An audit by the Office of Inspector General (OIG) has found that the Federal Emergency Management Agency (FEMA) did not always secure information stored on mobile devices.
Mobile devices, such as smartphones and tablets, are critical for FEMA’s workforce to successfully complete its mission. While mobile devices increase workforce mobility and productivity, they also introduce risks including cyber threats or loss of sensitive government data.
As of May 2022, FEMA had approximately 67,000 mobile devices in its inventory — 23,000 issued devices and 17,000 pending disposal. A FEMA official told OIG that the remaining 27,000 devices were ready to deploy. FEMA uses a cloud-based mobile device management (MDM) system to secure and manage its mobile devices. The MDM performs several important functions, such as connecting mobile devices to FEMA’s network, monitoring the security and configuration settings on the devices, and removing data upon disposal.
OIG said in its July 7 report that FEMA did not ensure employees followed Department of Homeland Security policy which requires documenting the removal of all data (a process known as sanitization) that were disposed of, lost, stolen, or taken on international travel.
According to FEMA’s sanitization guidance, once the device has been sanitized, FEMA’s Mobile Service Center (MSC) is required to complete a sanitization certificate certifying all data has been made inaccessible. FEMA provides additional guidance, which requires all fields in the sanitization certificate to be filled out prior to returning the device to the employee. A copy of the sanitization certificate must be attached to the device, and another copy must be retained for three years. However, OIG found that no guidance is provided for handling the form when lost or stolen devices are sanitized.
During fiscal years 2020 through 2021, OIG identified a total of 16,444 mobile devices that required sanitization. Specifically, in FYs 2020 through 2021, FEMA reported 15,330 disposals and 1,114 lost or stolen devices. Additionally, FEMA reported no devices taken on international travel during FYs 2020 through 2021. OIG stated that there were 39 instances of devices taken on authorized international travel from November 2021 through June 2022 that were required to be sanitized.
OIG said MSC could not provide sanitization certificates for any of the 16,444 mobile devices disposed of, lost or stolen during FYs 2020 and 2021. Staff said they were unaware sanitization certificates were required and said they did not have them for any of the devices in the audit.
FEMA’s Office of the Chief Information Officer has the capability to issue a remote wipe command to a device. OIG reviewed the data logs from the MDM to determine whether MSC sent wipe commands to erase all data stored on the lost or stolen phones. Although FEMA employees reported 890 lost or stolen smartphones in FYs 2020 and 2021, OIG found MSC only sent wipe commands to 50 of the 890 (6 percent) devices.
Additionally, the audit determined that FEMA did not always disable unauthorized mobile devices taken outside the United States or its territories, as required by DHS policy, which prohibits employees from taking their government-issued mobile devices internationally for any personal or official foreign travel, unless specifically authorized by their supervisor. If an unauthorized device is detected internationally, it must be disabled. However, OIG said FEMA only disabled two of the nine unauthorized devices (22 percent) detected internationally in the watchdog’s sample.
This occurred, OIG said, because FEMA is only disabling devices identified as having been detected in hostile countries on the International Traffic in Arms Regulations (ITAR). The two disabled devices in OIG’s sample were both detected in countries on the ITAR list. In one example, FEMA identified an employee who brought a FEMA-issued mobile device to Iraq without authorization and connected it to the FEMA network. In the second instance, an employee accessed FEMA’s network from Port-au-Prince, Haiti. According to the results of the investigations, these employees were not authorized for official travel and violated FEMA policy.
As part of its audit, OIG conducted a technical review and testing of FEMA’s MDM system and applications to determine whether security settings were properly configured on mobile devices, and if FEMA’s mobile applications were updated to prevent unauthorized access to information stored, accessed, and processed by the mobile devices.
To this end, OIG found that FEMA’s configuration management controls comply with the Defense Information Systems Agency Security Technical Implementation Guides. These controls provide reasonable assurance that the mobile device management system enforces security controls and that FEMA’s mobile devices are configured and operating securely, as intended.
However, in its technical review of FEMA’s security management controls, specifically the vulnerability and patch management, OIG identified six vulnerabilities that could potentially expose the devices to mobile application attacks. For example, one vulnerability may provide users with more access than required, while another may lead to weak temporary passwords. FEMA was already taking steps to remediate the vulnerabilities at the time of the audit. To address the other shortcomings found in its audit, OIG has made four recommendations to FEMA:
- Develop and implement a process, with specific roles and responsibilities, for sanitizing mobile devices prior to disposition.
- Update existing guidance with the proper sanitization steps for all lost or stolen mobile devices.
- Implement and formally communicate to employees the requirement to document sanitization of mobile devices taken outside the United States or its territories, on authorized travel upon employees’ return to the United States from such travel.
- Update FEMA’s Response Playbook Standard Operating Procedure to comply with the Joint DHS Office of the Chief Security Officer and Office of the Chief Information Officer Guidance on Foreign Travel, requiring the disabling of all unauthorized mobile devices that have been taken on international travel.
FEMA has concurred with all four recommendations and expects to complete work to meet them by the end of this calendar year.