with an average tenure of 15 months. In the past three years, FEMA has had four CIOs.

FEMA's CIO is only directly responsible for $170 million, or about 38 percent, of the agency's overall IT spending.

The OIG recommended that FEMA finalize its plans for an IT governance board endowed with decision-making authority for the entire agency, rather than keeping that authority spread among nearly a dozen entities.

The report also recommends that FEMA implement and enforce an agencywide process to define and prioritize requirements for acquisition, development, and operations and maintenance of its IT systems.

"As a result of system limitations, end users engage in inefficient, time-consuming business practices that can increase the risk that disaster assistance and grants could be delayed and duplication of benefits can occur," the report states.

Additionally, the OIG said the current CIO was diverted from implementing reforms because of the demands of a critical CyberStat review by the Office of Management and Budget, the National Security Council and DHS that found "significant deficiencies" in FEMA's security posture. Fixing security problems while creating a larger IT modernization plan at the request of FEMA's deputy administrator took attention away from the governance issues cited in the OIG's report.

FEMA officials said they will finish strategic and organizational planning by the end of this year and expect to begin moving on key modernization projects -- including switching to cloud-based email, closing gaps in cybersecurity, and modernizing and integrating key business systems -- by the end of March 2016.

By July 2016, they plan to have agencywide IT acquisition standards in place that centralize budgeting and investment and put IT projects on an incremental development basis.