This is the accessible text file for GAO report number GAO-11-297 
entitled 'FEMA: Action Needed to Improve Administration of the 
National Flood Insurance Program' which was released on June 9, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Committees: 

June 2011: 

FEMA: 

Action Needed to Improve Administration of the National Flood 
Insurance Program: 

GAO-11-297: 

GAO Highlights: 

Highlights of GAO-11-297, a report to congressional committees. 

Why GAO Did This Study: 

The National Flood Insurance Program (NFIP) has been on GAO’s high-
risk list since March 2006 because of concerns about its long-term 
financial solvency and related operational issues. Significant 
management challenges also affect the Federal Emergency Management 
Agency’s (FEMA) ability to administer NFIP. This report examines (1) 
the extent to which FEMA’s management practices affect the 
administration of NFIP; (2) lessons learned from the cancellation of 
FEMA’s attempt to modernize NFIP’s insurance management system; and 
(3) limitations on FEMA’s authority that could affect NFIP’s financial 
stability. To do this work, GAO reviewed internal control standards 
and best practices, analyzed agency documentation, reviewed previous 
work, and interviewed relevant agency officials. 

What GAO Found: 

FEMA faces significant management challenges in areas that affect 
NFIP, including strategic and human capital planning; collaboration 
among offices; and records, financial, and acquisition management. For 
example, because FEMA has not developed goals, objectives, or 
performance measures for NFIP, it needs a strategic focus for ensuring 
program effectiveness. FEMA also faces human capital challenges, 
including high turnover and weaknesses in overseeing its many 
contractors. Further, FEMA needs a plan that would ensure consistent 
day-to-day operations when it deploys staff to federal disasters. FEMA 
has also faced challenges in collaboration between program and support 
offices. Finally, FEMA lacks a comprehensive set of processes and 
systems to guide its operations, in particular a records management 
policy and an electronic document management system. FEMA has begun to 
address some of these challenges, including acquisition management, 
but the results of its efforts remain to be seen. Unless it takes 
further steps to address these management challenges, FEMA will be 
limited in its ability to manage NFIP’s operations or better ensure 
program effectiveness. 

FEMA also faces challenges modernizing NFIP’s insurance policy and 
claims management system. After 7 years and $40 million, FEMA 
ultimately canceled its latest effort (NextGen) in November 2009 
because the system did not meet user expectations. As a result, the 
agency continues to rely on an ineffective and inefficient 30-year old 
system. A number of acquisition management weaknesses led to NextGen’s 
failure and cancellation, and as FEMA begins a new effort to modernize 
the existing legacy system, it plans to apply lessons learned from its 
NextGen experience. While FEMA has begun implementing some changes to 
its acquisition management practices, it remains to be seen if they 
will help FEMA avoid some of the problems that led to NextGen’s 
failure. Developing appropriate acquisitions processes and applying 
lessons learned from the NextGen failure are essential if FEMA is to 
develop an effective policies and claims processing system for NFIP. 

Finally, NFIP’s operating environment limits FEMA’s ability to keep 
the program financially sound. NFIP assumes all risks for its 
policies, must accept virtually all applicants for insurance, and 
cannot deny coverage for high-risk properties. Moreover, additional 
external factors—-including lapses in NFIP’s authorization, the role 
of state and local governments, fluctuations in premium income, and 
structural and organizational changes-—complicate FEMA’s 
administration of NFIP. As GAO has previously reported, NFIP also 
faces external challenges that threaten the program’s long-term 
health. These include statutorily required subsidized premium rates, a 
lack of authority to include long-term erosion in flood maps, and 
limitations on FEMA’s authority to encourage owners of repetitive loss 
properties to mitigate. Until these issues are addressed, NFIP’s long-
term financial solvency will remain in doubt. 

What GAO Recommends: 

GAO makes 10 recommendations to improve the effectiveness of FEMA’s 
planning and oversight efforts for NFIP; improve FEMA’s policies and 
procedures for achieving NFIP’s goals; and increase the usefulness and 
reliability of NFIP’s flood insurance policy and claims processing 
system. GAO also presents three matters for congressional 
consideration to improve NFIP’s financial stability. DHS concurred 
with all of GAO’s recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-11-297] or key 
components. For more information, contact Orice Williams Brown at 
(202) 512-8678 or williamso@gao.gov. 

[End of section] 

Contents: 

Letter1: 

Background: 

Opportunities Exist to Improve FEMA's Management of NFIP: 

Acquisition Management Weaknesses Led to Cancellation of NFIP's System 
Modernization Project and Offer Lessons for Future Modernization 
Efforts: 

NFIP's Operating Environment and External Factors Complicate 
Administration of the Program, and FEMA Lacks Authority in Areas 
Critical to Its Long-term Financial Health: 

Conclusions: 

Recommendations for Executive Action: 

Matters for Congressional Consideration: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Related GAO Products: 

Table: 

Table 1: Summary of NextGen Application Test Plans' Satisfaction of 
Key Elements of Relevant Guidance: 

Figure: 

Figure 1: FEMA Organizational Chart: 

Abbreviations: 

ARB: Acquisition Review Board: 

CFO: Chief Financial Officer: 

CIO: Chief Information Officer: 

COTR: Contracting Officer's Technical Representative: 

C&A: certification and accreditation: 

DHS: Department of Homeland Security: 

FEMA: Federal Emergency Management Agency: 

FIMA: Federal Insurance and Mitigation Administration: 

FISMA: Federal Information Security Management Act of 2002: 

FREE: Flood Rating Engine Environment: 

F2M: Flood Financial Management: 

GIS: Geospatial Information System: 

GPRA: Government Performance and Results Act of 1993: 

IFMIS: Integrated Financial Management Information System: 

IT: information technology: 

NAPA: National Association of Public Administration: 

NARA: National Archives and Records Administration: 

NextGen: Next Generation Flood Insurance Management System: 

NFIP: National Flood Insurance Program: 

OCAO: Office of the Chief Administrative Officer: 

OCCHCO: Office of the Chief Component Human Capital Officer: 

OCFO: Office of the Chief Financial Officer: 

OCIO: Office of the Chief Information Officer: 

OCPO: Office of the Chief Procurement Officer: 

OIG: Office of the Inspector General: 

OPPA: Office of Policy and Program Analysis: 

PFT: permanent full-time: 

PKEMRA: Post-Katrina Emergency Management Reform Act of 2006: 

PRP: Preferred Risk Policy: 

RiskMAP: Risk Mapping Assessment and Planning: 

SFHA: special flood hazard area: 

SQANet: Simple and Quick Access Net: 

Treasury: Department of the Treasury: 

TRRP: Transaction Record Reporting Process: 

WYO: write your own: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

June 9, 2011: 

The Honorable Tim Johnson:
Chairman:
The Honorable Richard C. Shelby:
Ranking Member:
Committee on Banking, Housing and Urban Affairs:
United States Senate: 

The Honorable Spencer Bachus:
Chairman:
The Honorable Barney Frank:
Ranking Member:
Committee on Financial Services:
House of Representatives: 

The National Flood Insurance Program (NFIP), which is administered by 
the Federal Emergency Management Agency (FEMA) within the Department 
of Homeland Security (DHS), is a key component of the federal 
government's efforts to minimize the damage and financial impact of 
floods and is the only source of insurance against flood damage for 
most residents of flood-prone areas. Until 2004, NFIP was able to 
cover most of its claims with premiums it collected and occasional 
loans from the Department of the Treasury (Treasury) that were repaid. 
However, after the 2005 hurricanes--primarily Hurricane Katrina--the 
program borrowed $16.8 billion from Treasury to cover the 
unprecedented number of claims. NFIP has subsequently borrowed 
additional funds from Treasury to make interest payments on this debt 
and, as of March 2011, owed approximately $17.8 billion. Because of 
structural weaknesses in the way the program is funded and operated, 
NFIP is unlikely to be able to repay this debt in the near future, if 
ever. 

As a result of the program's importance, level of indebtedness, and 
potential for future losses, we placed NFIP on our high-risk list in 
March 2006.[Footnote 1] In earlier reports, we identified a number of 
operational challenges that hindered FEMA's ability to effectively 
administer NFIP and contributed to NFIP's placement on the list. For 
example, we found internal control weaknesses in FEMA's oversight of 
the write-your-own (WYO) insurers that are key to NFIP operations and 
that have received payments representing one-third to two-thirds of 
the premiums collected. We also found problems with the oversight of 
contractors responsible for performing key NFIP functions such as 
collecting NFIP data and marketing the program. 

Because of the risks and challenges facing NFIP and the financial and 
operational weaknesses we had identified, we undertook a review to 
look for potential underlying management weaknesses that, if 
addressed, might improve the operation and functioning of the program. 
Specifically, our objectives were to (1) analyze the extent to which 
FEMA's key management practices--including strategic planning, human 
capital planning, intra-agency collaboration, records management, 
financial management, and acquisition management--affect the agency's 
ability to administer NFIP; (2) identify lessons to be learned from 
the cancellation of its most recent attempt to modernize NFIP's flood 
insurance policy and claims processing system, including to what 
extent key acquisition management processes were followed; and (3) 
describe factors that are relevant to NFIP operations and analyze 
limitations on FEMA's authority that could affect its financial 
stability. 

To address these objectives, we collected available data from FEMA and 
conducted over 80 interviews with representatives from FEMA and their 
relevant bureaus or divisions. We also interviewed representatives of 
DHS's Office of the Inspector General, the National Association of 
Public Administration (NAPA), and KPMG LLP. These interviews allowed 
us to gather further insights into management challenges that affect 
NFIP.[Footnote 2] In addition, we analyzed planning documents, 
policies, directives, materials, and data related to program, human 
capital, records, acquisition, and financial management. In the areas 
of human capital and financial management, we assessed the data 
provided to us and found it to be sufficiently reliable for the 
purposes of our report. The remaining audit work did not require a 
data assessment. Further, we reviewed relevant legislation, internal 
control standards, best practices, and external studies of FEMA's 
management challenges. We compared the information we obtained on 
NFIP's policies and procedures to relevant criteria developed by GAO 
and others. To determine the lessons to be learned from the 
NextGeneration Flood Insurance Management System (NextGen) program's 
cancellation and to what extent key acquisition management processes 
were followed on NextGen, we analyzed a range of program documentation 
and interviewed cognizant program and contractor officials relevant to 
the following acquisition management disciplines: requirements 
development and management, test management, risk management, program 
oversight, and human capital management. For each discipline, we 
compared key program documentation, such as the concept of operations 
document; test plans for functional, regression, and usability 
testing; and NextGen application summary test reports, and risk 
management and program management plans. To identify external factors 
that affect NFIP's ability to carry out its mission, we reviewed our 
previous reports that analyzed various aspects of NFIP's policies, 
practices, and organizational structure, identifying factors that 
affected NFIP's operations but over which NFIP did not have control. 
To determine whether and to what extent the factors identified in 
these reports were still affecting NFIP's operations, and to identify 
any additional factors, we interviewed knowledgeable FEMA 
representatives and reviewed relevant testimony of FEMA officials 
before Congress. Appendix I provides additional details about our 
scope and methodology. 

We conducted this performance audit from July 2009 to June 2011 in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. The evidence 
we obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Background: 

Overview of the National Flood Insurance Program: 

The National Flood Insurance Act of 1968 established NFIP as an 
alternative to providing direct disaster relief after floods.[Footnote 
3] NFIP, which makes federally backed flood insurance available to 
homeowners and businesses, was intended to reduce the federal 
government's escalating costs for repairing flood damage after 
disasters. Floods are the most common and destructive natural disaster 
in the United States. In fact, according to NFIP statistics, 90 
percent of all national disasters in the United States have involved 
flooding. However, flooding is generally excluded from homeowners' 
policies that typically cover damages from other losses, such as wind, 
fire, and theft. Because of the catastrophic nature of flooding and 
the inability to adequately predict flood risks, historically, private 
insurance companies have largely been unwilling to underwrite and bear 
the risk that results from providing primary flood insurance coverage. 
Under NFIP, the federal government assumes the liability for the 
insurance coverage and sets rates and coverage limitations, among 
other responsibilities, while the private insurance industry sells the 
policies and administers the claims for a fee determined by FEMA. 

As of January 2011, 21,361 communities across the United States and 
its territories participated in NFIP by adopting and agreeing to 
enforce state and community floodplain management regulations to 
reduce future flood damage. In exchange, NFIP makes federally backed 
flood insurance available to homeowners and other property owners in 
these communities. Homeowners with mortgages from federally regulated 
lenders on property in communities identified to be in high-risk 
special flood hazard areas (SFHA) are required to purchase flood 
insurance on their dwellings for at least the outstanding mortgage 
amount. Optional lower-cost coverage is also available under NFIP to 
protect homes in areas of low to moderate risk. To insure furniture 
and other personal property items against flood damage, homeowners may 
purchase separate NFIP personal property coverage. Although premium 
amounts vary according to the amount of coverage purchased and the 
location and characteristics of the insured property, the average 
yearly premium was around $620 as of October 2010.[Footnote 4] 

NFIP is designed to pay operating expenses and flood insurance claims 
with premiums collected on flood insurance policies rather than with 
tax dollars. However, FEMA has statutory authority to borrow funds 
from Treasury to keep NFIP solvent in years when losses are high. 
NFIP, by design, is not actuarially sound because Congress authorized 
subsidized insurance rates to be made available for policies covering 
certain structures to encourage communities to join the program. As a 
result, NFIP is not able to build reserves to cover losses that exceed 
the historic averages. 

Management of the National Flood Insurance Program: 

NFIP is managed by FEMA's Federal Insurance and Mitigation 
Administration (FIMA), with administrative support from FEMA's Mission 
Support Bureau (see figure 1). DHS provides management direction by 
issuing guidance and working to integrate its various management 
processes, systems, and staff within and across its management areas. 
[Footnote 5] Around 330 FEMA employees, assisted by contractor 
employees, manage and oversee NFIP and the National Flood Insurance 
Fund, into which premiums are deposited and from which claims and 
expenses are paid. Their management responsibilities include 
establishing and updating NFIP regulations, analyzing data to 
determine flood insurance rates, and offering training to insurance 
agents and adjusters. In addition, FIMA and its program contractors 
are responsible for monitoring and overseeing the performance of the 
WYO insurance companies to help ensure that NFIP is administered 
properly.[Footnote 6] 

FIMA receives administrative and management support as well as 
direction on program operations from FEMA's Mission Support Bureau 
offices, including the Office of the Chief Administrative Officer 
(OCAO), Office of the Chief Component Human Capital Officer (OCCHCO), 
Office of the Chief Financial Officer (OCFO), Office of the Chief 
Information Officer (OCIO), and Office of the Chief Procurement 
Officer (OCPO).[Footnote 7] In addition, FEMA's Office of Policy and 
Program Analysis (OPPA) serves a collaborative support role to provide 
leadership, analysis, coordination, and decision-making support on 
agency policies, plans, programs, and key initiatives. While Mission 
Support and OPPA provide important services to FIMA, their 
responsibilities do not include comprehensive oversight of FIMA or 
NFIP. 

Figure 1: FEMA Organizational Chart: 

[Refer to PDF for image: organizational chart] 

Top level: 
Department of Homeland Security (DHS). 

Second level reporting to DHS: 
Federal Emergency Management Agency (FEMA). 

Third level, reporting to FEMA: 
Office of the Chief Financial Officer; 
Office of Equal Rights; 
Office of External Affairs; 
Office of Disability Integration and Coordination; 
Office of REgional Operations; 
Law Enforcement Advisor; 
Office of Policy and Program Analysis. 

Fourth level, reporting to FEMA (support services): 
Regions I-X; 
U.S. Fire Administration; 
Response and Recovery; 
Protection and National Preparedness; 
Mission Support Bureau: 
- Office of the Chief Administrative Officer (OCAO); 
- Office of the Chief Component Human Capital Officer (OCCHCO); 
- Office of the Chief Information Officer (OCIO); 
- Office of the Chief Procurement Officer (OCPO); 
- Office of the Chief Security Officer (OCSO); 
Federal Insurance and Mitigation Administration (FIMA); FIMA is 
responsible for administering NFIP: 
- Office of Environmental Planning and Historic Preservation; 
- Regional Operations Regional and Disaster Support Branch; 
- Policy, Resources, and Communication Branch; 
- Risk Analysis Division; 
- Risk Insurance Division; 
- Risk Reduction Division. 

Source: GAO. 

[End of figure] 

Opportunities Exist to Improve FEMA's Management of NFIP: 

We found a number of management practices that could be improved to 
help FEMA more effectively administer NFIP. First, FEMA has not 
provided FIMA with strategic direction and guidance for administering 
NFIP and therefore lacks the starting point necessary to develop 
performance measures for assessing the program's effectiveness. 
Second, FEMA faces a number of human capital challenges, including 
developing a strategic human capital plan that addresses mitigating 
high turnover, hiring, and overseeing contractors that play a key role 
in NFIP. Moreover, it has yet to adequately address managing the day-
to-day operations when deploying staff to respond to federal 
disasters. Third, collaboration among offices within FEMA that are 
responsible for administering NFIP has at times been ineffective, 
leading to challenges in effectively carrying out some key functions. 
In particular, FIMA, the office that administers NFIP, and FEMA 
Mission Support, which provides mission-critical functions such as 
information technology (IT), acquisition, and financial management, 
have had difficulties collaborating on these functions. Finally, FEMA 
does not have a comprehensive set of policies, procedures, and systems 
to guide its operations. Specifically, it lacks an updated records 
management policy, procedures to effectively manage unliquidated 
obligations, and a fully developed and implemented documentation of 
its business processes. FEMA has begun taking steps to improve its 
acquisition management and document some of its business processes, 
but as they were recently implemented or still in progress, the 
results of these efforts have yet to be realized. Unless it takes 
further steps to address these management challenges, FEMA will be 
limited in its ability to manage NFIP's operations or ensure program 
effectiveness. 

