With Hurricane Dorian crawling toward the East Coast of the United States, the Federal Emergency Management Agency (FEMA) is far short of federally mandated IT management practices, according to an Aug. 30 report from the Department of Homeland Security Office of Inspector General.

“FEMA has not established an IT strategic plan, architecture, or governance framework to facilitate day-to-day management of its aging IT systems and equipment,” the IG wrote, describing FEMA’s IT investments as “a critical asset” of its disaster response and recovery operations.

“We attribute these deficiencies to the FEMA Chief Information Officer’s limited authority to manage IT agencywide, as well as to a decentralized resource allocation approach that hinders funding for the centralized IT environment.”

The shortfalls found by the inspector general during FEMA’s response to hurricanes and fires in 2017 have been a perennial problem for the disaster recovery agency, with the report adding that these problems “are not new, and were reported in prior Office of Inspector General audits throughout the last 13 years.”

The report found that FEMA has not provided its personnel with IT systems needed for effective response and recovery operations. According to the report, the technology used by FEMA employees did not always contain real-time data or did not support information sharing with external partners.

“We attribute these deficiencies to an inadequate focus on funding to support IT modernization efforts. As a result, field personnel engage in time-consuming, manual processes to accomplish mission tasks,” the IG wrote.

In one example, FEMA employees used personal laptops instead of FEMA’s systems in order “to keep pace with mission requirements.” This is a concept called “shadow IT,” which creates significant cybersecurity risk for agencies.

FEMA was busy in 2017, responding to an “unprecedented” number of disasters that year, most notably Hurricanes Irma, Maria and Harvey, which all struck within a one-month period. Shortly after, FEMA had to respond to major wildfires in California. Altogether, these disasters affected 47 million Americans, or 15 percent of the population.

FEMA does not do any IT strategic planning or enterprise architecture development, practices that have been required for federal agencies for over two decades, the report said.

“Without an IT strategic plan, FEMA cannot effectively identify how it will leverage new technology to reduce operational complexity, increase efficiency, and improve mission outcomes,” the IG wrote.

These shortfalls have resulted in “uncoordinated, uninformed, and reactionary IT spending” that pushed FEMA well over its IT budget. In fiscal year 2018, FEMA’s IT spending exceeded its approved IT budget by $56 million, putting the final cost to taxpayers over $452 million. It also led to “ad hoc” reprogramming of CIO initiatives and reallocation of funding from other IT programs.

The IG wrote that it found deficient enterprise IT architecture in 2005 and 2011. In 2011, the CIO worked to have an architecture baseline, but the report found it was never completed because of staffing and funding shortages.

The CIO of FEMA, the report found, does not have adequate authority to manage the agencywide IT environment. Under federal law, CIOs must have authority to increase efficiency of agency operations and invest in IT solutions. In many cases throughout the government, the CIO has a direct reporting relationship with the agency head, but not at FEMA. Additionally, the FEMA CIO only has authority over 22 systems of nearly 100 major FEMA IT systems. Less than 50 percent of FEMA’s IT staff report to the CIO.

“Decentralized management of funds leaves the CIO without visibility of program office IT spending and the ability to plan for effective agencywide support,” the IG wrote. “As a result, the OCIO has struggled to balance unplanned IT spending for operations, maintenance, and cybersecurity against long-term system upgrades and modernization efforts.”

This is the DHS inspector general’s fifth report on FEMA’s IT challenges, according to the report. The others were issued in 2005, 2008, 2011 and 2015, and resulted in 20 recommendations, some of which have still not been addressed.

The DHS inspector general gave four new recommendations:

  1. Give the CIO the necessary IT authority.
  2. Promote IT planning and management.
  3. Create a strategic plan to define an agency vision for IT, as well as a funding plan, to more efficiently invest.
  4. Develop a modernization approach that includes resolving IT integration, information sharing and reporting deficiencies.

FEMA concurred with all four recommendations.