Wednesday, March 29, 2023

OIG: Network and IT Deficiencies Expose FEMA to Risk of Attack

OIG said the recently discovered deficiencies at FEMA stemmed from insufficient internal controls and day-to-day oversight to ensure access controls were administered appropriately and effectively to prevent unauthorized access.

An audit by the Office of Inspector General has found that the Federal Emergency Management Agency (FEMA) did not consistently apply the information technology access controls needed to restrict unnecessary access to its systems and information. 

Specifically, OIG found that FEMA did not promptly remove or adjust system and information access when personnel separated or changed positions. For example, 75 percent of the accounts for separated personnel that OIG examined remained active beyond the individual’s last workday. 

In 2019, FEMA implemented a process in which supervisors and contracting officer’s representatives must use the Access Lifecycle Management (ALM) system to schedule access removals for separating individuals’ last workday. However, OIG noted in its report that FEMA supervisors and contracting officer’s representatives did not consistently use ALM to schedule timely removals as required. Instead, they often relied on automated backup controls that eventually disable an individual’s account when other personnel actions occur, such as when an employee’s pay status changes in the National Finance Center database or if an individual’s personal identity verification card becomes inactive. OIG found that FEMA used these backup controls to deactivate most accounts that were not scheduled for disablement through the ALM process. Specifically, 214 of the 263 accounts that were not promptly deactivated were disabled by the backup controls. As a result, 81 percent of those who maintained access beyond their last workday did not have their account disablement scheduled in ALM as required by FEMA.

The audit also found that FEMA did not monitor and configure privileged user access, service accounts, and access to sensitive security functions as required. 

In addition, FEMA did not have a process to ensure unneeded access privileges were removed when individuals transferred offices within the component. OIG identified 2,797 individuals who transferred offices within FEMA from October 2020 through January 2022, and FEMA could not demonstrate that it had removed access privileges no longer needed for these individuals’ new positions.

This is not the first time that the Department of Homeland Security (DHS) watchdog has had cause to be critical of access control efforts. For example, it reported that U.S. Citizenship and Immigration Services did not consistently apply the IT access controls needed to restrict unnecessary access to its systems, information, and network. It also found that DHS did not consistently revoke personal identity verification cards and withdraw security clearances for individuals who no longer worked for the Department, increasing the risk of unauthorized access to systems and facilities.

OIG said the recently discovered deficiencies at FEMA stemmed from insufficient internal controls and day-to-day oversight to ensure access controls were administered appropriately and effectively to prevent unauthorized access.

Federal systems are prime targets for cyber attack and therefore require vigilant access controls. During the 2020 SolarWinds incident, for example, external attackers breached cyber defenses to gain access to Federal Government networks. Once inside the networks, the attackers successfully set up permissions for themselves to access other programs and applications while remaining undetected. Attacks can also come from within an organization when employees or contractors use their authorized access to do harm. Access controls ensure that only authorized users have mission-related access to an organization’s networks, systems, and information. But when these controls are not fully implemented, a cyber attack has the potential to wreak havoc across not only that agency but the whole of the United States.

Based on OIG’s testing, FEMA did not implement all the required security settings or address vulnerabilities in a timely manner for its IT systems and workstations. OIG said this occurred because FEMA was concerned updates might negatively impact system operations and because it faced operational challenges. For example, DHS IT Security Policy requires that all service accounts be appropriately encrypted. However, OIG identified 48 service accounts that did not meet encryption requirements. FEMA told OIG that it did not appropriately encrypt the service accounts because it believed the required level of encryption could negatively affect operations for its legacy IT assets.

The deficiencies identified during the audit exposed FEMA’s network and IT systems to risks of compromise by potential attackers, OIG said, adding that these deficiencies could have limited the Department’s overall ability to reduce the risk of unauthorized access to its network, which may disrupt mission operations. Additionally, FEMA’s security settings on systems and workstations may limit its ability to overcome a major cybersecurity incident or to mitigate an access control weakness if an unauthorized individual gains access. 

OIG has made ten recommendations to FEMA, with which the agency has concurred. The agency described actions planned and already underway to address the shortcomings. In FY 2020, for example, FEMA’s Office of the Chief Information Security Officer (OCISO) Identity, Credential, and Access Management Division chartered a study to assess FEMA’s readiness to move to the cloud and explore options for modernized identity and access management. In October 2022, FEMA OCISO established the FEMA Enterprise Cloud Authentication Provisioning Services (FECAPS) program. FECAPS will modernize identity and access management with a Software as a Service solution to mature the Identity Access Zero Trust Architecture pillar. FEMA also noted that since September 2022, it has upgraded its software scanning tools.

Read the full report at OIG

Kylie Bielby
Kylie Bielby has more than 20 years' experience in reporting and editing a wide range of security topics, covering geopolitical and policy analysis to international and country-specific trends and events. Before joining GTSC's Homeland Security Today staff, she was an editor and contributor for Jane's, and a columnist and managing editor for security and counter-terror publications.