A More Comprehensive Strategic Framework Would Improve FEMA's 
Administration of NFIP: 

FEMA published its most recent agencywide strategic plan in February 
2011, but the plan did not clearly lay out how and where NFIP's 
mission and activities fit within FEMA's own goals and 
objectives.[Footnote 8] The Government Performance and Results Act of 
1993 (GPRA) requires agencies to submit a strategic plan containing a 
number of components, including a comprehensive mission statement, 
long-term goals and objectives for major operations, and strategies 
for achieving these goals and objectives.[Footnote 9] Further, we have 
reported that an agency's strategic planning effort is the most 
important element in results-oriented management and serves as the 
foundation for defining what the agency seeks to accomplish, 
identifying strategies to achieve desired results, and determining how 
well it succeeds in reaching its goals and objectives.[Footnote 10] 
Leading results-oriented organizations focus on the dynamic and 
inclusive process of strategic planning, rather than on a strategic 
planning document, to provide a foundation for day-to-day activities 
and foster communication between the organization and its 
stakeholders. Moreover, the committee report accompanying GPRA stated 
that clear and precise goals enable an organization to maintain a 
consistent sense of direction regardless of the leadership changes 
that can occur frequently across the federal government.[Footnote 11] 

NFIP is a major operation with $1.2 trillion in coverage and $17.8 
billion in debt that has remained on GAO's high-risk list since 2006. 
FEMA officials told us that FEMA chose not to prescribe goals and 
objectives for specific programs in its strategic plan as required by 
GPRA. They said that the agency chose a different strategic approach 
that would allow for more flexibility, something that was needed 
because FEMA must respond to emergencies as they occur. While FEMA may 
require flexibility in its operating environment, as a federal 
insurance program NFIP requires a more structured framework to help 
ensure that its operations are properly managed and allow for the 
development of effective performance measures. Unless FEMA provides 
FIMA with strategic direction and guidance for administering NFIP, the 
program risks not having a strategic focus that is aligned with agency 
goals and objectives or effective performance measures. 

FIMA officials told us they were in the process of developing a 
strategy for mitigation and insurance but did not provide a specific 
timeline for completing or implementing it and did not provide details 
of what it might include. FIMA officials said they began developing 
the strategy in June 2010 and had created a steering committee with 
about 15 members representing various areas within FIMA. The committee 
held a summit with a number of stakeholders in November 2010 to 
validate the proposed mission, goals, and objectives of the 
organization before entering the drafting process and expect to 
eventually publish the final strategy in the summer of 2011. Because 
these efforts have not yet been completed, whether the strategy will 
include adequate goals and objectives for administering and managing 
NFIP remains to be seen. Without goals and objectives and a firm 
timeline for completing them, NFIP will continue to lack a strategic 
direction. 

FIMA officials said they had relied on other documents for strategic 
guidance, including FEMA-and DHS-level guidance and the agency's 
general mission--managing risks from all natural hazards to help free 
America from the burden of such disasters. However, without specific 
agency-or program-level goals, FIMA cannot ensure that any performance 
measures it develops for NFIP properly and adequately measure the 
program's success. According to GPRA, agencies should establish 
performance indicators to be used in measuring and assessing the 
relevant outputs, service levels, and outcomes of each program 
activity. Moreover, GAO's Standards for Internal Control in the 
Federal Government states that management should ensure that agencies 
establish and review performance measures and indicators.[Footnote 12] 
As we have reported, performance goals and measures that successfully 
address important and varied aspects of program performance are key to 
a results-oriented work environment.[Footnote 13] Measuring 
performance allows organizations to track the progress they are making 
toward their goals and gives managers critical information on which to 
base decisions for improving their programs. We have also reported 
that successful performance measures are, among other things, linked 
to core program activities.[Footnote 14] 

FIMA officials said that in recent years they had generally relied on 
five performance measures for NFIP that they reviewed quarterly: 

* Percentage of the U.S. population (excluding territories) covered by 
local hazard mitigation plans that had been approved or were pending 
adoption. 

* Percentage of the national population whose safety had been improved 
through the availability of flood risk data in Geospatial Information 
System (GIS) format. 

* Number of communities taking or increasing actions to reduce their 
risk from natural disasters. 

* Potential property losses, disasters, and other costs avoided. 

* NFIP premium income per $100 dollars of combined operating expense 
and historical losses paid.[Footnote 15] 

However, FIMA recently revised its operating plan, which FIMA 
officials said aligns resources to major activities and provides 
transparency to FIMA's performance. In this revision, FIMA replaced 
the five measures with 11 new performance measures aligned with DHS's 
mission and relevant DHS goals. FIMA said that these measures are 
still under development but that it began testing these measures in 
fiscal year 2011 and plans to officially require and report them in 
fiscal year 2012. They are grouped into three levels--strategic, 
management, and activity--indicating how they are expected to be used 
and which units will be gathering and reporting information in support 
of these performance measures. The measures relate to a range of 
FIMA's activities including mitigation effectiveness, mapping 
progress, and NFIP operating efficiency. 

However, FIMA has not had a set of strategic goals and objectives to 
guide its administration of NFIP. FIMA officials plan to include long- 
term goals and objectives in its upcoming strategic plan, but until 
this plan is complete and effectively implemented, FIMA will continue 
to be challenged by a lack of strategic focus and direction. Further, 
FIMA officials will be limited in their ability to understand and 
assess their effectiveness in administering NFIP and properly allocate 
its resources. Further, without a strategic plan specific to FIMA that 
incorporates specific goals and objectives for NFIP, determining 
whether FIMA's performance measures are aligned with and appropriately 
support FEMA's goals for NFIP is not possible. Without a robust set of 
goals and performance measures that are aligned and appropriately 
supported, FIMA is limited in its ability to monitor and hold 
management and staff accountable for program performance and take 
corrective actions as needed. 

FEMA Lacks a Strategic Human Capital Plan That Meets Statutory 
Requirements and Addresses the Agency's Human Capital Challenges, 
Including Those Affecting NFIP: 

The Post-Katrina Emergency Management Reform Act of 2006 (PKEMRA) 
required FEMA to develop a strategic human capital plan that included 
an assessment of the critical skills and competencies required for its 
workforce.[Footnote 16] While FEMA developed a 2008-2012 Strategic 
Human Capital Plan, we found that the plan did not meet PKEMRA's 
requirements. PKEMRA required that the plan include an assessment of 
(1) the critical skills and competencies that would be needed in the 
workforce during the 10-year period after the law was enacted; (2) the 
skills and competencies of the FEMA workforce and projected trends in 
that workforce based on the expected losses due to retirement and 
other attrition; and (3) staffing levels for each category of employee 
and gaps that should be addressed to ensure that FEMA has continued 
access to the necessary critical skills and competencies. In addition, 
PKEMRA requires FEMA to develop a "Plan of Action" to address gaps in 
critical skills and competencies, including: 

* specific goals and objectives for recruiting and retaining 
employees, such as recruitment and retention bonuses; 

* specific strategies and program objectives to develop, train, 
deploy, compensate, motivate, and retain employees; 

* specific strategies for recruiting staff with experience serving in 
multiple state agencies responsible for emergency management; and: 

* specific strategies to develop, train, and rapidly deploy a surge 
capacity force. 

FEMA's plan--including a 2010 Human Capital Operational Plan--did not 
address all PKEMRA requirements. For example, it did not define the 
critical skills and competencies that FEMA would need in the coming 
years or provide specific strategies and program objectives to 
motivate, deploy, and retain employees, among other things. In an 
October 2009 report, NAPA also stated that FEMA's plan did not meet 
certain PKEMRA requirements, which the report described as being 
focused on understanding and planning for the current and future 
workforce. NAPA also recommended that FEMA strengthen its human 
capital planning.[Footnote 17] One NAPA official noted that the 2008-
2012 Strategic Human Capital Plan is essentially a "plan to develop a 
workforce plan." 

We have noted in previous work that agencies should develop human 
capital strategies--including succession planning, training, and staff 
development--to eliminate gaps between current skills and competencies 
needed for mission success.[Footnote 18] FEMA's human capital plan 
does not have strategies to address retention challenges or 
contractors, among other things. For example, FEMA experiences 
frequent turnover in key positions and divisions that can result in 
lost productivity, a decline in institutional knowledge, and a lack of 
continuity for remaining staff. Within the past several years, key 
leadership has also changed within several key FEMA offices that 
support FIMA in some NFIP activities. For example OCCHCO has hired its 
third chief in the last 2 years. Further, FEMA has experienced 
turnover in several of the offices that provide critical mission 
support services to NFIP. For example, OCPO, which had 88 permanent 
full-time (PFT) staff at the beginning of FY 2007, had lost 59 
employees as of August 2010. FEMA staff told us the high turnover had 
resulted in the loss of institutional knowledge, specialized skills, 
and management continuity and efficiency. 

FEMA also faces challenges in hiring, which has been a major focus of 
its workforce operations. As of the third quarter of fiscal year 2010, 
approximately 876 of FEMA's 4,916 funded positions were unfilled. 
Further, both FEMA program officials and OCCHCO, which screens 
candidates, said that OCCHCO often sent candidates without the 
requisite skills forward to the program offices that typically make 
the final hiring decisions. OCCHCO officials told us that in several 
instances program offices had not properly aligned announcements and 
position descriptions, so that candidates appearing to meet the 
requirements of the position description did not meet the actual 
requirements of the position. OCCHCO officials added they were working 
to improve the situation. 

FEMA also lacks accurate data on its current staffing levels, largely 
because of IT issues, exacerbating the difficulties of workforce 
planning. In a 2009 review of OCCHCO, NAPA found that frequent 
shifting of organizational resources over the previous 6 years, the 
lack of a single system to track and account for the workforce, 
complexities associated with tracking multiple workforce categories, 
and problems with FEMA's human resource management system had hindered 
efforts to obtain complete and accurate human capital data for review. 
[Footnote 19] According to NAPA, these shortcomings had significant 
consequences in 2009, when FEMA established an informal hiring freeze 
because the number of staff hired exceeded authorized levels. In 2010, 
the Homeland Security Studies and Analysis Institute also found a 
discrepancy of around 700 filled positions between FEMA's manpower 
database and National Finance Center data.[Footnote 20] The institute 
found that the two most common discrepancies in employee data were 
errors involving on the employees' work unit and activities. OCCHCO 
officials said they had also experienced difficulties with human 
resource management systems. Most recently, in 2010 DHS deployed the 
Talent Link system to manage its human resource needs, but the system 
was found to be incompatible with government human resource systems 
and processes. As a result, a few months after Talent Link was 
deployed DHS phased it out and moved FEMA to the USA Staffing system. 

In addition, in spite of the importance of the work of contractors to 
NFIP's activities, FEMA does not centrally track the number of 
contractors or the type of work they do. For example, FIMA staff 
estimated that one of its divisions had as many as 10 contractors per 
FIMA staff member, and other FEMA staff said that they were unable to 
estimate the number of contractors. According to a FEMA Workforce 
Baseline Assessment conducted by the Homeland Security Studies and 
Analysis Institute, examining the federal workforce alone cannot fully 
assess FEMA's full human capital capability.[Footnote 21] The 
assessment went on to note that contract support must be considered in 
any discussion of FEMA staffing because contractors do not just 
supplement staff efforts but perform a substantial amount of FEMA's 
work. Unless FEMA tracks its contractors, it is severely limited in 
its ability to assess the total workforce and their respective roles 
and to plan for future staffing needs. However, pursuant to the 
Consolidated Appropriations Act of 2010, the head of DHS, which 
includes FEMA, is now required to prepare an annual inventory of 
service contracts it awards or extends through the exercise of an 
option.[Footnote 22] The initial inventory was due not later than 
December 31, 2010, and annually thereafter. As part of the inventory, 
DHS must include the number and work location of contractor and 
subcontractor employees expressed as full-time equivalents for direct 
labor, compensated under the contract.[Footnote 23] 

FEMA told us it had begun developing an initial workforce assessment 
that it planned to complete in 2012, but the agency is uncertain 
whether it will include contractors in this study. According to FEMA 
staff, a new strategic human capital plan is also under review, and 
therefore, FEMA could not provide us with a copy. As a result, we were 
unable to determine whether it addressed PKEMRA's requirements and the 
human capital challenges that NFIP faces. Without a human capital plan 
that, at a minimum, meets PKEMRA's requirements, includes a 
comprehensive workforce assessment that identifies staffing and skills 
requirements, addresses turnover and staff vacancies, and analyzes the 
use of contractors, FEMA will continue to have difficulty hiring and 
retaining staff and managing its contractors. 

Neither FEMA nor FIMA Has a Plan to Ensure That Key NFIP Operations 
Are Maintained When Staff Are Deployed During a Disaster: 

As we have previously reported, neither FEMA nor FIMA has a plan to 
help ensure that agency operations, including NFIP's, are maintained 
when a federal disaster is declared and staff are required to respond 
to it.[Footnote 24] Without such a plan, FEMA faces the risk that some 
critical day-to-day functions may not be performed while staff are 
deployed, limiting the agency's ability to provide the necessary 
support for disaster relief missions. In addition to their 
responsibilities for day-to-day operations, FEMA employees are also 
expected to be on call during disasters for potential assignment to 
disaster-related activities, including deployment to field operations. 
FEMA staff told us that neither FIMA nor FEMA had a program-specific 
or agencywide plan that covered all of its staff and functions, 
including NFIP. According to a FEMA official, while program offices 
have some ability to make decisions about how many mission-critical 
staff to deploy to the field during a disaster and how many to keep in 
their office positions, the current administrator has made it clear 
that when a disaster hits, the priority is to deploy staff to the 
field. 

As was the case with Hurricane Katrina, FEMA staff can be deployed for 
weeks or months and, during that time, are often performing duties in 
the field that take them away from their day-to-day responsibilities. 
According to a recent study by the Homeland Security Studies and 
Analysis Institute, FEMA staff found that operating normally during 
and immediately after a disaster was problematic due to staff 
deployment and an increased workload due to the disaster.[Footnote 25] 
For this reason, planning for business continuity management and 
deployment planning are particularly important for the agency. 
[Footnote 26] We previously reported that FEMA did not have guidelines 
on what constitutes a mission-critical position, had not conducted an 
assessment of the minimum level of support that would be necessary to 
keep the agency fully operational, and thus had limited guidelines for 
deciding who should be deployed.[Footnote 27] In addition, the report 
found that nearly 57 percent of FEMA's permanent employees who are 
deployable do not have assigned deployment job titles or roles that 
would facilitate deployment during a disaster. Without a plan for 
deploying staff during a disaster, FEMA faces the risk that critical 
functions, such as managing NFIP operations, may not be performed 
while staff are deployed to the field during a natural disaster, 
increasing the likelihood that the agency will be unable to provide 
the necessary support for disaster relief missions. 

Instances of Ineffective Collaboration between FIMA and Mission 
Support Have Complicated FEMA's Administration of NFIP: 

FIMA relies on Mission Support for a variety of mission-critical 
functions, including IT, acquisition, and financial management, but 
FIMA and Mission Support have faced challenges in collaborating with 
one another. In our prior work, we have identified eight practices 
that agencies can use to enhance and sustain their collaborative 
efforts: 

* Define and articulate a common outcome. 

* Establish mutually reinforcing or joint strategies. 

* Identify and address needs by leveraging resources. 

* Agree on roles and responsibilities. 

* Establish compatible policies, procedures, and other means to 
operate across agency boundaries. 

* Develop mechanisms to monitor, evaluate, and report on results. 

* Reinforce agency accountability for collaborative efforts through 
agency plans and reports. 

* Reinforce individual accountability for collaborative efforts 
through performance management systems.[Footnote 28] 

While these practices were originally developed for collaboration 
among federal agencies, they can apply to collaboration between FIMA 
and the offices that support it. 

Information Technology Systems Were Developed without Full 
Collaboration between FIMA and the Office of the Chief Information 
Officer: 

OCIO's stated function is to assist FEMA offices in IT development and 
to help ensure they follow the agency's established processes for IT 
system implementation. However, FIMA and OCIO faced challenges in 
agreeing on roles and responsibilities and establishing mutually 
reinforcing or joint strategies. For example, FIMA officials said they 
had experienced difficulty in the past getting timely approvals from 
OCIO for IT programs and contracts for NFIP and had sought ways to 
streamline the process, including using contractors rather than OCIO 
staff. FIMA officials also said that OCIO's certification and 
accreditation (C&A) process--which determines whether systems are 
certified to become operational--could be lengthy. They said they had 
to wait months for C&A approval for at least two mission-critical 
systems, one of which had been held up for about 9 months as of 
February 2010. One official said this problem had arisen because the 
C&A process lacked a formalized structure and communication between 
FIMA and OCIO was inadequate. OCIO officials acknowledged that some 
communication problems existed and said they were aware of FIMA's 
concerns. OCIO's primary concern, however, was that at times FIMA 
would perform IT functions independently from OCIO and believed that 
involving OCIO would help streamline IT development. For example, an 
OCIO official said that assessing and approving a $1 million 
investment would require 30 to 45 days. 

OCIO officials also said that 95 percent of FEMA's known systems were 
certified but noted that other systems, including some of FIMA's that 
affect NFIP, might have been developed independently of OCIO and thus 
lacked its approval. For example, in the past year OCIO discovered 
five FEMA human resources programs that were developed without its 
knowledge or involvement. OCIO now requires that all systems on FEMA's 
network complete the C&A process and be approved by the CIO, because 
undocumented systems can create risks that are difficult to correct. 
In accordance with the Federal Information Security Management Act of 
2002 (FISMA), OCIO is creating an inventory of IT systems for each of 
FEMA's offices. OCIO officials said that once the portfolio lists had 
been verified, OCIO would address the backlog of pending C&As. FEMA 
also developed an Acquisition Review Board (ARB) to help ensure that 
IT systems within the agency are developed with the CIO's involvement, 
because the acquisition system requires the CIO's approval at key 
points in the IT development process. 

OCIO is also taking steps to improve collaboration with FEMA's program 
offices, but it is too early to determine if the issues with FIMA have 
been fully addressed. For example, in January 2008 OCIO began 
assigning a customer advocate to each program office to help it better 
understand the IT needs of FEMA's program offices and to act as 
liaisons. The customer advocates are responsible for understanding all 
of the systems that are needed to support their assigned program 
offices and for regularly updating the CIO. FIMA's customer advocate 
said he met frequently with FIMA officials to resolve IT issues that 
arose and he was aware of only one major issue--the need to replace 
the legacy policy and claims processing system. While FIMA officials 
have mentioned a number of processes that could benefit from greater 
automation, including document management and budget formulation, it 
is unclear whether they have communicated these needs to their 
customer advocate. Until cooperation between FIMA and OCIO improves, 
FEMA will be unable to ensure that FIMA's and NFIP's IT needs are 
adequately met. 

