The Department of Homeland Security’s inspector general said it would launch a comprehensive audit of the Federal Emergency Management Agency’s IT approach after it said the agency’s CIO misled them on progress resolving issues from prior audits.
In a Feb. 26 notice, the IG said that despite numerous compliance reports tracking FEMA’s progress on five recommendations from a 2015 audit of the agency’s IT management, the agency had only closed one recommendation.
During a subsequent verification review in December 2017, investigators said the justification FEMA CIO Adrian Gardner provided for closing that recommendation — that he finalized an IT Governance Board charter — “was misleading,” and that the board procedures taken hadn’t met the intent of the recommendation.
The IG also said Gardner claimed he had included a fiscal 2018 performance plan to close the remaining recommendations, but OCIO officials said he actually removed the funding and staff resources needed to complete it.
Due to a decentralized IT management infrastructure within the agency, FEMA’s office of the CIO faced a host of problems that the IG has been documenting since 2005, including frequent turnover in the CIO position, multiple IT management plans that were never fully executed, current IT systems that weren’t integrated agencywide and other problems.
The IG offered five recommendations in the 2015 report to help streamline FEMA’s IT modernization efforts and empower its CIO, who, it said, only accounted for 38 percent of the agency’s $450 million in IT spending in fiscal 2014.
Those recommendations included:
- That the FEMA CIO finalize necessary IT planning documents that reflect the current IT strategy of the organization and IT modernization initiatives
- That the FEMA CIO Execute the planning documents, using the milestones and metrics included in them to evaluate FEMA’s long-term progress in improving its IT management and operations.
- That the FEMA CIO finalize an IT Governance Board charter and expand the capacity of the board to make it the IT decision-making authority for the agency and its modernization plans.
- That the FEMA CIO implement a plan of action and milestones to address the integration and reporting limitations of existing systems.
- That the FEMA CIO implement and enforce a standardized, agency-wide process that sufficiently defines and prioritizes the acquisition, development, operation, and maintenance requirements for all systems.
IG officials said that six compliance reports and recent work has shown that the agency was no closer to completing the recommendations. Issues with the previously closed recommendation, the office said, had caused them to take a deeper look at FEMA’s ongoing IT management problems, especially for tracking disaster relief appropriations in the wake the 2017 hurricane season.
“Many of the issues we reported based on our prior audits in 2005, 2011 and 2015 remain unchanged, with adverse impact on day-to-day operations and mission readiness,” the report said. “Given these deficiencies, we are suspending our verification review and will initiate a more comprehensive audit of FEMA’s IT management approach. We expect that this new audit will assist FEMA in resolving its longstanding IT issues, which can hamper disaster response efforts.”
A FEMA spokesperson said in an email that the agency was committed to addressing the OIG’s concerns.
“FEMA takes the contents of the OIG’s Management Alert seriously and are taking steps to address the OIG’s concerns, and we are committed to an improved Information Technology Governance Board,” the spokesperson said.
Officials from the inspector general’s office were not immediately available for contract.