FEMA awarded more than $22 billion in grants for four major disasters in 2017 alone. It manages these and other grants in numerous, disparate information technology systems that it has been attempting to modernize.
FEMA first attempted to modernize these systems in 2008 but experienced significant challenges. In 2015, the agency initiated the Grants Management Modernization (GMM) program, aimed at streamlining and modernizing the grants management IT environment.
The Government Accountability Office (GAO) has reviewed the GMM program and published its findings on April 9. Of six important leading practices for effective business process reengineering and information technology (IT) requirements management, GAO found that FEMA fully implemented four and partially implemented two for the GMM program. The practices fully implemented were to ensure executive leadership support for process reengineering, assess the current and target business environment and performance goals, track progress in delivering IT requirements, and incorporate input from end user stakeholders.
GAO found, however, that FEMA has not yet fully established plans for implementing new business processes, nor has it established clear, prioritized and traceable IT requirements.
Until FEMA fully implements the remaining two practices, it risks delivering an IT solution that does not fully modernize FEMA’s grants management systems.
While GMM’s initial May 2017 cost estimate of about $251 million was generally consistent with leading practices for a reliable, high-quality estimate, it no longer reflects current assumptions about the program. FEMA officials stated in December 2018 that they had completed a revised cost estimate, but it was undergoing departmental approval. GMM’s program schedule was inconsistent with leading practices; of particular concern was that the program’s final delivery date of September 2020 was not informed by a realistic assessment of GMM development activities, and rather was determined by imposing an unsubstantiated delivery date.
Of five key cybersecurity practices, GAO reported that FEMA fully addressed three and partially addressed two for GMM. Specifically, it categorized GMM’s system based on security risk, selected and implemented security controls, and monitored security controls on an ongoing basis. However, the program had not initially established corrective action plans for 13 medium- and low-risk vulnerabilities. This conflicts with the Department of Homeland Security’s guidance that specifies that corrective action plans must be developed for every weakness identified. Until FEMA, among other things, ensures that the program consistently follows the department’s guidance on preparing corrective action plans for all security vulnerabilities, GMM’s system will remain at increased risk of exploits.
Given FEMA’s highly complex grants management environment, with its many stakeholders, IT systems, and internal and external users, implementing leading practices for business process reengineering and IT requirements management is critical for success. GAO acknowledged that FEMA has taken many positive steps, including ensuring executive leadership support for business process reengineering, documenting the agency’s grants management processes and performance improvement goals, defining initial IT requirements for the program, incorporating input from end user stakeholders into the development and implementation process, and taking recent actions to improve its delivery of planned IT requirements. Nevertheless, GAO believes that until the GMM program finalizes plans and time frames for implementing its organizational change management actions, plans and communicates system transition activities, and maintains clear traceability of IT requirements, FEMA will be limited in its ability to provide streamlined grants management processes and effectively deliver a modernized IT system to meet the needs of its large range of users.
The April 9 report notes that while GMM’s initial cost estimate was reliable, key assumptions about the program had changed since that estimate was prepared and, therefore, it no longer reflected the current approach for the program. The forthcoming updated cost estimate is expected to better reflect the current approach. However, GAO says the program’s schedule to fully deliver GMM by September 2020 is “aggressive and unrealistic”.
GAO has made eight recommendations, with which FEMA concurs:
- The GMM program management office should finalize the organizational change management plan and time frames for implementing change management actions.
- The GMM program management office should plan and communicate its detailed transition activities to its affected customers before they transition to GMM and undergo significant changes to their processes.
- The GMM program management office should implement its planned changes to its processes for documenting requirements for future increments and ensure it maintains traceability among key IT requirements documents.
- The GMM program management office should update the program schedule to address the leading practices for a reliable schedule.
- The FEMA Office of the Chief Information Officer (OCIO) should define sufficiently detailed planned evaluation methods and actual evaluation methods for assessing security controls.
- The FEMA OCIO should approve a security assessment plan before security assessment reviews are conducted.
- The GMM program management office should follow DHS guidance on preparing corrective action plans for all security vulnerabilities.
- The GMM program management office should fully test all of its security controls for the system.
After hiring master schedulers in October 2018 and taking other steps such as building a program-level release plan, FEMA estimates it will complete recommendation 4 by the end of April 2019. All other recommendations are estimated to be completed by July 31, 2019, with the exception of recommendation 2 (December 31, 2019) and recommendation 1 (July 31, 2020).