FIMA and the Office of the Chief Procurement Officer Have Differed on 
Implementing a Policy for Small Business Contracts: 

FEMA has exceeded its goals for awarding contracts to small 
businesses, but FIMA and OCPO have differed on the question of how the 
policy for setting aside these contracts should be implemented. The 
federal government's goal for participation by small business concerns 
is at least 23 percent of the total dollar value of all prime contract 
awards for each fiscal year. By comparison, FEMA's fiscal year 2010 
goal of 31.9 percent was higher because, according to OCPO officials, 
DHS noticed that FEMA was exceeding its previous targets and wanted to 
provide incentives for continuing to exceed them.[Footnote 29] In 
general, before setting aside a contract for competition among small 
businesses, an agency must conduct market research to determine 
whether there is a reasonable expectation of obtaining offers from at 
least two small businesses that could meet the contract's 
requirements. OCPO officials make this determination within FEMA. If 
the program office objects to the decision, OCPO generally asks the 
office to support its position. If a disagreement persists, the Head 
of Contracting Activity has traditionally resolved the disagreement 
informally.[Footnote 30] No formal process exists for resolving these 
disagreements or appealing decisions.[Footnote 31] 

FIMA officials said that in several instances the use of small 
business contracts has caused inefficiencies for NFIP. According to 
these officials, flood insurance work is better suited to large 
businesses. For instance, in 2007 OCPO decided to split one of FIMA's 
contracts--which covered many areas of NFIP, including marketing, 
training, and data management--into five smaller contracts that were 
more conducive to small business involvement. According to FIMA 
officials, OCPO did not involve FIMA sufficiently in this decision and 
did not sufficiently consider how it would affect FIMA, which would 
need additional staff to monitor the contractors and would lose 
experienced contractors. OCPO officials disagreed, noting, among other 
things, that the requirements for each contractor were outlined in the 
contract's solicitation and only contractors that could meet the 
requirements were considered.[Footnote 32] No formal process exists 
for resolving the disagreement, and whether OCPO effectively 
communicated to FIMA how it could justify its position is unclear. 
Such disagreements indicate a need for those involved to improve their 
collaboration by establishing mutually reinforcing or joint strategies 
to achieve common outcomes. 

According to FIMA officials, these disagreements have created 
inefficiencies that have required extra work to resolve--for instance, 
lengthening the time required to complete certain processes. 
Recognizing that it needed to improve its relationship with program 
offices, OCPO management appointed an individual to reach out to and 
help them recognize the value of OCPO's services. OCPO officials said 
that program offices now understand they must work with OCPO, and OCPO 
hopes to improve the relationship and help the program offices to 
better understand how beneficial the procurement office can be. OCPO 
officials said that the office now acts as an advocate for the program 
offices to DHS and helps improve communication by explaining to 
program offices the reasoning behind DHS's various requirements. 
Without further improvements in this area, however, FEMA cannot fully 
ensure that NFIP's acquisition needs are being met. 

Coordination between the Office of the Chief Financial Officer and 
FIMA on Budgetary Needs Was Limited: 

FIMA and OCFO have not fully coordinated solutions to FIMA's budget 
formulation process. FIMA officials said they could benefit from 
greater automation of the budget formulation process, which currently 
relies on FEMA's Integrated Financial Management Information System 
(IFMIS). In particular, FIMA officials have said they need a system 
for building their budget, a process that involves estimating expected 
policy fee revenue and identifying and allocating funds from six 
appropriations. OCFO currently provides FIMA with spreadsheets for 
formulating the budget that contain templates for the spending plans 
detailing the resources required to execute programs, projects, and 
activities. OCFO officials acknowledged that the current process was 
more time consuming and prone to data entry errors than an automated 
system would be. FIMA officials noted that using these spreadsheets 
was particularly challenging because of fluctuations in NFIP premium 
revenues. 

To address some of these concerns, OCFO developed an automated budget 
formulation tool and is customizing it to meet the agency's needs. 
OCFO expects that the new tool will act as an interface with its 
current systems and ease budget formulation by eliminating the use of 
spreadsheets and allowing FIMA and other program offices to develop 
spend plans directly in the system. The tool became operational within 
OCFO in March 2011, and OCFO plans to implement it FEMA-wide on a 
rolling basis throughout fiscal year 2011 to allow time to train 
staff. However, both OCIO and FIMA said they did not have adequate 
input into the development of the new system, and the extent to which 
OCFO ever defined and documented system needs and requirements is 
unclear. In particular, FIMA officials said that OCFO may not have 
fully understood FIMA's needs regarding formulation and execution of 
NFIP's budget and the challenges created by fluctuating premium 
revenues. 

Officials from KPMG, the auditor retained by DHS, also said they had 
noticed communication challenges within FEMA, particularly between 
FIMA and OCFO. For instance, KPMG found that FIMA had changed its 
method for estimating its deferred revenue, and as DHS reported in 
2008, had not communicated this change to OCFO.[Footnote 33] While 
KPMG reports that this condition was corrected in fiscal year 2009, to 
prevent future problems the auditor recommended that FEMA develop 
better methods of communicating such changes. KPMG also found that 
FEMA had not completed its documentation of formal business policies 
and procedures for several of the roles, responsibilities, processes, 
and functions performed within FEMA.[Footnote 34] Without better 
collaboration and communication between FIMA and OCFO, FEMA will be 
unable to fully ensure that NFIP's financial and budgetary needs are 
being met. 

FEMA Lacks Electronic Systems and Related Policies That Could Improve 
Its Administration of NFIP: 

FEMA is a paper-based agency and has no centralized electronic 
document management system that would allow its administrative, 
regional, and program offices--including FIMA--to easily access and 
store documents. According to the National Archives and Records 
Administration (NARA), a record enters the document life cycle at its 
creation and remains in the system through its use, maintenance, and 
disposition.[Footnote 35] Records enable and support an agency's 
ability to fulfill its mission, and because records contain 
information, taking a systematic approach to managing them is 
essential. According to NARA, effective records management helps 
deliver services in a consistent and equitable manner; facilitates 
effective performance throughout an agency; protects the rights of the 
agency, its employees, and its customers; and provides continuity in 
the event of a disaster. According to NARA, from a strategic 
perspective, agencies lacking effective records management policies 
and procedures can hinder their ability to respond swiftly to 
opportunities, events, incoming requests, and investigations, and to 
effectively implement policy. From an operational perspective, such 
agencies may waste internal resources searching for or recreating 
records, while at the same time incurring storage costs for records 
that are not properly purged. From a regulatory standpoint, such 
agencies can face fines, sanctions, and convictions from noncompliance 
with federal statutes, rules, and regulations. Finally, from a legal 
perspective, such agencies can use excessive time, costs, and 
resources during discovery in order to retrieve needed materials from 
poorly organized records. 

According to a FEMA official, while there is broad consensus on the 
need for a centralized electronic document management system, 
currently no such system is in use. According to FEMA staff, FIMA has 
electronic systems in place for claims processing and correspondence 
recordkeeping, and FIMA's Risk Insurance Division has a system in 
place that is used for document archiving for its division. FEMA's 
Records Management Division told us it had instructed program offices 
needing a records management system immediately to continue the use of 
existing document management systems until DHS implements such a 
system. However, the agency has no policies or procedures in place for 
implementing such electronic systems. FEMA officials told us they had 
not implemented an agencywide system, even on an interim basis, 
because they were waiting for a decision from DHS on a centralized 
system. 

Further, FEMA lacks effective and systematic procedures to fully 
ensure that it appropriately retains and manages its records.[Footnote 
36] While DHS has an overall records management directive, FEMA's 
agency-specific guidance is outdated. For example, the guidance does 
not provide clear direction on electronic recordkeeping but does 
contain direction on file cabinet sizes and the use of candles in file 
rooms. FEMA Records Management officials were unable to tell us when 
an updated directive would be forthcoming. FEMA officials also said 
they had a plan for annually updating file plans that staff were 
supposed to follow but did not have processes in place to ensure that 
the plans actually were updated.[Footnote 37] 

As result of this lack of updated policy and guidance, FEMA's 
recordkeeping practices, which apply to NFIP, may not conform with the 
requirements of federal records management laws and regulations and 
may not adhere to Standards for Internal Controls in the Federal 
Government, which state that management should ensure that relevant, 
reliable, and timely information is available for decision making and 
external reporting.[Footnote 38] For example, in our review, FEMA 
staff told us they were storing documents using a system of file 
rooms, personal file cabinets, and document-sharing software with 
limited staff access. According to FIMA staff, documents can be 
difficult to locate and at times have been lost or thrown away when 
staff separate from the agency. FEMA staff also told us they had faced 
decreased productivity due to lost packages, delays in budget 
execution and policy decisions, destroyed documents, and duplicated 
efforts. In addition, because FEMA staff are currently spread across 
several different locations in the Washington, D.C., area and 10 field 
offices across the country, progress in meeting NFIP goals can be 
slowed by staff's inability to locate, transfer, and archive documents 
across all of these locations. 

FEMA has taken two actions that could help to ensure that its current 
paper-based records are effectively managed. First, in fiscal year 
2010 DHS required all staff to take records management training on 
their individual responsibilities for maintaining agency records. FEMA 
officials told us this training was the first of its kind that the 
agency had offered. Second, FEMA has begun identifying staff to act as 
records liaison officers in each program office. Records liaison 
officers are responsible for helping ensure that records are kept in 
accordance with the agency's file plan. Agency officials told us they 
relied heavily on records liaison officers to provide oversight in 
these areas. However, FEMA has not yet identified records liaison 
officers for each section of the agency and has not yet conducted a 
review or audit to fully ensure that records were being systematically 
retained and managed. Until FEMA addresses the agency's immediate need 
for a centralized document management system and develops effective 
policies guiding the use of electronic systems, staff will continue to 
face challenges maintaining records, affecting FEMA's ability to make 
effective decisions and report accurately on its finances and 
operations. 

FEMA's Outdated Financial Management Systems and Processes Have 
Created Challenges and Left Unliquidated Obligations Unresolved: 

Our review of FEMA's financial management found that staff faced 
multiple challenges in their day-to-day operations due to limitations 
in the systems they must use to perform these operations. OCFO staff 
told us that one of the greatest challenges they faced in carrying out 
their financial management responsibilities was using unautomated and 
often disparate systems. For example, they said that some of their 
systems for invoicing, travel management, and debt collection did not 
interface with FEMA's financial management system and, as a result, 
they had to manually enter data in FEMA's system. In addition, OCFO 
staff said that because their current travel management system was 
difficult and time consuming to use, they employed a paper-based 
process for staff travel. While FEMA has plans to implement a new 
system, a FEMA official told us the new system would also be time 
consuming to use--for example, it would not allow staff to process 
multiple travel orders in a short period of time, as would be required 
during emergency deployment. Finally, OCFO staff said that both the 
current debt collection and Department of Justice grant systems for 
nondisaster grants required that grant obligations be entered 
manually. According to FEMA officials, DHS is currently in the process 
of developing a DHS-wide grants management system; however, they 
estimated the system would take roughly a few more years to fully 
develop and implement. 

The lack of automated systems for budget formulation and execution 
helped to make these tasks two of its biggest challenges. As we have 
seen, FIMA currently uses a system of spreadsheets to formulate fiscal 
year budgets and to track overall budget expenditure and specific line-
item expenses. According to FIMA officials, spreadsheets can be 
corrupted and data are prone to errors because staff work on multiple 
versions. In addition, FIMA staff also told us they faced challenges 
with the paper-based tracking of requisition orders, which are sent 
between departments. In order to determine what was approved or not 
approved in the system on a daily basis, staff must manually track 
requisition packages through various offices. An agency official told 
us that the risks associated with this paper-based process were high 
and there had been instances in which packages were lost or signed for 
by unauthorized staff. These issues have been raised in past audits by 
the DHS's Office of the Inspector General (OIG).[Footnote 39] While 
FIMA has begun to implement an automated tracking system, according to 
FEMA staff, the process was delayed due to IT challenges. 

We have previously reported on weaknesses in FEMA's financial 
management processes.[Footnote 40] For example, we reported that 
internal control weaknesses had impaired FEMA's ability to maintain 
transaction-level accountability; that FEMA's broader oversight 
structures such as WYO company audits, the triennial operational 
reviews of WYOs, and FEMA's claims reinspection program were limited 
in their effectiveness; and that FEMA's initiative to improve specific 
internal control weaknesses and the overall NFIP environment has done 
little to address many of the NFIP financial data deficiencies 
highlighted by the 2005 Gulf Coast hurricanes. In addition, we 
reported that the design of FEMA's financial reporting process 
increased the risk of inaccurate or incomplete data because it did not 
include transaction-level data and places an over reliance on manual 
data entry. Furthermore, our testing of transactions from the Bureau 
and Statistical Agent database found that many transactions either 
lacked or had incomplete insured names, addresses, or policy effective 
dates. As a result, we were unable to test the accuracy of reported 
insured premium amounts or whether policy premium information was 
complete. 

Recent external audits of DHS's financial statements, performed by 
KPMG, have also identified material weaknesses in the area of 
unliquidated obligations.[Footnote 41] As of March 2011, FEMA had a 
total of $3.3 million in unliquidated obligations for NFIP-related 
funds that had been inactive for at least 5 years. According to a FEMA 
official, around $3.0 million of these funds could potentially be 
deobligated and used for new obligations consistent with the purposes 
for which the funds were appropriated.[Footnote 42] According to GAO's 
Standards for Internal Control in the Federal Government, transactions 
should be promptly recorded to maintain their relevance and value to 
management in controlling operations and making decisions. This 
applies to the entire process or life cycle of a transaction or event 
from the initiation and authorization through its final classification 
in summary records." Further, "control activities help to ensure that 
all transactions are completely and accurately recorded." In addition, 
"internal control and all transactions and other significant events 
need to be clearly documented, and the documentation should be readily 
available for examination." All documentation and records should be 
properly managed and maintained. 

KPMG cited the unliquidated obligations issue as a material weakness 
in 2008 and as a significant deficiency in the 2009 and 2010 
Consolidated DHS Audits. According to a FEMA official, in 2009 the 
agency issued an interim directive and procedures for addressing the 
unliquidated obligations issue. For example, it has started to verify 
the age of obligations older than 365 days and is working with points 
of contacts in program offices to certify that the unliquidated 
accounts are still open. However, OCFO told us that staff had sent 
memos to FIMA regarding this issue but that FIMA staff responded they 
were unaware of the amount of the unliquidated obligations and the 
potential amount that might be returned to FIMA. Unless FEMA 
implements processes to better monitor unliquidated obligations, 
including within FIMA, it could lead to inaccurate financial 
statements and affect DHS's overall budget. 

FEMA Has Begun to Implement Changes in Its Acquisition Management 
Activities but Needs to Complete Key Steps: 

FEMA has also identified a number of weaknesses in its oversight and 
management of acquisitions, and DHS and FEMA have taken a number of 
steps to improve these functions. However, because many of these steps 
have either been recently implemented or are still under development, 
the extent to which they will improve FEMA's acquisition management 
remains to be seen. FEMA's acquisition management has traditionally 
been guided by DHS's investment review process, which had four main 
objectives: 

* Identify investments that perform poorly, are behind schedule or 
over budget, or lack capability, so officials can identify and 
implement corrective actions. 

* Integrate capital planning and investment control with resource 
allocation and investment management. 

* Ensure that investment spending directly supports DHS's mission and 
identify duplicative efforts for consolidation. 

* Ensure that DHS conducts required management, oversight, control, 
reporting, and review for all major investments.[Footnote 43] 

FEMA performs three types of acquisition activities: (1) acquisition 
programs, which typically provide a tangible capital asset; (2) 
enterprise service contracts, which provide a service with a direct 
impact on FEMA's ability to carry out its mission; and (3) 
nonenterprise service contracts, which provide a service but do not 
have a direct impact on FEMA's ability to carry out its mission. 
Historically, some FEMA investments have been funded despite not 
receiving adequate review or oversight. Most notably, the NextGen 
system went forward without the necessary reviews and failed after 7 
years and an investment of $40 million.[Footnote 44] Further, the $1 
billion Risk Mapping Assessment and Planning (RiskMAP) program, which 
is an effort to modernize flood hazard mapping, was funded without 
receiving approval from the review board. OCPO officials said that 
this former DHS review board did not sufficiently meet the 
department's acquisition oversight needs, leading DHS to issue an 
interim acquisition directive in November 2008 and a final directive 
in January 2010.[Footnote 45] The directive provides an overall policy 
and structure for acquisition management within DHS describing the 
Acquisition Life Cycle Framework, Acquisition Review Process, and ARB, 
and outlines management procedures and responsibilities related to 
various aspects of acquisition. 

Because the DHS acquisition directive allows its component agencies to 
set internal acquisition processes and procedures as long as they are 
consistent with the DHS directive, in August 2010 OCPO began drafting 
its own acquisition directive and a handbook explaining how to 
implement it. FEMA had circulated its directive, for comments, and 
OCPO officials expect it will be completed within 30 days after 
comments have been collected and incorporated.[Footnote 46] 

One important component of acquisition management is reviewing 
programs through an ARB. FEMA created its ARB in July 2009 and had 
held four meetings as of January 2011. FEMA's ARB includes two co-
chairs (the Deputy Administrator and the Component Acquisition 
Executive), representatives from FEMA's various program offices, heads 
of Mission Support's various offices, and others. While FEMA can 
choose to review any acquisition activity, it requires that certain 
items be presented to the ARB, including all acquisition programs with 
life cycle costs of more than $50 million and enterprise service 
contracts with annual expenditures greater than $20 million.[Footnote 
47] As of January 2011, DHS recognized nine FEMA programs requiring 
FEMA ARB review.[Footnote 48] Seven of these--including the $1 billion 
RiskMAP program--had gone through the FEMA ARB as of January 2011, and 
FEMA plans to review the other two, as well as others, in fiscal year 
2011. As it continues to review its portfolio of programs, it expects 
to add additional programs to this list. In particular, OCPO is 
examining FIMA's acquisition activities and considering adding NFIP 
operations to its ARB list. 

