An audit by the Department of Homeland Security’s Office of Inspector General (OIG) found FEMA has not implemented federally mandated IT management practices essential for effective oversight of its IT environment.
Specifically, the audit noted that FEMA has not established an IT strategic plan, architecture, or governance framework to facilitate day-to-day management of its aging IT systems and equipment.
OIG attributes these deficiencies to the FEMA Chief Information Officer’s limited authority to manage IT agency-wide, as well as to a decentralized resource allocation approach that hinders funding for the centralized IT environment.
The audit also found FEMA has not provided its personnel with the IT systems necessary to support response and recovery operations effectively. FEMA’s legacy IT systems are not integrated and lack the functionality needed to keep pace with high-volume processing. Additionally, the systems FEMA personnel rely on for situational awareness and emergency response coordination do not always contain real-time data nor do they support information sharing with external partners.
OIGs attributes these deficiencies to an inadequate focus on funding to support IT modernization efforts. As a result, field personnel engage in time-consuming, manual processes to accomplish mission tasks. For example, following the hurricanes and wildfires in 2017, some FEMA personnel used their personal laptop computers in place of FEMA’s official systems to keep pace with mission requirements.
FEMA received more than 17,000 public assistance grants applications in 2017. OIG says the systems used to manage public assistance grants were incapable of performing critical functions like identifying multiple funding allocations for the same grant, which could result in duplicate payments to applicants. To prevent this, grants staff from a regional office had to manually review each grant in multiple systems to verify that duplicate funding requests were not submitted. This systematic inefficiency resulted in grant disbursement delays of 8 months or longer in that region.
Furthermore, OIG found that systems such as the FEMA data warehouse failed to provide situational awareness, adequate storage capacity, and up to date data.
Many of the deficiencies noted in OIG’s August 27 report have been found and reported in prior audits throughout the last 13 years. FEMA’s annual IT spending of less than $500 million represents less than 10 percent of FEMA’s $4.98 billion discretionary budget and OIG says funding has historically fallen short of the amount needed to modernize FEMA’s IT enterprise while continuing to support routine IT operations and maintenance. The audit found at least 70 percent of FEMA’s $396 million IT budget for FY 2018 had been obligated to support FEMA’s aging IT infrastructure. As a result, it was not able to implement major efforts to update legacy IT systems or improve systems capabilities.
Officials told OIG that approximately 70 percent of FEMA IT assets were functioning beyond end-of-life standards and more than 80 percent of FEMA’s core network infrastructure and disaster infrastructure equipment was 10 to 20 years old and needed to be upgraded or replaced.
As a result of the numerous IT deficiencies, FEMA relied on manual workarounds. Following Hurricane Harvey in August 2017, more than 900 personnel were deployed to the field to help survivors with disaster assistance registrations. These personnel gathered survivor information using a mobile application; however, the application was often unavailable due to insufficient capacity to support the extremely high volume of users. To overcome this frequent challenge, field staff had to complete their work during off-hours when system use decreased. Field teams purchased commercial maps to track where they had gone each day, since such data could not be recorded during periods when the system was unavailable. This location data had to be keyed in when FEMA’s reporting tool became available for use. The widespread problems with system availability resulted in field officials directing teams to recanvas areas already visited, which wasted time and caused delays in collecting survivor registrations, responding to case inquiries, and reporting case updates.
Following Hurricane Irma in September 2017, JFO staff in Florida used a Microsoft Access database and at least 20 spreadsheets to manage temporary housing data for local survivors. This became necessary early during response operations when FEMA’s emergency management information system (NEMIS) proved incapable of effectively tracking application data and other specific housing information, resulting in inaccurate reporting and a need for data adjustments. To address this problem, staff used a central dashboard to enter data outside of NEMIS. Staff also used spreadsheets to log data such as trailers ready for occupancy and site inspection results. Performing this work outside of NEMIS led to even more inaccurate and inconsistent housing data, which resulted in misreporting at national daily briefings that adversely affected field office credibility. Additionally, the field office’s ability to make informed planning decisions, identify supply and demand, and authorize individual housing solutions during Hurricane Irma response operations was impaired.
FEMA concurred with OIG’s recommendations. First, that it will provide the Office of the Chief Information Officer with the necessary authority and resources to implement required IT management practices in accordance with Federal mandates. FEMA will also create a capabilities analysis report by May 31 2020.
To meet OIG’s second recommendation, FEMA will promote IT planning and management as an agency-wide priority by establishing a policy to implement and enforce a centralized IT investment management framework by June 30 2020.
Third, FEMA will direct a strategic planning effort to define the agency’s vision for IT, along with a funding plan, to demonstrate how FEMA will direct investments to better align IT resources with agency and mission priorities by May 31 2020.
Finally, by April 30 2020, FEMA will develop a systems modernization approach that includes a plan for resolving IT integration, information sharing, and reporting deficiencies.
While these measures, if implemented, will go a long way to overcoming the IT deficiencies within FEMA, the agency must first come through this hurricane season, one that currently threatens the southeastern United States with the most powerful storm in decades.