Information Technology: FEMA Needs to Address Management Weaknesses to Improve Its Systems

GAO-16-306 Published: Apr 05, 2016. Publicly Released: May 05, 2016.

Highlights

What GAO Found

The Federal Emergency Management Agency (FEMA) faces the following challenges in ensuring that its information technology (IT) programs adequately support the agency's ability to respond to major disasters:

Governance and oversight: FEMA established an investment review board to select and oversee IT investments, as called for by leading practices. But the board has not fully defined roles and responsibilities of key members, working groups, and individuals, and it does not have clearly defined procedures for selecting and overseeing investments. As a result, the agency lacks adequate visibility into and oversight of IT investment decisions and activities.

IT modernization: FEMA has begun to take steps to modernize its IT environment, but key planning documents are not current and complete. For example, the agency has an IT strategic plan and is currently drafting its modernization plan; however, the plans do not reflect the agency's current goals and objectives. Further, the IT strategic plan describes the Chief Information Officer's (CIO) mission, goals, and objectives through fiscal year 2016, but has not been updated since 2013. In addition, while the Office of the CIO is currently drafting the agency's IT modernization plan, including an implementation strategy and an overall schedule, it is not yet final. As a result, the agency is limited in its ability to move toward its goal to modernize its systems and eliminate duplicative IT investments.

Workforce planning: The agency has not yet established time frames to address long-standing workforce management challenges. For example, while it conducted a workforce assessment to identify skill levels of employees in the agency's Office of the CIO, it has not completed recommended actions called for by this assessment. In addition, its workforce planning efforts have not included an assessment of the many IT staff located in the agency's regions and other offices. Consequently, FEMA has less assurance that its IT workforce will have the skills needed to successfully manage its programs.

None of the three emergency management programs GAO selected for this review had fully implemented key IT management controls in the areas of risk management, requirements development, project planning, and systems testing and integration. Specifically, the three selected emergency management programs inconsistently implemented these practices by, for example, not always developing adequate risk mitigation plans, establishing processes for requirements management, developing and updating schedules and cost estimates, and ensuring complete and adequate system testing along with systems integration plans. These weaknesses were due, in part, to a lack of FEMA policies to guide programs in implementing these key IT management controls. Until FEMA fully establishes and implements such policies and controls, it has limited assurance that these programs will cost-effectively support its disaster response efforts.

Why GAO Did This Study

FEMA, a component agency of the Department of Homeland Security (DHS), leads federal efforts to mitigate, respond to, and recover from disasters. In the wake of Hurricane Katrina, the largest natural disaster in U.S. history, Congress passed the Post-Katrina Emergency Management Reform Act of 2006. This act required FEMA to address shortcomings identified in the preparation for and response to Katrina, including improving the agency's IT programs, which are critical to its ability to respond to natural disasters and other emergencies.

GAO was asked to review FEMA's IT system improvement efforts. This report (1) identifies challenges to ensuring the agency's IT systems adequately support its disaster response efforts and (2) assesses the extent to which FEMA has implemented key IT management controls for selected emergency management programs. GAO analyzed FEMA documentation (e.g., FEMA's Hurricane Sandy After-Action Report), interviewed officials, and assessed its implementation of IT management best practices for three selected programs.

Recommendations

GAO recommends that FEMA fully define its investment board's roles and responsibilities and procedures for selecting and overseeing investments, update its strategic plan and complete plans for IT modernization, and establish time frames for completing workforce planning efforts. FEMA should also establish policies and guidance for implementing key IT management controls. DHS concurred with the recommendations.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to ensure that the IT Governance Board has fully defined and implemented its roles and responsibilities for key boards, working groups, and individuals, and procedures for selecting and overseeing IT investments.
Status: Closed – Implemented
The Department of Homeland Security concurred with this recommendation. In response, the department implemented the recommendation by establishing an IT Governance Board (ITGB) that serves as the primary structure for the Federal Emergency Management Agency's (FEMA) IT decision-making process. FEMA's ITGB charter defines the roles and responsibilities, as well as the procedures and guidelines for selection and management of the agency's IT Investment Portfolio. As a result, FEMA has better visibility into and oversight of the agency's IT investment decisions and activities.

Agency Affected: Department of Homeland Security
Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to define the scope, implementation strategy, and schedule of the agency's overall modernization approach, with related goals and measures for effectively overseeing the effort. At a minimum, the agency should update its IT strategic plan and complete its modernization plan.
Status: Closed – Implemented
The Department of Homeland Security implemented this recommendation. FEMA updated its "Information Technology Strategic Plan for Fiscal Years 2020-2024". The plan includes FEMA's IT mission, vision, and goals that support and align with FEMA's and the Department of Homeland Security's strategic goals. One of the strategic objectives is to "build the future IT enterprise" by investing and leveraging advances in technology to improve operational capabilities for FEMA stakeholders and modernization of FEMA's infrastructure to include providing Zero Trust network architecture as well as secure cloud-enabled or cloud-ready options throughout FEMA. As a result, the agency has a greater ability to move toward its goal to modernize its systems and eliminate duplicative IT investments.