FEMA has also faced challenges in the acquisition and oversight of its 
contractors, which are critical to NFIP. Both OCPO and FIMA officials 
said there had been communication challenges between contracting 
officers who were part of OCPO and Contracting Officer's Technical 
Representatives (COTR) who report to the contracting officers but also 
work in the program offices. OCPO officials said that many COTRs were 
loyal to their program office and communicated with contracting 
officers only when a problem arose. FIMA officials said that 
contracting officers had at times been unresponsive to them, 
particularly when reporting contractor discrepancies. Moreover, both 
we and KPMG previously noted weaknesses in FEMA's oversight of 
contractors. For example, we reported that a lack of monitoring 
records, an inconsistent application of procedures, and a lack of 
coordination diminished the effectiveness of FEMA's monitoring of NFIP-
related contracts.[Footnote 49] Further, KPMG officials said that FIMA 
did not provide sufficient oversight of its contractors, something 
that is of particular concern because FIMA has a relatively high 
proportion of contractor staff. Moreover, DHS's OIG found that 
acquisition personnel could not locate a number of contract files that 
were part of its review including one for a $3 million flood risk 
assessment contract.[Footnote 50] The report said that missing 
contract files created uncertainties, including whether proper 
contracting procedures were followed, contractors were held 
accountable for goods and services, and tax dollars were appropriately 
spent. 

To correct some of its acquisition challenges, FEMA issued a directive 
in September 2009 to clarify the roles, responsibilities, and 
requirements of COTRs in contract administration.[Footnote 51] This 
directive includes, among other things, a COTR Tiered Certification 
Program consisting of credentialing and compliance, and FEMA plans to 
train all of its COTRs to their appropriate certification levels by 
March 2011. Providing further guidance, FEMA also issued a COTR 
handbook in February 2009.[Footnote 52] Among other things, the 
handbook includes training requirements, duties, monitoring and 
surveillance procedures, and documentation requirements. In May 2010, 
OCPO began a technical review of COTRs' Contract Administration Files 
to better ensure that COTRs were adequately documenting their 
contracts. OCPO officials also said that, realizing the importance of 
outreach to FEMA's program offices, they had developed and funded a 
"How to Work with Us" training course and held the agency's first 
annual program management seminar. Moreover, officials from FIMA's 
Risk Insurance Division said they had changed their process for 
monitoring contractors, including requiring the contractors to submit 
monthly monitoring reports. As we have seen, most of these actions are 
relatively new, and some have not been fully implemented. While these 
steps need to be taken, the extent to which they will ensure effective 
oversight of FEMA's acquisition activities remains to be seen. Unless 
FEMA sets a firm timeline for implementing these actions, the agency 
will continue to have difficulty determining whether its acquisition 
processes are cost-effective, particularly those involving contractors. 

FEMA's Emergency Response Culture May Make Implementing New Processes 
a Challenge, but Efforts to Improve Business Processes, including 
within FIMA, Have Been Initiated: 

Several FEMA officials and staff told us that the emergency response 
culture within the agency could create resistance to implementing 
formal business processes, many of which involve NFIP. For example, 
several staff suggested that difficulties in following business 
processes were in part linked to FEMA's emergency response culture-- 
that is, its commitment to responding to disasters rather than 
strategically planning how its response could be improved by 
implementing more efficient office systems, policies, and processes. 
Further, agency officials told us that FEMA staff generally believed 
that formal or bureaucratic processes could impede their progress. 
Officials suggested that these cultural issues had led to both a 
general unwillingness to follow business processes at the staff level 
and limited commitment to planning and oversight at the management 
level. One FEMA official said that while FEMA's culture was part of 
the challenge, the agency had expanded after September 11 and has 
doubled in size since the 2005 Gulf Coast Hurricanes without 
commensurate adjustments in processes and systems. FEMA staff also 
told us that because many of FEMA's processes were manual, FEMA's 
culture had become dependent on people, with staff relying on personal 
relationships to accomplish tasks. 

However, FEMA's Mission Support Bureau told us it had begun a business 
process improvement effort in early 2009 that involved mapping the 
current processes, analyzing them, and determining what changes and 
improvements were needed. FEMA officials stated that the business 
process issues arose because FEMA expanded significantly after 
September 11, 2011, and the agency added new processes to existing 
ones without making necessary adjustments to ensure that the new 
processes were efficient. For example, the process for staff who were 
separating from the agency was mapped as having 117 steps and was 
streamlined to 88 steps. The bureau also determined that personnel 
actions for the regions were done differently than they were for FEMA 
headquarters. Mission Support officials said that as of July 2010 they 
had completed process maps and new internal control frameworks that 
affect NFIP. 

FEMA staff stated that Mission Support had completed several processes 
in areas such as COTR appointment and reappointment, printing, Freedom 
of Information Act requests for contract-related records, personnel 
actions, access control to headquarters facilities, hiring and 
separating for headquarters employees, workers compensation, annual 
property inventory, and the 40-1 requisition process. A FEMA official 
told us that staff had discovered numerous processes that either they 
did not realize they had, were different than those previously 
assessed, or were needed but did not exist. Mission Support staff said 
they had also found many work-around processes and processes that were 
poorly documented or duplicated at different places in the agency. 
FEMA officials told us they had tentative plans to roll out the 
initial changes to processes throughout relevant mission teams in 
2011. In addition, FIMA officials told us they had plans to undertake 
a separate effort to map seven other business processes, including 
those for requisitions, hiring, congressional correspondence, and 
salaries and benefits. Until these mapping processes are complete and 
related internal control processes are developed, a risk exists that 
certain functions will be inconsistently or incompletely carried out 
and adversely affect FEMA's management of NFIP. 

Acquisition Management Weaknesses Led to Cancellation of NFIP's System 
Modernization Project and Offer Lessons for Future Modernization 
Efforts: 

An important example of weaknesses in NFIP's acquisition management 
activities is the canceled development of the Next Generation Flood 
Insurance Management System (NextGen). Despite investing roughly 7 
years and $40 million, FEMA canceled this project in November 2009 
because it failed to meet user expectations. As a result, NFIP must 
now continue to rely on a 30-year old flood insurance management 
system that does not fully support NFIP's mission needs and is costly 
to maintain and operate. A number of acquisition management weaknesses 
contributed to the project's failure and cancellation, and as FEMA 
begins anew to modernize the existing legacy system, it plans to apply 
lessons learned from its NextGen experience. As mentioned earlier in 
this report, FEMA has already implemented some changes to its 
acquisition management practices. However, whether these changes will 
better enable FEMA to avoid the problems that derailed the development 
and implementation of the NextGen system remains to be seen. 

FEMA Canceled Its NextGen Project in November 2009 and Continues to 
Rely on Outdated Existing System: 

NFIP currently uses a flood insurance policy and claims processing 
system that was developed 30 years ago. The system is designed to (1) 
collect data to determine flood insurance premium rates for specific 
properties, (2) collect data on claims made on properties that have 
had flood-related damage, (3) track the progress of policies and 
claims, and (4) prepare legislatively mandated reports for Congress. 
According to FEMA officials, this system is neither efficient nor 
effective and does not adequately support the program's mission needs. 
For example: 

* Staff must manually input data, potentially increasing the 
possibility of data errors that can take as long as 6 months to 
correct. 

* The system provides limited access to data needed to manage the 
program, including policy and claims data provided by WYO insurers, 
which currently requires time-consuming and laborious steps to view 
and change a given file. 

* The system employs 1980s mainframe technology and uses programming 
languages that were current in the 1960s but are not widely used 
today. As a result, the system is costly and difficult to maintain. 

* The system can enforce restrictions on policies or claims only at 
the end of each processing cycle. As a result, the number of errors 
that occur during policy or claim processing is higher than it would 
be if such restrictions were enforced earlier. Correcting these errors 
can add as much as 2 to 3 months to the processing cycle. 

NFIP's attempts to modernize the existing system date back to at least 
the mid-1990s, when NFIP tried to move the system's applications and 
data onto a more modern hardware and software infrastructure. However, 
this effort was not successful and was canceled in the late 1990s. 
According to NFIP officials, the effort failed in part because system 
users were not sufficiently involved in the design process and project 
management capabilities were inadequate. 

In 2002, NFIP awarded a contract for the development of the NextGen 
system, which was to be deployed and operational by April 2007. 
According to program plans, NextGen was to employ modern technology 
and reengineered business processes to, among other things, improve 
the accuracy and completeness of policy and claims data and provide 24-
hour-a-day transaction processing and customer service. To meet these 
goals, five system applications were to be developed, all of which 
were to be supported by a new centralized database. 

1. Transaction Record Reporting Process (TRRP), which was to collect 
data from the WYO insurers and flood insurance vendors on policies and 
claims, conduct front-end balancing of financial data, perform checks 
for errors in issued policies and processed claims, and develop 
financial and statistical reports.[Footnote 53] 

2. Simple and Quick Access Net (SQANet), which was to permit 
standardized and customized reporting of NFIP data. 

3. Flood Rating Engine Environment (FREE), which was to generate 
online flood insurance rates and quotes. 

4. Flood Financial Management (F2M), which was to provide an interface 
for NFIP financial stakeholders (NFIP bureaus, WYO companies, and 
vendors) to enter, update, submit, and process monthly financial data. 

5. ezClaims, which was to provide an interface for authenticated 
claimants to view, edit, and process disaster and claims data. 

To deliver the system, the contractor adopted a spiral development 
methodology, which involves the development of prototype applications 
that are tested and assessed by users and refined accordingly. Between 
2004 and 2007, the five NextGen system applications and the supporting 
centralized database were prototyped, pilot tested, and modified. In 
May 2008, a production version of NextGen was placed into operational 
use. Shortly thereafter, however, users began reporting serious 
problems with the system's performance, such as inaccurate 
calculations and erroneous data. For example, the system showed no 
claims received or processed for the entire state of Alaska, despite 
the fact that the legacy system showed numerous claims. 

Shortly thereafter, NFIP decided to revert to its legacy system, and 
as a result was forced to extend this system's operations and 
maintenance contract. At the same time, NFIP decided to conduct user 
testing on NextGen in late 2008 and early 2009. During this testing, 
system users identified additional problems, causing FEMA leadership 
to establish an Executive Steering Committee to decide how best to 
proceed. The committee included FEMA's Director for Acquisition 
Management, Chief Information Officer (CIO), Assistant Administrator 
for Mitigation, and other senior-level executives. To support the 
steering committee, two assessments were performed: one by the DHS 
Emergency Management Inspector General that focused on FIMA's 
management and oversight of both the legacy system contractor and the 
NextGen contractor; and one by OCIO that focused on what could be 
salvaged from NextGen. In November 2009, based on interim results from 
the assessments, FEMA leadership decided to cancel NextGen. 

In June 2010, FEMA leadership transferred responsibility for 
modernizing NFIP's legacy system to OCIO. According to the CIO, the 
next attempt to modernize NFIP's legacy system will begin with a 
determination of the "degree of fit" between the NextGen applications 
and NFIP's business requirements. To meet this goal, OCIO intends to 
first develop a clear understanding of NFIP's business requirements. 
Next, it will test the NextGen software applications against these 
requirements to determine what gaps exist. During this time, OCIO also 
intends to establish a project office capable of managing the effort. 
As of March 2011, OCIO has hired a new project executive and project 
manager and is in the process of developing project management 
documentation, such as a mission needs statement and capability 
development plan. 

NFIP will now have to rely on its legacy system for an unspecified 
period of time. As a result, NFIP's ability to manage its flood 
insurance operations will continue to be hampered by this system's 
limitations. In addition, NFIP will have to continue to invest in the 
operations and maintenance of this system, which between June 2009 and 
June 2010 cost approximately $9.35 million to operate and maintain. 
According to the FEMA Acting Assistant Administrator for Mitigation, 
NFIP is currently in the process of negotiating a 2-year contract 
extension for operating and maintaining the legacy system. 

Acquisition Management Weaknesses Led to the Cancellation of NextGen: 

Weaknesses in several key system acquisition areas led to NextGen's 
failure and cancellation. Specifically, business and functional 
requirements were not sufficiently defined; system users did not 
actively participate in determining the requirements for the 
development of system prototypes or in pilot testing activities; test 
planning and project risks were not adequately managed; and project 
management office staffing was limited. These weaknesses can, in turn, 
be attributed in large part to a general lack of executive-level 
oversight and attention to the project's status. 

NextGen Requirements Were Not Well Defined: 

Well-defined requirements are a cornerstone of effective system 
acquisition. According to recognized guidance, documenting and 
implementing a disciplined process for developing and defining 
requirements can help reduce the risk of developing a system that does 
not perform as intended and does not meet user needs.[Footnote 54] 
Such a process includes, among other things, (1) establishing a 
complete and unambiguous set of high-level requirements that can form 
the basis for defining the more detailed requirements that guide 
system development, and (2) involving users throughout the development 
process. For NextGen, neither of these conditions were met. 

According to industry practices, high-level system requirements become 
the basis for the development of more detailed requirements that, in 
turn, can be used to develop specific software. Without complete and 
clear high-level requirements, sufficiently defining the more detailed 
requirements will be unlikely, in turn creating the risk that the 
resulting system will not meet users' needs. While NFIP did conduct 
activities intended to elicit NextGen requirements, these 
requirements--which NFIP refers to as "business requirements"--were 
neither complete nor clear. Specifically, NFIP established five 
working groups to review and refine business processes and provided 
the NextGen system developer with NFIP operational manuals. These five 
groups, which were associated with five business areas--claims, 
marketing, financial management, underwriting, and information 
technology--were each expected to produce a set of recommended 
business requirements. However, FEMA officials described the groups' 
efforts as largely based on oral communications, resulting in 
misunderstandings and poorly documented requirements. For example, one 
working group produced four different models of business processes, 
all of which were provided to the system developer as a basis for 
defining more detailed system requirements. According to the system 
developer, reconciling differences in these models contributed to the 
challenges in defining the requirements for NextGen. 

NFIP also provided the system developer with its operational manuals 
(e.g., flood insurance manuals, specific rating guidelines, and 
transaction reporting process manuals).[Footnote 55] However, none of 
these manuals were current and complete, according to NFIP officials. 
For example, officials told us the manuals were constantly changing 
and did not fully reflect actual flood insurance underwriting 
practices. According to these officials, only the NFIP subject matter 
experts had sufficient knowledge about the practices actually being 
employed. However, the subject matter experts were not sufficiently 
involved in defining business requirements. As a result of this 
inadequate information, the system developer had to interpret the 
business requirements, leading to the development of more detailed 
requirements that were later found to be incomplete and inaccurate. 
Specifically, an assessment done by FEMA's CIO found that NextGen's 
business and functional requirements were not sufficiently complete or 
decipherable and were otherwise not captured in accordance with 
industry standards.[Footnote 56] 

Further, users were not sufficiently involved in defining 
requirements. Best practices for defining and managing system 
requirements also include eliciting user needs and involving users 
throughout the development process. Continued user involvement is 
particularly essential to a project for which high-level operational 
or business requirements have not been well defined, as was the case 
with NextGen. Recognizing the limitations in the business 
requirements, and consistent with practices associated with the spiral 
development methodology employed on NextGen, the system developer 
conducted a series of application prototyping and pilot testing 
activities between 2004 and 2006. According to officials from both 
FIMA and its contractor, these activities were intended to, among 
other things, discover new system requirements and clarify existing 
requirements by having groups of users interact with the system 
developers on early versions of the applications. 

However, according to FIMA and the contractor, key subject matter 
experts did not participate in these prototyping and piloting efforts, 
particularly in the area of NFIP's underwriting process. Instead, user 
participation was largely confined to the WYO insurance companies and 
flood insurance agents that participated in NFIP. To increase user 
participation, NFIP established the NextGen Executive Decision Group 
in January 2006. However, minutes of the group's meetings during 2006 
and 2007 indicate that limited involvement of key NFIP internal users 
continued to hinder efforts to define NextGen system requirements. 
Moreover, the CIO assessment found that stakeholders were not 
adequately engaged in efforts to develop requirements. In particular, 
the assessment found that NFIP stakeholders' needs and concerns had 
not been adequately solicited and their approval of and commitment to 
requirements were not obtained. 

NextGen Testing Was Not Effectively Managed: 

Effective testing of a system like NextGen is essential to ensuring 
that the system functions as intended and meets mission needs and user 
expectations. As we have previously reported, an overarching test plan 
or strategy is critical for effective system testing.[Footnote 57] 
Among other things, this overall test management plan should: 

* define the type and timing of the developmental and operational test 
events and activities; 

* allow for detailed test planning and execution and ensure that the 
progress of the tests can be tracked and results reported and 
addressed; 

* define the roles and responsibilities of the various groups that are 
responsible for the test events; and: 

* provide a high-level schedule for planned events and activities. 
[Footnote 58] 

Without such a plan, a risk exists that system testing will occur in 
an ad hoc and undisciplined fashion and that problems will not be 
discovered until late in the system's development cycle, when they are 
more difficult and costly to correct. 

NFIP did not develop an overall NextGen test management plan or create 
a high-level schedule of the testing activities that would be 
performed. Instead, NFIP allowed its system development contractor to 
determine which tests to perform and how and when they would take 
place. According to the NextGen COTR, the types of testing events that 
were actually performed by the contractor were application prototyping 
and pilot tests between 2004 and 2006, followed by functional, 
regression, and system usability testing in 2006 and 2007. NextGen 
testing also included user testing conducted by NFIP in 2008 and 2009. 

Individual Test Events Were Not Well Planned: 

Along with an overarching plan, specific, well-defined test plans are 
necessary if testing is to be effective. According to relevant 
guidance, test plans should specify each of the following key 
elements:[Footnote 59] 

* Roles and responsibilities: Identifies individuals or groups that 
are to perform each aspect of the specific test event, such as test 
operators and witnesses, and the functions or activities they are to 
perform. 

* Environment and infrastructure: Identifies the physical facilities, 
hardware, software, support tools, test data, personnel, and anything 
else necessary to support the test event. 

* Tested items and approach: Identifies the object of testing (such as 
specific software or hardware attributes or interfaces) and describes 
the method used to ensure each feature of these objects is tested in 
sufficient detail. 

* Traceability matrix: Consists of a list of the requirements that are 
being tested and maps each requirement to its corresponding test 
cases, and vice versa. 

* Risk and mitigation strategies: Identifies issues that may adversely 
affect successful completion of testing, the potential impact of each 
issue, and contingency plans for mitigating or avoiding these issues. 

* Testing schedule: Specifies milestones, duration of testing tasks, 
and the period of use for each testing resource (e.g., facilities, 
tools, and staff). 

* Quality assurance procedures: Defines a process for ensuring the 
quality of testing, including steps for recording anomalies or defects 
that arise during testing and steps for making changes to approved 
procedures. 

Test plans were not developed or used for prototype and pilot testing 
performed by the contractor between 2004 and 2006. According to the 
NextGen COTR, formal system testing was not considered necessary 
during prototyping and pilot efforts under the spiral system 
development approach.[Footnote 60] While testing performed during such 
efforts is understandably less formal, the absence of any test plan is 
not consistent with relevant guidance. As we have previously reported, 
system pilots should be guided by a documented test plan that 
includes, for example, the type and source of data and the associated 
analysis necessary to determine the success of the pilot test. 
[Footnote 61] 

The contractor did develop test plans for the functional, regression, 
and usability testing of the NextGen applications that occurred in 
2007 and 2008. Specifically, the contractor prepared, and the COTR 
approved, test plans for each test event for each application. 
However, none of these plans had all of the key elements of effective 
test planning. In particular, while most of the plans addressed roles 
and responsibilities, environment and infrastructure, test items and 
approach, and quality assurance, only two included a testing schedule, 
and none included a traceability matrix or the risks to be mitigated 
(see table 1). 

Table 1: Summary of NextGen Application Test Plans' Satisfaction of 
Key Elements of Relevant Guidance: 

Key NextGen applications: Flood Rating Engine Environment (FREE); 
Roles and responsibilities: fulfilled; 
Environment and infrastructure: fulfilled; 
Tested items and approach: fulfilled; 
Traceability matrix: not fulfilled; 
Risk and mitigation strategies: not fulfilled; 
Testing schedule: not fulfilled; 
Quality assurance procedures: fulfilled. 

Key NextGen applications: Flood Financial Management (F2M); 
Roles and responsibilities: fulfilled; 
Environment and infrastructure: fulfilled; 
Tested items and approach: fulfilled; 
Traceability matrix: not fulfilled; 
Risk and mitigation strategies: not fulfilled; 
Testing schedule: fulfilled; 
Quality assurance procedures: fulfilled. 

Key NextGen applications: Simple and Quick Access Net (SQAnet); 
Roles and responsibilities: fulfilled; 
Environment and infrastructure: fulfilled; 
Tested items and approach: fulfilled; 
Traceability matrix: not fulfilled; 
Risk and mitigation strategies: not fulfilled; 
Testing schedule: not fulfilled; 
Quality assurance procedures: fulfilled. 

Key NextGen applications: Transaction Record Reporting Process (TRRP); 
Roles and responsibilities: fulfilled; 
Environment and infrastructure: fulfilled; 
Tested items and approach: fulfilled; 
Traceability matrix: not fulfilled; 
Risk and mitigation strategies: not fulfilled; 
Testing schedule: fulfilled; 
Quality assurance procedures: fulfilled. 

Key NextGen applications: ezClaims; 
Roles and responsibilities: fulfilled; 
Environment and infrastructure: fulfilled; 
Tested items and approach: fulfilled; 
Traceability matrix: not fulfilled; 
Risk and mitigation strategies: not fulfilled; 
Testing schedule: not fulfilled; 
Quality assurance procedures: fulfilled. 

Source: GAO analysis based on agency provided data. 

[End of table] 

* Roles and responsibilities: All of the test plans addressed roles 
and responsibilities for each application. Specifically, they 
identified either individuals or groups of individuals, such as the 
test lead or subject matter experts that were to perform specific 
functions, such as reviewing test results, providing detailed test 
findings, and allocating testing resources. 

* Environment and infrastructure: All of the test plans addressed 
environment and infrastructure. Specifically, they described the types 
of environments, such as a lab or the pilot program environment, as 
well as the hardware, software, and support tools needed for testing. 
Further, test data and personnel were also identified in each plan. 

* Tested Items and approach: Four out of the five test plans 
identified the objects to be tested and described the methods used to 
ensure that each feature of these objects was tested in sufficient 
detail. For example, the FREE test plan included the test scripts, 
test cases, and sample test result log that would be used to test the 
application and record the results. 

* Traceability matrix: None of the test plans listed the specific 
requirements that were being tested or mapped those requirements to 
the corresponding test cases. Rather, the test plans cited a single 
overarching requirement. For example, the SQANet test plan cited the 
requirement that NextGen provide NFIP reporting capabilities. However, 
this requirement was not broken down into subordinate requirements or 
mapped to corresponding test cases. 

* Risk and mitigation strategies: None of the test plans identified 
issues that might adversely affect successful completion of testing. 
Although the TRRP test plan identified assumptions and constraints--
for example that the subject matter experts would be available to 
provide documentation and rationale for identified discrepancies--the 
plan did not identify any assumptions or constraints as risks or 
provide plans for mitigating or avoiding their impacts. 

* Testing schedule: Two of the five test plans (TRRP and F2M) included 
a detailed testing schedule. For example, both test plans cited the 
test name, tasks, timeframes, and durations (estimated number of 
hours). The other test plans referred to the NextGen project 
management plan and the project schedule for a testing schedule. 
However, neither of these project-level documents contained detailed 
information about these test events. 

* Quality assurance procedures: All of the test plans included quality 
assurance procedures. Specifically, the plans described a process, 
including steps, for identifying and documenting issues or defects 
that arise during testing and for making changes to approved 
procedures. For example, the SQANet test plan defined a process for 
identifying and documenting test anomalies that included explaining 
each defect/issue found, capturing screenshots depicting the 
defect/issue, describing the testing environment or special testing 
method used to identify the defect/issue, and reviewing and resolving 
the defect/issue. 

According to the NextGen COTR, risk mitigation strategies were not 
included in the test plans because they had already been addressed in 
a risk list that the contractor developed and maintained, and test 
schedules were not included because they were already in the NextGen 
project management plan. However, the contractor did not effectively 
implement the risk management activities, and as we have seen, the 
NextGen project management plan did not include a schedule that 
detailed specific test activities. The COTR also told us that 
traceability matrices were not included because DHS did not require 
them at the time the test plans were developed and executed. But 
according to industry best practices, traceability matrices are 
essential to helping ensure that the scope of test activities is 
adequate. 

In addition, no user acceptance test plans were developed for the user 
testing that NFIP conducted in 2008. Instead, the program's branch 
chiefs selected eight NFIP subject matter experts to separately and 
individually test the system using system queries (test cases and 
procedures) of their own choosing based on their respective knowledge. 
In doing so, they were also told to compare their respective query 
results with results of similar queries of the legacy system. 
According to the NextGen COTR, user acceptance test plans were not 
developed because the tests performed by the subject matter experts 
were considered to be sufficiently specific and limited, focusing on 
finding the few "glitches" remaining after the initial deployment. As 
a result, user test plans were considered at the time to be 
unnecessary. Without well-defined test plans, however, the 
effectiveness of the testing performed could not be determined. 

Problems Found During User Acceptance Testing Were Not Effectively 
Managed: 

Effective test management includes not only capturing, prioritizing, 
tracking, and resolving any problems identified during testing, but 
also disclosing to stakeholders when and how problems are resolved. 
According to relevant guidance and best practices, this element of 
test management should be governed by a defined process and should 
ensure that those who are responsible for correcting the problems 
understand the full scope of system problems and the status of their 
resolution.[Footnote 62] 

The problems identified during NFIP's user acceptance testing of 
NextGen in 2008 were not governed by a defined and disciplined process 
for capturing, prioritizing, tracking, and resolving these problems. 
Specifically: 

* The NextGen contractor was tasked with maintaining a list of 
problems identified. However, users participating in the testing told 
us they were not required to capture problems using a standard format 
and that the NFIP project office did not centrally merge and transmit 
the problems they identified to the contractor. Instead, these users 
said they separately and individually communicated the problems they 
each found either orally in meetings or via emails. However, NFIP 
officials also told us the NextGen contractor did not attend all of 
these meetings and the issues raised in these meetings were not always 
documented or provided to the contractor. As a result, NFIP and 
contractor officials agreed that the contractor's list of problems 
requiring resolution was incomplete. 

* The NextGen project office did not maintain its own centralized list 
of problems requiring resolution. As a result, the project office did 
not know the universe of problems requiring resolution and could not 
track the status of each problem's resolution. 

* Users participating in the system testing told us they were not told 
whether the problems they had identified were ever resolved or when 
and how resolution of those that were resolved took place. They said 
that this lack of communication regarding the resolution of system 
problems ultimately resulted in their rejection of the NextGen system. 

Because of these weaknesses in how NFIP managed the resolution of 
problems identified during user acceptance testing, the NextGen 
project office was unable to demonstrate to the FEMA Acting Assistant 
Administrator that NextGen met NFIP mission needs and user 
requirements. This inability, in combination with the other 
acquisition management weaknesses, contributed to NextGen's 
cancellation. 

FEMA Could Have More Effectively Managed NextGen Risks: 

According to federal guidance, proactively managing project risks can 
increase the chances of delivering promised system capabilities and 
benefits on time and within budget.[Footnote 63] We have reported that 
effective risk management, among other things, includes defining and 
implementing a process that identifies, analyzes, and mitigates risks 
and periodically examines the status of the identified risks and 
mitigation steps.[Footnote 64] NFIP did not define and implement its 
own risk management process for its NextGen acquisition but instead 
delegated risk management to the NextGen system development 
contractor. NFIP officials said they did not conduct their own risk 
management activities because the NextGen project office was not 
staffed to do so. They said they expected the contractor to manage all 
project risks and believed they did not need to duplicate these 
efforts. 

The contractor did follow a process of identifying and analyzing risks 
and developing plans for implementing them that involved actions on 
the part of both NFIP and the contractor. However, not all of these 
plans were effectively implemented, in some instances because NFIP did 
not take the appropriate action, and in others because the contractor 
did not receive devoted resources to implement the action. 

In total, the contractor's risk management efforts identified 72 risks 
over the life of the project, of which 47 (about 65 percent) remained 
open at the time the project ended. Of these 47 open risks, 36 (about 
77 percent) related to the contractor's inability to gain access to 
NFIP staff or obtain information from NFIP staff or the legacy 
contractor. Specifically, 11 risks, the first of which was identified 
in July 2003, were associated with the lack of participation by NFIP 
subject matter experts in the prototyping and piloting of system 
applications. While FEMA established an executive-level decision group 
in 2006 to address this category of risks, risk related to lack of 
participation by subject matter experts continued to be identified and 
remained open at the time the project was canceled. 

Twenty-five risks were related to a lack of timely delivery of 
information from NFIP to the development contractor. For example, NFIP 
did not provide timely delivery of comments on deliverables and the 
legacy system that NextGen was to replace. According to the 
contractor's risk management documentation, these delays affected the 
development and pilot testing of key applications and thus the entire 
NextGen schedule. However, this documentation also shows that little 
or no action was taken by NFIP to address the risks. 

The NextGen project also faced risks beyond those identified by the 
NextGen contractor. However, some of these risks were never captured 
and mitigated because they were outside the contractor's control. For 
example, documentation shows that NFIP officials were aware that 
representatives from both the NFIP NextGen office and the legacy 
contractor resisted NFIP's earlier attempt to move the NFIP system 
onto a new platform. However, the risk that this resistance posed to 
the new system was not included in the NextGen contractors' risk list, 
and steps to mitigate this risk were not taken. Later in the 
development of NextGen, this ongoing resistance was cited as having 
impaired NFIP's ability to develop the NextGen system. Specifically, 
the DHS Emergency Management IG reported that 14 NFIP staff in key 
positions relative to approving NextGen favored the legacy contractor 
and helped to promote a divisive atmosphere that limited NFIP's 
ability to develop NextGen.[Footnote 65] 

The NextGen Project Office Would Have Benefited from Additional Staff: 

As we have previously reported, having sufficient project office staff 
with the requisite capabilities is essential to effectively managing a 
system acquisition like NextGen.[Footnote 66] Establishing such an 
office requires, among other things, an assessment of the core 
competencies and associated knowledge, skills, and abilities needed to 
perform key project management functions. It also requires an 
understanding of the knowledge, skills, and abilities of those 
assigned to the project, so that any gaps can be identified and a plan 
for filling those gaps can be developed and executed. 

The NextGen project office was not adequately staffed, having only one 
full-time government employee, the COTR, assigned from 2006 to the 
project's cancellation. No project management staff were assigned to 
perform such critical system acquisition management functions as 
developing and managing system requirements, managing system testing, 
and managing risk. Instead, NFIP relied almost exclusively on the 
NextGen contractor to perform these and other project management 
functions. 

According to a FEMA official, the NextGen project office requested 
additional staff in 2006, but the Acting Assistant Administrator for 
Mitigation denied the request because of resource constraints. 
Moreover, the request was for only one part-time person and was not 
based on a project management human capital assessment, which 
generally should include an analysis of needs and existing 
capabilities, the associated gap, and a plan for addressing identified 
gaps. 

NextGen Needed More Effective Executive Oversight: 

As we have previously reported, successfully acquiring IT systems 
requires the oversight and informed decision making of a senior-level 
investment review board.[Footnote 67] Among other things, such a board 
is responsible for selecting among competing IT investments and 
overseeing those investments throughout their respective life cycles 
to help ensure that project cost, schedule, and performance 
commitments are met, benefit expectations are realized, risks are 
minimized, and project managers are held accountable for results. DHS 
has recognized the need for such a system investment oversight body. 
Specifically, DHS established a department-wide investment review 
board in 2003. In November 2008, DHS revised its acquisition review 
process to include updating this board, which became the ARB, as the 
department's highest review body and charging it with reviewing and 
approving all investments with life cycle costs above $300 million. In 
addition, it established working groups and other boards, such as the 
Enterprise Architecture Board and the Program Review Board, to provide 
subject matter expertise to the ARB, and the Joint Requirements 
Council to validate the results of the strategic requirements planning 
process. Further, DHS required each of its component organizations, 
including FEMA, to establish and operate review boards to oversee 
their respective investments.[Footnote 68] 

However, neither FEMA nor DHS provided effective executive-level 
oversight of NextGen. Specifically, no FEMA review board or executive 
office, such as the CIO and Chief Financial Officer (CFO), ever held 
an oversight or milestone-decision review for NextGen. The DHS review 
board's last oversight of NextGen occurred in 2007. At that time, the 
ARB conditionally approved NextGen and delegated future oversight of 
the project to FEMA. However, FEMA did not have a review board in 
place at the time of the ARB's decision, having recently disbanded it 
because the demands of Hurricane Katrina made attendance at board 
meetings a low priority for members. The current FEMA CIO stated that 
OCIO and OCFO had not been more involved in NextGen because FIMA was 
not responsive to their requests for information about the project. 

NFIP's Operating Environment and External Factors Complicate 
Administration of the Program, and FEMA Lacks Authority in Areas 
Critical to Its Long-term Financial Health: 

NFIP's operating environment differs from that of traditional insurers 
and limits FEMA's ability to keep the program financially sound. In 
particular, NFIP assumes and retains all of the risks for the policies 
it sells, is required to accept virtually all applicants for 
insurance, and cannot deny coverage for potentially high-risk 
properties. Moreover, additional external factors continue to 
complicate the administration of NFIP and affect its financial 
stability. These include lapses in NFIP's authorization, the role of 
state and local governments, fluctuations in premium income, and 
structural and organizational changes that have been made. Finally, as 
noted in past GAO reports, NFIP also faces external challenges that 
will continue to threaten the program's long-term financial health if 
they are not addressed. These include statutory requirements that NFIP 
charge subsidized premium rates for many properties, a lack of 
authority to include long-term erosion in the flood maps used to 
determine rates, and limitations on FEMA's ability to take action when 
some owners of repetitive loss properties refuse to mitigate or accept 
FEMA's mitigation offers.[Footnote 69] 

NFIP's Operations Differ from Those of Private Insurers: 

Any discussion of the challenges that FEMA faces in administering NFIP 
must take into account important differences between the government's 
flood insurance program and private insurers. For example, by design 
NFIP does not operate like a private insurer but must instead meet a 
public policy goal--to provide flood insurance in flood-prone areas to 
property owners who otherwise would not be able to obtain it. At the 
same time, it is expected to cover its claims losses and operating 
expenses with the premiums it collects, much like private insurers. In 
years when flooding has not been catastrophic, NFIP has generally 
managed to meet these competing goals. But in years of catastrophic 
flooding, such as 2005, it has not. During those years, it has 
exercised its authority to borrow from Treasury to pay claims and, as 
of April 2011, NFIP owed approximately $17.8 billion to Treasury, 
mostly for the 2005 hurricane season. NFIP will likely not be able to 
meet its interest payments in all years, causing the debt to grow in 
certain years as FEMA may need to borrow to meet the interest payments 
in some years and potential future flood losses in others. This 
arrangement results in much of the financial risk of flooding being 
transferred to the U.S. Treasury and ultimately the taxpayer. 

Further, NFIP is also required to accept virtually all applications 
for insurance and cannot deny coverage or increase premium rates based 
on the frequency of losses. Private insurers, on the other hand, may 
reject applicants or increase rates if they believe the risk of loss 
is too high. As a result, NFIP is less able to offset the effects of 
adverse selection--the phenomenon that those who are most likely to 
purchase insurance are also the most likely to experience losses. 
Adverse selection may also lead to a concentration of policyholders in 
the riskiest areas. This problem is further compounded by the fact 
that those at greatest risk are required to purchase insurance from 
NFIP if they have a mortgage from a federally regulated or insured 
lender. 

Finally, by law, FEMA is prevented from raising rates on each flood 
zone by more than 10 percent each year. While most states regulate 
premium prices for private insurance companies for other lines of 
insurance, they generally do not set limits on premium rate increases, 
instead focusing on whether the projected losses and expenses justify 
them. 