Agency Affected: Department of Homeland Security
Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to establish time frames for current and future IT workforce planning during its modernization efforts and ensure all regions and offices are included in these initiatives.
Status: Closed – Implemented
The Department of Homeland Security has implemented this recommendation. FEMA updated its "Information Technology Strategic Plan for Fiscal Years 2020-2024" with a strategic objective to "Enhance IT Workforce Capabilities and Stakeholder IT experiences". The goals of this objective include enhancing its IT Workforce capabilities by becoming a partner of choice, strengthening the skills of its workforce, and fostering collaboration across the agency and with external partners. In addition, FEMA is developing a related document with metrics and targets to meet these goals. As a result of the improved planning, FEMA should be better positioned to assess the skills its workforce will need in the future.

Agency Affected: Federal Emergency Management Agency
Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the Disaster Assistance Improvement Program (DAIP), Emergency Management Mission Integrated Environment (EMMIE), and Integrated Public Alert and Warning System (IPAWS) program offices, in conjunction with the FEMA CIO, to implement a robust risk management process that identifies potential problems before they occur.
Status: Closed – Implemented
The Department of Homeland Security concurred with the recommendation. In response to our recommendation, FEMA implemented a risk management process to support the agency in identifying potential problems before they occur. For example, the agency's risk management approach, which is aligned with the DHS System Engineering Life Cycle and the Project Management Body of Knowledge Guide, follows a seven-step approach that addresses risk planning, identification, analysis and prioritization, mitigation, monitoring and closure. As a result, the agency should be better positioned to properly manage all program risks.

Agency Affected: Federal Emergency Management Agency
Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement a requirements management process to ensure requirements are well defined.
Status: Closed – Implemented
The Department of Homeland Security concurred with our recommendation. In response, FEMA implemented a requirements management process that generally addressed the weaknesses identified in our report. For example, FEMA's requirements management process includes guidance on eliciting stakeholder needs and transforming them into prioritized customer requirements; analyzing requirements to ensure that they are complete and verifiable; and validating the system as it is being developed. In addition, the process identifies how business, functional, and technical requirements will be identified, analyzed, documented and managed for each project. As a result, the agency should be better positioned to develop systems that will provide functionality that meets users' needs.

Agency Affected: Federal Emergency Management Agency
Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement complete program plans that define overall budget and schedule, key deliverables and milestones, assumptions and constraints, description and assignment of roles and responsibilities, staffing and training plans, and an approach for maintaining these plans.
Status: Closed – Implemented
The Department of Homeland Security concurred with our recommendation and in response updated its program management plans that support the program offices of the Disaster Assistance Improvement Plan, Emergency Management Mission Integrated Environment, and Integrated Public Alert and Warning System. In June 2017, the department provided the program plans that addressed the weaknesses we identified in our report. For example, these program management plans identified and described the overall program management processes and methods to be used during all phases of projects and defined key deliverables and milestones, roles and responsibilities, staffing and training and an approach for maintaining the plans. Additionally, the plans defined the knowledge and skills needed to carry out the program and defined the overall budget and schedule for the programs under review. As a result, the program offices are able to ensure that the programs will be effectively implemented and managed.

Agency Affected: Federal Emergency Management Agency
Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement a system integration plan that includes all systems to be integrated with the system, roles and responsibilities for all relevant participants, the sequence and schedule for every integration step, and how integration problems are to be documented and resolved.
Status: Closed – Implemented
The Department of Homeland Security concurred with, and has taken steps to implement, our recommendation. For example, the department reported that the system owners for the DAIP, EMMIE, and IPAWS programs have updated their respective system integration plans to address the risks identified within the recommendation. In addition, the agency provided documentation such as the IPAWS Integrated Logistics Support Plan, as well as the quality control plan, and test execution plans for both the DAIP and EMMIE programs. Furthermore, in August 2018, the department provided evidence on the roles and responsibilities for all relevant participants, and how integration problems are to be documented and resolved. As a result, the department can ensure that it is identifying all systems to be integrated and describing how integration problems are to be documented and resolved.

Agency Affected: Federal Emergency Management Agency
Recommendation: As part of the effort of improving IT management at the three programs, the FEMA Administrator should direct the CIO to ensure that FEMA policy for managing IT programs includes guidance for implementing the key management practices.
Status: Closed – Implemented
The Department of Homeland Security has implemented the recommendation. In March 2020, FEMA issued Directive 140-1, which improves IT management by establishing the authorities, responsibilities, and policies of the FEMA CIO. A component of this directive included key management practices in the areas of acquisition, development, testing, and sustainment. These practices are to be followed by all FEMA IT programs, including the three programs that GAO reviewed. By issuing Directive 140-1, FEMA has greater assurance that the three programs will cost-effectively support its disaster response efforts.

Topics

Emergency management, Human capital planning, Information technology, Internal controls, IT investment management, Program evaluation, Program management, Requirements definition, Risk management, Staff utilization, Strategic planning, Technology modernization programs, Policies and procedures, Workforce planning, IT management, IT investments