A Variety of External Factors Complicate FEMA's Administration of NFIP: 

As previously reported, FEMA also faces a number of external factors 
that are not necessarily within its control but that also must be 
considered when discussing the administration of the program. First, 
FEMA relies on private insurers to sell and service policies and 
adjust claims under the Write-Your-Own (WYO) Program, but multiple 
lapses in program authorization in recent years have strained NFIP's 
relationship with WYO insurers. In particular, NFIP's legal 
authorization has lapsed multiple times since it expired in 2008, 
leaving FEMA and WYO insurers unable to renew policies that expired 
during these lapses. Recent reauthorizations of the program have been 
for periods of time as short as 5 days. FIMA officials said these 
lapses in reauthorization created a significant burden for WYO 
insurers. For example, the insurers were forced to reallocate 
resources to communicate with agents and customers about how program 
lapses would affect them. In part for this reason, the largest WYO 
insurer left the program, and NFIP is transitioning the 840,000 
policies that the insurer had been selling and servicing to NFIP's 
Direct Servicing Agent.[Footnote 70] 

Second, like some other federal programs, FEMA relies on state and 
local governments and communities to implement parts of the program, 
which can limit the effectiveness of some of FEMA's efforts. For 
example, communities enforce building codes and other floodplain 
management regulations in an effort to reduce the flood risk that 
insured structures face, but some communities may not have sufficient 
resources to enforce existing regulations. FEMA also relies on 
communities to administer grant funds that are intended to mitigate 
high-risk properties.[Footnote 71] However certain types of 
mitigation, such as relocation or demolition, might be met with 
resistance by communities that rely on those properties for tax 
revenues, such as coastal communities with significant development in 
areas prone to flooding. Finally, communities and individuals have 
sometimes mounted challenges to and resisted flood map revisions that 
place homes in higher-risk flood zones and would thus raise premium 
rates. 

Third, the financial resources that NFIP uses to fund much of its 
operations have fluctuated in recent years. NFIP divides the premiums 
paid by policyholders into "mandatory" and "discretionary" dollars. 
Most premium dollars are considered mandatory and are used to pay 
flood claims and other budget items such as WYO fees and advertising. 
The remaining premium dollars are allocated to discretionary uses and 
are used to fund NFIP operations.[Footnote 72] FIMA staff have noted 
that lower-than-expected policy fee income in recent years has forced 
them to cut back on certain functions, including contract and WYO 
oversight, field office management, and community outreach. For 
example, FEMA officials said that in 2009 FEMA based NFIP's budget on 
expectations that the program would collect $156 million in policy 
fees, $107 million of which the President's budget required to be 
spent on mapping. By the end of the fiscal year, NFIP had collected 
only $144 million in policy fees, leaving NFIP with only $37 million, 
instead of the expected $49 million, to pay salaries and other 
operating expenses. NFIP received approval from Congress to redirect 
$4.9 million in mandatory funds from the advertising budget into the 
discretionary budget to pay for these expenses, and it compensated for 
the remaining $7.1 million shortfall with spending cuts, largely from 
staff attrition and a hiring freeze. 

Finally, both FEMA and FIMA have faced many significant changes to 
their organizational structures and responsibilities since 2001, 
creating challenges in implementing consistent and effective business 
processes. FEMA underwent several organizational changes in 2001 and 
2002, but the most significant change occurred in 2003, when FEMA 
transitioned from an independent agency to a component of the newly 
created DHS. At that time, FEMA became part of DHS's Emergency 
Preparedness and Response Directorate, and some of its functions were 
moved to other organizations within DHS. In addition, functions that 
had formerly been part of other agencies were incorporated into the 
new Emergency Preparedness and Response organization. From 2003 
through 2005, over $1.3 billion in new or significantly expanded 
programs came into FEMA, while programs with funding of nearly $1.5 
billion were transferred out. Although these changes nearly balance in 
dollar terms and the number of employees remained the same, they 
created considerable disruption to FEMA's operations and uncertainty 
about the availability of resources. After the 2005 hurricanes and the 
widespread perception that FEMA had failed to effectively meet its 
mission, the agency faced changes that created further uncertainty and 
affected employee morale. In 2007, PKEMRA expanded FEMA's mission by 
integrating preparedness with protection, recovery, response, and 
mitigation to address all hazards. FEMA was reorganized again in 2009 
at the direction of a new FEMA Administrator. At the same time, FIMA 
has also faced considerable organizational changes--both through the 
overall FEMA reorganizations and additional reorganizations that 
occurred with successive FIMA administrators, most significantly in 
2006.[Footnote 73] Policies and processes are often specific to the 
organizational and oversight structures that are in place when they 
are created, and when those structures change, the policies and 
processes may no longer be relevant or complete. 

FEMA Lacks Authority in Areas Critical to Its Long-term Financial 
Health: 

FEMA Lacks Authority to Charge Full-Risk Rates on Many Properties and 
Is under Pressure to Allow Grandfathered Rates on Others: 

As we have pointed out in previous reports, FEMA is required by law to 
charge many policyholders less than full-risk rates, otherwise known 
as subsidized rates.[Footnote 74] These rates are intended to 
encourage property owners to purchase flood insurance, and today 
nearly one out of four NFIP policies are based on a subsidized rate. 
These rates allow policyholders with structures that were built before 
floodplain management regulations were established in their 
communities to pay premiums that represent about 40 percent to 45 
percent of the actual risk premium. Moreover, FEMA estimates that 
properties covered by policies with subsidized rates experience as 
much as five times more flood damage than compliant new structures 
that are charged full-risk rates. One difficulty in analyzing the 
effect of subsidized premium rates is that, while they affect the 
overall financial stability of NFIP and can potentially increase 
borrowing from the Treasury, the subsidy is not recognized in FEMA's 
budget. As we have reported in the past, the cost of federal insurance 
programs is often not accurately reflected in agencies' budgets. 
[Footnote 75] As a result, Congress may not have adequate information 
about the potential claims on the federal budget when it establishes 
or reviews federal insurance programs. This lack of information may be 
especially problematic in the case of NFIP because of the continued 
growth in the subsidy. As we have pointed out, the number of policies 
receiving subsidized rates has grown steadily in recent years, and 
without changes to the program, will likely continue to grow, 
increasing the potential for future NFIP operating deficits.[Footnote 
76] 

In addition, NFIP may "grandfather" properties when new flood maps 
place them in higher-risk zones. Unlike private insurers that charge 
risk-based rates, FEMA made a policy decision to allow certain 
properties remapped into riskier flood zones to keep their previous 
lower rates. While FEMA is not statutorily required to grandfather 
these policies, FEMA officials told us that they made the decision 
because of resistance to rate increases and based on considerations of 
equity, ease of administration, and goals of promoting floodplain 
management. However, homeowners who are remapped into high-risk areas 
and do not currently have flood insurance may be required to purchase 
it at the full-risk rate. Further, FEMA recently introduced a new 
rating option called the Preferred Risk Policy (PRP) Eligibility 
Extension that is, in effect, a temporary grandfathering of premium 
rates.[Footnote 77] While PRPs traditionally would have to be 
converted to more expensive standard-rated policies when they were 
renewed, FEMA extended PRP eligibility to 2 years after a new flood 
map's effective date or January 1, 2011, whichever is later. FEMA made 
the decision to offer these lower rates in response to significant 
community resistance to remapping and the resulting increased rates as 
well as concern expressed by Congress. As we have reported, to the 
extent that NFIP charges less than full-risk rates on many properties, 
it adds to the risk that the program will need to borrow from Treasury 
to pay claims. 

FEMA Is Not Authorized to Account for Long-term Erosion in Developing 
Flood Maps: 

While FEMA is in the process of updating the flood maps used to set 
premium rates for NFIP, it is not authorized to account for long-term 
erosion in developing these maps.[Footnote 78] The purpose of these 
maps is to accurately estimate the likelihood of flooding in specific 
areas given certain characteristics including elevation and 
topography. Despite these modernization efforts, some maps can quickly 
become inaccurate because of changes from long-term erosion, 
particularly in coastal areas. However, FEMA is not authorized to map 
for these changes--that is, it is not allowed to take into account 
situations in which long-term erosion might increase the risk of 
flooding in certain areas. Not accurately reflecting the actual risk 
of flooding increases the likelihood that even full-risk premiums will 
not cover future losses and adds to concerns about NFIP's financial 
stability. 

FEMA Is Limited in Its Ability to Encourage Property Owners to 
Undertake Mitigation Efforts: 

In reforming NFIP in 2004, Congress noted that repetitive loss 
properties--generally, those that FEMA defines as having had two or 
more flood insurance claims payments of $1,000 or more over 10 years-- 
constituted a significant drain on NFIP resources.[Footnote 79] While 
Congress has made efforts to address this issue through mitigation 
activities, repetitive loss properties continue to be a drain on NFIP. 
Many of these properties are part of the subsidized property 
inventory, and thus receive subsidized rates, further contributing to 
NFIP's financial instability. This situation exposes the federal 
government and ultimately taxpayers to greater risks and is not 
consistent with several of the public policy goals (e.g., limiting 
exposure to the federal government and the taxpayer) that we have 
previously identified for disaster programs.[Footnote 80] As 
previously reported, FEMA will offer premium discounts for efforts to 
mitigate high-risk structures including raising the elevation of, 
relocating, or demolishing a property, but these efforts are for the 
most part voluntary.[Footnote 81] FEMA does have some authority to 
raise premium rates for property owners who refuse mitigation offers 
made by local authorities, such as an offer to elevate the property, 
in connection with the severe repetitive loss pilot program. 
Specifically, if a property owner refuses a mitigation offer, FEMA can 
increase premiums to up to 150 percent of their current amount and by 
a similar amount later on if the property owner is paid a claim of 
greater than $1,500. However, FEMA is prohibited from charging more 
than the current full rate and as a result cannot increase premiums on 
property owners are paying the full rate but who refuse a mitigation 
offer. In addition, FEMA is not allowed to discontinue coverage for 
those who refuse mitigation offers. As a result, FEMA has some 
limitations on its ability to compel owners of properties with 
repetitive losses to undertake flood mitigation efforts. Further, 
while Congress has made efforts to reduce the number of repetitive 
loss properties, their number has grown, making them an ongoing 
challenge to NFIP's financial stability. Specifically, these 
properties account for about 1 percent of all policies but are 
estimated to account for up to 30 percent of all NFIP losses. Unless 
FEMA is able to effectively encourage owners of severe repetitive loss 
properties to undertake mitigation efforts, the potential losses 
associated with such properties continues to threaten the financial 
stability of the NFIP. 

Recognizing that NFIP faces a variety of structural challenges that 
need to be reformed, FIMA began a three-phase effort to develop 
recommendations to reform the program by addressing some of the 
program's external challenges. The process began with a listening 
session in November 2009 to capture concerns and recommendations from 
about 200 stakeholder participants and to better understand the need 
for NFIP reform. The second phase included adopting a policy analysis 
framework, analyzing existing stakeholder input, developing and 
agreeing on guiding principles to direct the NFIP reform effort, and 
creating evaluation criteria to be used in scoring each of the 
proposed policy alternatives. The final phase, which began in June 
2010 and includes evaluating the policy alternatives, will result in a 
reform proposal package that FIMA will submit to FEMA leadership. To 
inform this phase, FIMA conducted two additional stakeholder meetings 
in December 2010. This process may provide some helpful ideas to 
address some of the major challenges facing FEMA in its administration 
of NFIP. But as we have noted in earlier reports, comprehensive 
legislative reform will be needed to stabilize its financial condition. 

Conclusions: 

While FEMA has begun to take steps to address its issues, it faces 
significant management challenges in areas that affect NFIP, including 
strategic planning, human capital planning, collaboration among 
offices, records management, financial management, acquisition 
management, and business processes. Effectively addressing these 
challenges would require program improvements at all levels within 
FIMA, FEMA, and DHS and would not only help improve the administration 
of NFIP but also help to more effectively deal with financial and 
operational challenges that NFIP faces--challenges over which FEMA 
often has limited direct control. While FEMA has not yet addressed 
many of these issues, in part because of the demands of its key 
mission of responding to emergencies, it is beginning to take certain 
steps to address its challenges. While some efforts are under way, 
FEMA has much work ahead of it in beginning to plan and execute the 
day-to-day activities necessary to effectively manage both the agency 
and NFIP and to ensure effective collaboration between program and 
support offices. As we have seen, for example: 

* FEMA has not provided FIMA with strategic direction and guidance for 
administering NFIP, and FIMA has not developed a comprehensive 
strategy with goals and objectives for the program. GPRA states that 
strategic plans should include such guidance and strategies for major 
programs like NFIP. Without this direction, NFIP lacks a strategic 
focus, and the agency is limited in its ability to develop effective 
performance measures to measure NFIP's progress. Without a robust set 
of performance measures and an established process for management to 
regularly review them, the agency cannot monitor and hold accountable 
management and staff involved in the program. 

* FEMA lacks a strategic human capital plan (as required by PKEMRA) 
that addresses the critical competencies required for its workforce. 
Such a plan is critical for FEMA because of its heavy reliance on 
contractors. Without such a plan, FEMA is limited in its ability to 
assess its staffing and workforce needs, manage turnover, fill 
vacancies, and oversee its contractor workforce. 

* FEMA lacks a plan to ensure that agency operations are maintained 
when federal disasters are declared and staff are deployed to respond. 
Without such a plan, FEMA faces the risk that some critical day-to-day 
functions may not be performed while staff are deployed, limiting the 
agency's ability to provide the necessary support for disaster relief 
missions. 

* FIMA relies on Mission Support for a variety of mission-critical 
functions, including IT, acquisition, and financial management, but 
FIMA and Mission Support have faced challenges in collaborating with 
one another. For example, FIMA and OCFO have had limited communication 
regarding FIMA's budget formulation needs. Without better 
collaboration and communication between FIMA and Mission Support's 
various offices, FEMA will be unable to fully ensure that NFIP's IT, 
acquisition, and financial and budgetary needs are being met. 

Further, FEMA still lacks comprehensive systems, policies, and 
processes that would help ensure sound records, financial, and 
acquisition management as they relate to NFIP. In particular: 

* FEMA has no centralized electronic document management system that 
would allow its various offices to easily access and store documents. 
As a result, the offices have faced problems with lost or destroyed 
documents, decreased productivity, and duplicated effort. While there 
is broad consensus for the need for a centralized electronic document 
management system, FEMA is currently awaiting an overall DHS decision 
on a system to be used for this process. However, until such a system 
is provided, FEMA will continue to face document management challenges 
that impede program effectiveness. 

* In previous audits, KPMG found weaknesses within FEMA's management 
of unliquidated obligations. The agency has issued an interim 
directive for addressing the issue, but FIMA staff said they did not 
know the amount of these obligations and the extent to which they have 
been inactive. Until FEMA reviews FIMA's unliquidated obligations, 
FIMA may be foregoing funds that could otherwise be returned and used 
for other program needs. 

* Recognizing a number of weaknesses in its oversight and management 
of acquisitions, FEMA has taken steps to improve these functions, 
including drafting an acquisition directive and a handbook explaining 
how to implement it. However, most of these actions have either been 
recently implemented or are still under development. While they are 
the kinds of steps that need to be taken, the extent to which they 
will ensure effective oversight of FEMA's acquisition activities 
remains to be seen. 

* FEMA Mission Support staff told us that in early 2009 they began a 
business process improvement effort that involved mapping current 
processes, analyzing them, and determining how they could be improved. 
Until this mapping process is complete and related internal control 
processes are developed, a high risk exists that certain functions 
will be inconsistently or incompletely carried out. 

In addition, FEMA has spent about 7 years and $40 million in its 
latest attempt to modernize NFIP's insurance policy and claims 
management system. FEMA ultimately canceled the effort in November 
2009 because it failed to meet user expectations, forcing the agency 
to continue relying on an outdated system that is neither effective 
nor efficient. Any further attempts to modernize the program's 
existing system must recognize the root causes of NextGen's failure, 
which include: 

* FEMA's and DHS's failure to provide sufficient oversight of the 
project and to allow these acquisition weaknesses to go unchecked for 
years. Without sufficient management oversight, FEMA will be limited 
in its ability to ensure that future modernization attempts are 
completed efficiently and effectively. 

* Weaknesses in several key system acquisition areas that led to 
NextGen's cancellation, including poorly defined and managed 
requirements, poorly planned and executed system testing, 
insufficiently mitigated program risks, and an inadequately staffed 
program office. Unless FEMA learns from these mistakes, future 
modernization attempts could face the same fate. 

In addition to management challenges, FEMA still faces challenges 
related to its financial operations and rate structure. The hurricanes 
of 2005 required a massive response from FEMA as it worked to help 
thousands of individuals recover from sometimes devastating damage to 
their property. The scope of the damages and total claims paid, which 
were unparalleled in NFIP's history, highlighted challenges with the 
program's financial structure. These challenges, along with the debt 
incurred by NFIP as a result of the 2005 hurricanes, remain today. 

As we have indicated in previous reports, FEMA can take some actions 
to improve NFIP's financial stability, such as ensuring that NFIP's 
full-risk premium rates accurately reflect the risk of loss and 
ensuring that WYO insurers justify and document their claims for 
payment. However, fully addressing other challenges to the long-term 
financial stability of the program will require congressional action. 
For example, as we have pointed out, congressional action to allow 
NFIP to charge full-risk premium rates to all property owners would 
decrease the potential for future NFIP operating losses. Authorizing 
the inclusion of long-term erosion in future rate maps and providing 
FEMA with the authority to require owners of repetitive loss 
properties to mitigate or impose penalties for not doing so would also 
reduce the risks of future NFIP losses. We recognize that these 
potential changes involve tradeoffs. Increasing premium rates and 
requiring homeowners to mitigate flood-prone properties could, for 
example, reduce participation and create hardship for some property 
owners. Nevertheless, until these and related issues are resolved, the 
program will continue to present a significant financial risk to the 
government and taxpayers. 

Recommendations for Executive Action: 

To improve strategic planning, performance management, and program 
oversight within and related to NFIP, we recommend that the Secretary 
of DHS direct the FEMA Administrator to take the following four 
actions: 

* Provide strategic direction and guidance to the process for 
developing a comprehensive strategy for FIMA operations; establish a 
firm timeframe for and complete the development of this strategy; and 
take steps to ensure that this strategy has appropriate performance 
goals and measures to track NFIP's progress. 

* Develop a comprehensive workforce plan according to PKEMRA that 
identifies agency staffing and skills requirements, addresses turnover 
and staff vacancies, and analyzes FEMA's use of contractors. 

* Direct the FEMA Administrator to develop guidance for continuing 
operations when staff are deployed to respond to federal disasters and 
direct FIMA Acting Assistant Administrator to develop such a plan. 

* Direct the FIMA Acting Assistant Administrator and the FEMA Mission 
Support Associate Administrator to develop protocols to encourage and 
monitor collaboration between FIMA and relevant support offices, 
including those for information technology, acquisition management, 
and financial management. 

To improve FEMA's policies, procedures, and systems for achieving 
NFIP's program goals, we recommend that the Secretary of DHS direct 
the FEMA Administrator to take the following four actions: 

* While waiting for DHS to implement an agencywide electronic document 
management system, consider the costs and benefits of implementing an 
interim system for FEMA and updating its document management policies 
and procedures. 

* Ensure that FEMA regularly reviews unliquidated obligations within 
NFIP-related funds. 

* Establish timelines for and complete the development and 
implementation of FEMA's revised acquisition process, in line with the 
DHS Acquisition Directive 102-01, including a rollout process with 
staff training and a mechanism to better ensure that all acquisitions 
undergo the necessary reviews. 

* Ensure that FEMA Mission Support's business process improvement 
efforts are expeditiously completed. 

To improve the usefulness and reliability of NFIP's flood insurance 
policy and claims processing system, we recommend that the Secretary 
of DHS take the following two actions: 

* Direct the DHS Deputy Secretary, as the Chair of DHS's ARB, to 
provide regular oversight of FEMA's next attempt to modernize this 
system. 

* Direct the FEMA Administrator to ensure that FEMA's CIO applies 
lessons learned from the NextGen experience to the next modernization 
attempt. At a minimum, this effort should ensure that (1) all levels 
of system requirements are complete and clear and that key 
stakeholders are adequately involved in requirements development and 
management, (2) key test events are effectively planned and executed 
and problems identified during testing effectively managed, (3) 
project risks are proactively identified and mitigated, and (4) 
project office staffing needs are properly assessed and met. 

Matters for Congressional Consideration: 

As Congress considers NFIP reforms and reauthorization, it should 
consider ways to better ensure the long-term financial stability of 
the program, such as 1) allowing NFIP to charge full-risk premium 
rates to all property owners and providing assistance to some 
categories of owners to pay those premiums; 2) authorizing NFIP to 
account for long-term flood erosion in its flood maps; and 3) 
clarifying and expanding FEMA's ability to increase premiums or 
discontinue coverage for owners of repetitive loss properties who do 
not mitigate their properties or refuse FEMA's mitigation offers. 

Agency Comments and Our Evaluation: 

We provided the Secretary of Homeland Security with a draft of this 
report for review and comment. DHS provided written comments that we 
summarize below. DHS's letter is reproduced in Appendix II. FEMA also 
provided us with technical comments, which we have incorporated as 
appropriate. 

DHS concurred with all of our 10 recommendations and identified 
actions taken or plans made to implement them. Specifically, DHS 
agreed with our recommendations to: 

* Provide strategic direction and guidance to the process for 
developing a comprehensive strategy for FIMA operations; establish a 
firm timeframe for and complete the development of this strategy; and 
take steps to ensure that this strategy has appropriate performance 
goals and measures to track NFIP's progress. DHS stated that FEMA had 
recently released its strategic plan for fiscal years 2011-2014 and 
had begun requiring its directorates and offices to submit annual 
operating plans with goals, measures to track the goals, and links to 
FEMA's plan. However, until such a plan and accompanying performance 
measures are complete and fully implemented, whether such a plan will 
provide the necessary strategic framework for managing NFIP remains to 
be seen. 

* Develop a comprehensive workforce plan according to PKEMRA. DHS 
noted that FEMA had obtained a contractor to conduct a workforce 
assessment and had completed Phase I of the process. However, when the 
entire workforce plan will be completed given the challenges FEMA 
faces in identifying the number and categories of FEMA staff positions 
and contractors as cited in the Phase I study is unclear.[Footnote 82] 
In addition, as we cited in the report, the Strategic Human Capital 
Plan that FEMA developed in response to PKEMRA did not fulfill the 
requirements of the mandate. These requirements include: 

- specific goals and objectives for recruiting and retaining 
employees, such as recruitment and retention bonuses; 

- specific strategies and program objectives to develop, train, 
deploy, compensate, motivate, and retain employees; 

- specific strategies for recruiting staff with experience serving in 
multiple state agencies responsible for emergency management; and: 

- specific strategies to develop, train, and rapidly deploy a Surge 
Capacity Force. 

* Develop a plan for continuing NFIP operations when staff are 
deployed to respond to federal disasters. DHS stated that it agreed to 
provide guidance to FEMA and its components for developing such a 
plan, however it does not identify time frames for providing such 
guidance. 

* Develop protocols for collaboration between program and support 
offices. DHS noted that Mission Support had begun some such efforts, 
including holding listening sessions and responding to problems that 
surface. 

* Consider the costs and benefits of implementing an interim 
electronic records management system while awaiting an overall DHS 
system and update its document management policies and procedures to 
ensure records are being adequately managed. DHS indicated that they 
have been providing interim policies and guidance to program offices; 
however, the policies and procedures they provided us during our 
review had not been updated. 

* Have FEMA regularly review unliquidated obligations within NFIP- 
related funds. DHS stated that FEMA had published an interim directive 
in 2009 that applied to open FEMA obligations including those within 
FIMA. While this directive provides useful criteria, our 
recommendation is that FEMA follow this guidance and better ensure 
that regular reviews are completed. 

* Establish timelines for and complete the development of FEMA's 
revised acquisition process. DHS listed a number of ongoing efforts in 
this area including training, certification, and recruitment, among 
others. While we are encouraged by the steps taken, establishing 
timelines and completing these efforts are critical to establishing a 
well functioning contract and acquisition management program. 

* Ensure that Mission Support's business process reengineering plans 
are expeditiously completed. DHS stated that Mission Support had begun 
the process of incorporating lessons learned into its day-to-day 
operations. However, we recommend that the plans be fully and 
expeditiously implemented, given their importance to helping FEMA's 
improve its overall procedures. 

Finally, DHS concurred with our last two recommendations for improving 
NFIP's flood insurance policy and claims processing system. 
Specifically, DHS stated it was preparing to elevate NFIP's status and 
ensure that the program was designated for regular oversight by DHS's 
ARB. DHS restated its commitment to ensuring that FEMA applies lessons 
learned from the NextGen experience to its efforts to replace its 
current system. 

We are providing copies to the Chairman and Ranking Member, Senate 
Committee on Banking, Housing and Urban Affairs, the Chairman and 
Ranking Member, House Committee on Financial Services, and other 
interested committees. We are also sending a copy of this report to 
the Secretary of Homeland Security and other interested parties. In 
addition, the report will available at no charge on our Web site at 
[hyperlink, http://www.gao.gov]. 

If you or your staff have any questions regarding this report, please 
contact me at (202) 512-8678 or williamso@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. GAO staff who made major 
contributions to this report are listed in appendix III. 

Signed by: 

Orice Williams Brown: 
Managing Director, Financial Markets and Community Investment: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

Significant management challenges affect the Federal Emergency 
Management Agency's (FEMA) ability to administer the National Flood 
Insurance Program (NFIP). GAO undertook this current review to 
identify root causes of these deficiencies and to clarify how to 
address them. Our objectives were to (1) analyze the extent to which 
FEMA's key management practices--including strategic planning, human 
capital planning, records management, financial management, 
acquisition management, and intra-agency collaboration--affect the 
agency's ability to administer NFIP; (2) identify lessons to be 
learned from the Next Generation Flood Insurance Management System 
(NextGen) program's cancellation, including to what extent key 
acquisition management processes were followed on NextGen; and (3) 
describe factors that are relevant to NFIP operations and analyze 
limitations on FEMA's authority that could affect its financial 
stability. 

To determine the extent to which FEMA's management practices affected 
its ability to meet its program goals as well as congressional goals 
for NFIP, we collected available data from FEMA and conducted over 80 
interviews with representatives from FEMA's Federal Insurance and 
Mitigation Administration (FIMA), Office of Policy and Programs 
Analysis (OPPA), and the Mission Support Bureau's offices for 
administration, finance, human capital, information, and procurement. 
We also interviewed representatives of the Department of Homeland 
Security's (DHS) Office of the Inspector General (OIG), the National 
Association of Public Administration (NAPA), and KPMG LLP. In 
addition, we analyzed FEMA planning documents, policies, directives, 
materials, and data related to key aspects of program management: 
strategic planning, human capital planning, records management, 
acquisition management, and financial management. Due to the nature of 
the audit work in these areas, we conducted a data reliability 
assessment in the areas of human capital and financial management. 
Both were found to be sufficiently reliable for the purposes of our 
report. Further, we reviewed relevant legislation, internal control 
standards, best practices, and external studies of FEMA's management 
challenges. More specifically: 

* Strategic planning: To assess FEMA's strategic plans and performance 
measures, we obtained and analyzed materials and documents including 
FEMA's 2008 strategic plan and FIMA performance measures. We assessed 
these documents against our past reports on the Government Performance 
and Results Act of 1993 (GPRA) and the Standards for Internal Controls 
in the Federal Government.[Footnote 83] To further understand the 
strategic planning process and assessment of performance measures, we 
met with key FIMA and OPPA officials to discuss FEMA's and FIMA's past 
and future strategic planning efforts. 

* Human capital: To assess FEMA's workforce planning efforts, we 
reviewed the 2008-2012 Strategic Human Capital Plan and compared it 
with the requirements in the Post-Katrina Emergency Management Reform 
Act of 2006. We also evaluated FEMA's efforts based on guidelines on 
workforce planning from the National Aeronautics and Space 
Administration, our past reports on key principles for workforce 
planning, and written responses provided by FEMA's human capital 
office to questions we submitted. In addition, we analyzed the 
Consolidated Appropriations Act of 2010 to assess its contractor 
tracking requirements for December 2010. To determine turnover in key 
positions, we interviewed key FEMA staff regarding turnover in their 
departments and obtained and analyzed attrition data from the human 
capital office. To assess challenges in hiring, we reviewed 
documentation and interviewed human capital and other FEMA staff. In 
order to understand the information technology (IT) issues that the 
human capital office faces, we interviewed key human capital staff and 
analyzed reports and documents by the DHS OIG and NAPA. We also 
reviewed standards for continuity of operations plans and past GAO 
reports on business continuity plans. 

* Collaboration: To assess FEMA's efforts to encourage coordination 
between FIMA and the Mission Support offices, we compared the 
practices of these two offices to key practices that we identified in 
previous work for enhancing and sustaining a collaborative 
relationship among federal agencies.[Footnote 84] 

* Records management: To assess FEMA's records management efforts, we 
reviewed the National Archives and Records Administration standards, 
the Federal Records Act, the Paperwork Reduction Act, and the 
Standards for Internal Controls in the Federal Government. We reviewed 
FEMA and FIMA records management procedural documents, training 
materials, FEMA's previous records management policy, DHS's records 
management policy, and DHS OIG reports. We met with the Office of the 
Chief Administrative Officer, staff from the Records Management 
Division, and other relevant FEMA staff to further understand records 
management efforts. 

* Financial management: To assess FEMA's financial management 
processes for NFIP, we reviewed policy documents, training materials, 
reference materials, spreadsheets used in budget formulation, data 
information on past audits, and data on unliquidated obligations and 
compared them to findings in past KPMG LLC audits, DHS OIG reports, 
and our past reports on FEMA's financial management. We interviewed 
relevant staff from FIMA's and FEMA's financial offices to further 
understand financial management processes and efforts. 

* Acquisition: In order to assess FEMA's acquisition efforts, we 
obtained and analyzed FEMA's guidance for acquisition management and 
contractor oversight and compared them to the Federal Acquisition 
Regulation and to findings in the DHS OIG reports and our previous 
reports related to FEMA's acquisition efforts. We interviewed FEMA's 
Chief Procurement Officer and other relevant FEMA staff to assess 
acquisition efforts. We also attended contractor oversight meetings to 
better understand day-to-day contractor oversight activities. 

In addition, we worked at a FEMA audit site in its Arlington, 
Virginia, offices from January to April 2010. During that time, we 
held meetings with FIMA staff, obtained relevant documents, and 
attended day-to-day operational and contractor oversight review 
sessions. In order to gather additional information about NFIP reform 
efforts, we attended the NFIP Listening Session in November 2009 and 
the NFIP Reform Public Meeting in December 2010, both of which were 
held in Washington, D.C. 

To determine the extent to which the NextGen program's acquisition was 
effectively managed and overseen, we focused on the following 
acquisition management areas: (1) requirements development and 
management, (2) test management, (3) risk management, (4) human 
capital planning, and (5) program oversight. In doing so, we analyzed 
a range of program documentation, such as requirements documentation, 
test plans and reports, risk documentation, program management plan, 
and related documentation, and interviewed relevant program and 
contractor officials. 

* To determine the extent to which the program had effectively 
implemented requirements development and management, we reviewed 
relevant program documentation, such as the concept of operations 
document, NFIP operational manuals, requirements and design documents 
on NextGen applications, joint working group recommendation reports, 
change request forms, and the program management plan, and evaluated 
them against relevant guidance. Moreover, we reviewed briefing slides 
and meeting minutes from the NextGen Executive Decision Group. In 
addition, we interviewed program and development contractor officials 
to discuss the requirements development and management process. 

* To determine the extent to which the program effectively implemented 
test management activities we reviewed test plans for functional, 
regression, and usability testing and NextGen application summary test 
reports and compared them with best practices to determine whether 
test activities had been adequately documented and implemented. In 
addition, we interviewed program and contractor officials to discuss 
the test management process. 

* To determine the extent to which NextGen risks were effectively 
managed, we reviewed the most current NextGen risk management plan, 
risk lists, and monthly program status report. We also interviewed 
program and development contractor officials to discuss the risk 
management process. 

* To evaluate whether FEMA was adequately providing for the NextGen 
program office's human capital needs, we compared the program's 
efforts against relevant guidance. We also interviewed key officials 
to discuss workforce analysis and human capital planning efforts. 

* To determine the level of oversight given over NextGen we reviewed 
DHS's acquisition directive and guidebook and met with officials 
responsible for NextGen executive-level oversight to determine if 
oversight was effectively provided. 

To identify external factors that affected NFIP's ability to carry out 
its mission, we reviewed previous GAO reports that analyzed various 
aspects of NFIP's policies, practices, and organizational structure, 
identifying factors that affected NFIP's operations but over which 
NFIP did not have control. For example, we reviewed our reports on the 
oversight of the Write-Your-Own program, the financial impact of 
subsidized premium rates, and the rate-setting process for flood 
insurance premiums. To determine whether and to what extent the 
factors identified in these reports were still affecting NFIP's 
operations and to identify any additional factors, we interviewed FEMA 
representatives and reviewed relevant testimony of officials from FEMA 
and several interested associations before Congress. 

We conducted this performance audit from July 2009 to June 2011 in 
accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe 
that the evidence obtained provides a reasonable basis for our 
findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

May 6, 2011: 

Orice Williams Brown: 
Managing Director: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Re: Draft Report GA0-11-297, "FEMA: Action Needed to Improve 
Administration of the National Flood Insurance Program" 

Dear Ms. Brown: 

Thank you for the opportunity to review and comment on this draft 
report. The U.S. Department of Homeland Security (DHS) and the Federal 
Emergency Management Agency (FEMA) appreciate the U.S. Government 
Accountability Office's (GAO's) work in planning and conducting its 
review and issuing this report. 

GAO has conducted more than 20 audits of the National Flood Insurance 
Program (NFIP) in recent years. These audits have focused on the 
actuarial soundness of the program, as well as FEMA's management of 
the insurance business operations. FEMA is currently working with
GAO to resolve open recommendations from previous reports and has 
undertaken a process to develop a set of reform proposals that will 
help resolve actuarial issues in the program. FEMA has also identified 
many of the same issues as GAO in the findings of this report and has 
implemented actions already underway that will address some of the 
recommendations made in this report. 

The report contained six recommendations. As discussed below, DHS 
concurs with all the recommendations. Specifically, to improve 
strategic planning, performance management, and program oversight 
within and related to NFIP, GAO recommended that the Secretary of DHS 
direct the FEMA Administrator to: 

Recommendation #1: Provide strategic direction and guidance to the 
process for developing a comprehensive strategy for FIMA operations; 
establish a firm timeframe for and complete the development of this 
strategy; and take steps to ensure that this strategy has appropriate 
performance goals and measures to track NFIP's progress. 

Response: Concur in principle. DHS believes it already has underway 
activities that will address the issues identified. FEMA has recently 
released its new Strategic Plan for FYs 2011—2014 that clearly lays 
out the Administrator's four strategic initiatives for the Agency to 
accomplish over the next 3 years. NFIP and the objectives for the 
program align with Initiative 1: Foster a Whole Community Approach to 
Emergency Management Nationally. FEMA's strategic plan comports with 
the spirit of the Government Performance and Results Act Modernization 
Act of 2010. "Initiative" describes what the Act refers to as "Goals," 
but the essential elements are there — goals, objectives, and desired 
outcomes. 

Further, FEMA has been working since last summer in support of FEMA's 
Strategic Plan 2011-2014, and consistent with the Agency's capstone 
doctrine, FEMA Publication 1 (Pub 1), to develop FEMA's Strategic Plan 
for Mitigation and Insurance, FY2012-2014. The development of this 
plan to-date has been a very collaborative process. The Plan will 
provide a strategic framework to enhance the way FEMA carries out its 
mitigation and insurance mission. It will act as a guiding document to 
more fully integrate mitigation and insurance programs and philosophy 
across the Agency; and to build and sustain collaboration with other 
Federal agencies; State, tribal, and local governments; communities; 
civic and faith-based organizations; and the public. It is meant to 
create a road map for success and also demonstrate what success looks 
like in order to engage and encourage staff, stakeholders, and the 
public in this mission. 

FEMA initiated the requirement for each directorate and office to 
submit annual operating plans that lay out the organization's key 
goals to accomplish in the upcoming year, how these goals link to the 
2011 — 2014 strategic plan, and the measures used to track the 
progress in achieving these goals and measure the outcomes. This 
requirement began in October 2010 for FY 2011. FEMA also initiated a 
new program to hold senior leaders accountable for their programs called
FEMAStat. This program was initiated in January 2011, and to date six 
programs have been reviewed. FEMAStat is based on the COMPSTAT model 
first developed in New York City for the police department. FEMAStat 
looks to ensure strategic alignment of the program with FEMA's 2011—
2014 strategic plan as described in the organization's operating plan 
and focuses on the performance measures used to track progress and 
measure outcomes achieved. 

FEMA's Federal Insurance and Mitigation Administration is in the 
process of aligning its annual operating plan, starting in FY 2012 to 
the FEMA Strategic Plan for Mitigation and Insurance to demonstrate 
progress toward meeting the top priority strategies outlined in the 
plan. FEMA will provide the FEMA Strategic Plan for Mitigation and 
Insurance as well as the Federal Insurance and Mitigation 
Administration FY 2012 Annual Operation Plan to GAO when completed. 

Recommendation #2: Develop a comprehensive workforce plan according to 
PKEMRA that identifies agency staffing and skills requirements, 
addresses turnover and staff vacancies, and analyzes FEMA's use of 
contractors. 

Response: Concur. DHS is already working to complete this task. FEMA 
submitted its first Post-Katrina Emergency Management Reform Act of 
2006-mandated Strategic Human Capital Plan (SHCP) to Congress on June 
5, 2008. Annual updates to that plan have been submitted in the form 
of an "operational plan" detailing action items designed to address 
the goals of the SHCP. 

Additionally, in 2009, FEMA along with the Homeland Security Studies 
and Analysis Institute (HSSAI) completed Phase I of an assessment to 
characterize the FEMA workforce in both steady state (normal day-to-
day operations) and disaster situations (when responding to an active 
disaster), in order to identify workforce requirements to achieve FEMA 
operational capabilities, identify gaps in the current workforce based 
on the identified requirements, and develop workforce plans, 
strategies, and tools to transform the current posture into the 
workforce of the future. 

Phase I (completed in FY 2010) was an "as is" baseline assessment of 
FEMA's current federal workforce, including all disaster reservists. 
The assessment provided FEMA with a snapshot of its federal workforce. 
In addition, the study characterized FEMA's human capital resources, 
what they do, and where they are located, geographically as well as 
functionally. 

For Phase II, FEMA has continued contracting with HSSAI. Phase II will 
build on the first phase by identifying requirements for shaping the 
workforce of the future to achieve FEMA's strategic goals. In 
addition, Phase II will analyze FEMA's regional operations, assess 
capability and capacity requirements, including conducting workforce 
gap analysis, and study the contract workforce. Specifically, Phase II 
will: 

* Identify future capability requirements and align human capital 
strategy with mission, goals, and/or organizational objectives; 

* Identify the appropriate size, grades, demographics, locations, 
functions, structure, and composition of the workforce needed to 
address current and future workload requirements; 

* Identify skill gaps or deficiencies that exist in mission critical 
occupations; 

* Develop and identify workforce strategies to overcome these skill 
gaps; 

* Identify the immediate manpower needs of FEMA's Regional Offices; 
and; 

* Identify and determine where FEMA's contract employees are located 
(geographically), what they do, their contributions to FEMA, and what 
the appropriate mix of contractors should be and their alignment to 
the functional pillars. 

Currently, HSSAI is in the process of conducting a literature search 
and review and is interviewing the senior leadership so the contractor 
understands the Agency's strategic direction. This will assist in 
determining the "to be" state and identifying the needed future 
workforce. FEMA will continue to work with HSSAI to complete this 
assessment. 

Recommendation #3: Direct the FIMA Acting Assistant Administrator to 
develop a plan for continuing NFIP operations when staff are deployed 
to respond to federal disasters. 

Response: Concur. DHS will develop consistent agency level guidance 
for component level business continuity plans. These plans will inform 
Component leadership on the deployment of FEMA Headquarters staff 
during catastrophic events so that program business functions will 
continue to operate, should the need arise. 

Recommendation #4: Direct the FIMA Acting Assistant Administrator and 
the FEMA Mission Support Associate Administrator to develop protocols 
to encourage and monitor collaboration between FIMA and relevant 
support offices, including those for information technology, 
acquisition management, and financial management. 

Response: Concur. In 2010 the Mission Support Bureau (MSB) began to 
conduct "listening sessions" with all FEMA program offices to better 
understand the needs of their customers and encourage collaboration 
between MSB and these offices. All items identified for action are 
responded to promptly and a follow-up plan is provided to the program 
office. All actions are closed out in a timely manner. As part of the 
MSB Customer Assurance Program, DHS's goals are to continue to ensure 
that FEMA customer organizations have a clear understanding of the 
resources, tools, and support MSB can provide. To reduce bureaucracy, 
streamline processes, and improve accountability and efficiency, DHS 
also monitors the conditions under which that support can be provided, 
and verifies that MSB processes, practices, and policies are well-
defined, clear, customer-focused, and support the efficient delivery 
of service. 

To improve FEMA's policies, procedures, and systems for achieving 
NFIP' s program goals, GAO recommended that the Secretary of DHS 
direct the FEMA Administrator to: 

Recommendation #5: 

* While waiting for DHS to implement an agency wide electronic 
document management system, consider the costs and benefits of 
implementing an interim system for FEMA and updating its document 
management policies and procedures; 

* Ensure that FEMA regularly reviews unliquidated obligations within 
NFIP-related funds; 

* Establish timelines for and complete the development and 
implementation of FEMA's revised acquisition process, in line with the 
DHS Acquisition Directive 102-01, including a rollout process with 
staff training and a mechanism to better ensure that all acquisitions 
undergo the necessary reviews; and; 

* Ensure that FEMA Mission Support's business process reengineering 
plans are expeditiously completed. 

Response: Concur. DHS highlights the following achievements and 
ongoing practices: 

* Continue to provide interim guidance and policy to program offices 
for records and document management while awaiting the implementation 
of the DHS-wide system. 

* In June 2009, FEMA published Interim CFO Directive 2600-008, 
Managing Open Obligations, to identify policies and procedures for 
quarterly reviews and annual certification of open obligations in 
order to properly report obligation balances, certify the validity of 
obligated balances and make funds available that otherwise might not 
be used, reduce the risk of misuse and theft of funds, and to improve 
the Treasury Department's ability to forecast outlay and borrowing 
needs. This directive applies uniformly to all FEMA program offices, 
including FIMA (FEMA's Federal Insurance and Mitigation 
Administration). 

* Continue to ensure that FEMA's revised acquisition process is in 
line with DHS Acquisition Directive 102-01. FEMA continues to make a 
major investment in improving its capability and capacity to manage 
contracts and oversee acquisition programs. FEMA's accomplishments in 
the acquisition process include: 

- Established and began staffing a 26-person Disaster Assistance 
Response Team to provide fully qualified acquisition personnel to 
major disaster sites to provide consistent and Federal Acquisition and 
Regulation (FAR)-compliant post-award contract administration on major 
response and recovery contracts (e.g., IA TAC, PA TAC) that pose high 
performance risks. 

- Established a Regional Branch to provide a functional reporting 
chain for all regional contract specialists to ensure the integrity of 
acquisition actions, provide standardized contract awards and 
administration, and ensure all acquisition personnel are supervised by 
progressive levels of experienced Contract Specialists. 

- Developed a FEMA Qualification System for all Disaster Assistance 
Employees in the Acquisition Cadre (to build upon the Credentialing 
System developed in calendar year 2010) that provides a framework for 
building a qualified acquisition cadre to make better and more 
consistent acquisition decisions. 

- Increased acquisition training opportunities through the use of Web-
based training, periodic in-house policy and training seminars, and 
self-directed "brown bag" training sessions where employees conduct a 
review of GAO cases to increase the rate of acquisition lessons 
learned. 

- Established a system of positive file controls to ensure 
availability and accountability of contract files. 

- With respect to the Contracting Officer Technical Representative 
(COTR) program, a tiered COTR certification system now exists to 
ensure that COTRs are properly trained and equipped to manage 
contracts, on the basis of size and complexity. COTRs are now 
certified at three levels, with Tier III being the highest level 
training. Today, there are a total of 1456 DHS certified COTRs, with 
79 being Tier II certified, 166 being Tier III certified and the 
remainder being Tier I certified. Approximately 260 COTRs are expected 
to be Tier II and III certified this year. 

- With respect to DHS certified Acquisition Program Managers (PMs), 
there are 169 certified PMs of which 94 are PM Level 1, 58 are PM 
Level 2, and 17 are PM Level 3 certified. Level 3 is the highest level. 

- FEMA established the position of Acquisition Advisor to the Federal 
Coordinating Officer (FCO) to provide needed visibility for the 
acquisition function in a disaster field office and to provide 
expedited acquisition expertise to the FCO, especially in the fast-
paced environment of the disaster response phase. This position was 
activated for the first time during the response to Hurricanes Gustav 
and Ike and proved to be quite successful in helping responders avoid 
unauthorized commitments, and expedite procurements to meet their 
response needs. 

- FEMA continues to make progress on acquisition management, balancing 
the use of prepositioned contracts with the requirements of Section 
307 of the Stafford Act, which pertains to requiring FEMA to contract 
with local vendors to the maximum extent possible when responding to a 
declared major disaster. FEMA established the Local Business 
Transition Team in response to Stafford Act Section 307 "Use of Local 
Finns and Individuals," which facilitates the transition of disaster 
requirements by assisting the Joint Field Office acquisition staff and 
programs with identifying requirements, assessing transition 
feasibility, and creating acquisition packages for contract award. 

- The Acquisition Operations Division of The Office of the Chief 
Procurement Officer, under which the majority of contracting officers 
and contract specialists are employed, has an 85-percent fill rate and 
continues to work to fill necessary positions. 

- FEMA will continue to improve its capabilities by recruiting, 
training, and retaining sufficient staff in all areas necessary to 
ensure preparedness for a catastrophic disaster, and working closely 
with the entire emergency management community. One of the most 
important ways this is achieved is through partnerships at the federal 
level. 

* In 2009, MSB, formerly the Management Directorate underwent a 
Business Process Improvement Initiative to provide the office with a 
broader, deeper understanding of the day-to-day processes our offices 
performs and identify areas for potential improvements across MSB. As 
part of this review, MSB documented the 'as is' of all core business 
processes, while identifying areas of efficiency and effectiveness. 
This resulted in MSB identifying and documenting the future state of 
these 'to be' processes to resolve issues, incorporate key controls, 
and reflect industry best practices. This as part of FEMA's strategic 
plan goal #5 "transforming into a results-oriented organization 
focused on performance, strong financial management, and continuous 
improvement of its business processes." As a result, the Agency will 
be better able to achieve greater: 

- Understanding: Increase visibility of core processes and develop 
shared understanding and clarity of what each process entails; 

- Efficiency: Free up bottlenecks and minimize redundancies across the 
enterprise; 

- Consistency: Establish repeatable, measurable, transferable 
processes and target goals; 

- Collaboration: Improve cross-MSB activities to enhance effectiveness 
of our resources, personnel, and programs. 

MSB has begun incorporating these lessons learned into our day-to-day 
operations, and continues to look for opportunities to reengineer our 
programs and process to provide the Timely, Positive, Accountable, and 
Dependable support, tools, and resources the FEMA team needs to build, 
sustain, and improve the capability to prepare for, protect against, 
respond to, recover from, and mitigate against all hazards. 

To improve the usefulness and reliability of NFIP's flood insurance 
policy and claims processing system, GAO recommended that the 
Secretary of DHS: 

Recommendation #6: 

* Direct the DHS Deputy Secretary, as the Chair of DHS's Acquisition 
Review Board, to provide regular oversight of FEMA's next attempt to 
modernize this system; and; 

* Direct the FEMA Administrator to ensure that FEMA's Chief 
Information Officer applies lessons learned from the NextGen 
experience to the next modernization attempt. At a minimum, this 
effort should ensure that (I) all levels of system requirement are 
complete and clear and that key stakeholders are adequately involved 
in requirements development and management, (2) key test events are 
effectively managed, (3) project risks are proactively identified and 
mitigated, and (4) project office staffing needs are properly assessed 
and met. 

Response: Concur. DHS is preparing an Acquisition Decision Memorandum 
to elevate NFIP from a Level 3 to a Level 2 Special Interest program. 
This will ensure that the program is designated for regular oversight 
by DHS's Acquisition Review Board (ARB). In addition to this 
designation, a formally established cross-functional Executive 
Steering Committee will convene immediately. FEMA has made a 
significant commitment to effectively overseeing its major acquisition 
activities through the creation of a FEMA ARB, which is now fully 
functional and supported by a staff of experts in acquisition program 
management. All major acquisitions now must pass through this rigorous 
review progress and are subject to periodic review by the ARB over the 
life of the contract. 

* The report reminds the Office of the Chief Information officer 
(OCIO) that the Agency's IT strategy needs to be updated and re-
communicated to FEMA's staff and program offices. Over the past 4 
years, FEMA OCIO has undertaken important initiatives and made great 
progress in modernizing IT infrastructure, services, and systems. 
These initiatives fall into three major functional areas: enterprise, 
business, and mission. OCIO has continued its modernization efforts 
and is applying lessons learned from the NextGen assessment to move 
forward, working alongside its business partner to better understand 
their program needs, and to conduct information gathering that will 
inform the development of the Statement of Work, test identified 
solutions, mitigate issues, and ensure adequate staffing to maintain 
systems. 

* Additionally, FEMA OCIO will continue to meet with senior leaders in 
enterprise, business, and mission areas to ensure IT investments 
support Agency mission goals. Meetings will be held on a quarterly 
basis, and the results of the meetings will be posted to the 
interactive IT strategy Website. 

Thank you for the opportunity to review and comment on this draft 
report. We look forward to working with you on future Homeland 
Security engagements. 

Sincerely, 

Signed by: 

Jim H. Crumpacker: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Orice Williams Brown, (202) 512-8678 or williamso@gao.gov. 

Staff Acknowledgments: 

In addition to the contact named above, Randy Hite (retired), 
Director; William Woods, Director; Patrick Ward, Assistant Director; 
Tonia Johnson, Assistant Director (in memoriam); Nima Patel Edwards; 
Christopher Forys; Elena Epps; and Emily Chalmers made significant 
contributions to this report. Other contributors included Tania 
Calhoun; William R. Chatlos; Jim Crimmer; Marc Molino; Freda Paintsil; 
Karl Seifert; and Christy Tyson. 

[End of section] 

Related GAO Products: 

Flood Insurance: Public Policy Goals Provide a Framework for Reform. 
[hyperlink, http://www.gao.gov/products/GAO-11-429T]. Washington, 
D.C.: March 11, 2011. 

FEMA Flood Maps: Some Standards and Processes in Place to Promote Map 
Accuracy and Outreach, but Opportunities Exist to Address 
Implementation Challenges. [hyperlink, 
http://www.gao.gov/products/GAO-11-17]. Washington, D.C.: December 2, 
2010. 

National Flood Insurance Program: Continued Actions Needed to Address 
Financial and Operational Issues. [hyperlink, 
http://www.gao.gov/products/GAO-10-1063T]. Washington, D.C.: September 
22, 2010. 

Homeland Security: US-VISIT Pilot Evaluations Offer Limited 
Understanding of Air Exit Options. [hyperlink, 
http://www.gao.gov/products/GAO-10-860]. Washington, D.C.: August 10, 
2010. 

Department of Homeland Security: Assessments of Selected Complex 
Acquisitions. [hyperlink, http://www.gao.gov/products/GAO-10-588SP]. 
Washington, D.C.: June 30, 2010. 

National Flood Insurance Program: Continued Actions Needed to Address 
Financial and Operational Issues. [hyperlink, 
http://www.gao.gov/products/GAO-10-631T]. Washington, D.C.: April 21, 
2010. 

Financial Management: Improvements Needed in National Flood Insurance 
Program's Financial Controls and Oversight. [hyperlink, 
http://www.gao.gov/products/GAO-10-66]. Washington, D.C.: December 22, 
2009. 

Homeland Security: Despite Progress, DHS Continues to Be Challenged in 
Managing Its Multi-Billion Dollar Annual Investment in Large-Scale 
Information Technology Systems. [hyperlink, 
http://www.gao.gov/products/GAO-09-1002T]. Washington, D.C.: September 
15, 2009. 

Flood Insurance: Opportunities Exist to Improve Oversight of the WYO 
Program. [hyperlink, http://www.gao.gov/products/GAO-09-455]. 
Washington, D.C.: August 21, 2009. 

Results-Oriented Management: Strengthening Key Practices at FEMA and 
Interior Could Promote Greater Use of Performance Information. 
[hyperlink, http://www.gao.gov/products/GAO-09-676]. Washington, D.C.: 
August 17, 2009. 

Information on Proposed Changes to the National Flood Insurance 
Program. [hyperlink, http://www.gao.gov/products/GAO-09-420R]. 
Washington, D.C.: February 27, 2009. 

High-Risk Series: An Update. [hyperlink, 
http://www.gao.gov/products/GAO-09-271]. Washington, D.C.: January 
2009. 

Homeland Security: U.S. Visitor and Immigrant Status Indicator 
Technology Program Planning and Execution Improvements Needed. 
[hyperlink, http://www.gao.gov/products/GAO-09-96]. Washington, D.C.: 
December 12, 2008. 

Department of Homeland Security: A Strategic Approach Is Needed to 
Better Ensure the Acquisition Workforce Can Meet Mission Needs. 
[hyperlink, http://www.gao.gov/products/GAO-09-30]. Washington, D.C.: 
November 19, 2008. 

Department of Homeland Security: Billions Invested in Major Programs 
Lack Appropriate Oversight. [hyperlink, 
http://www.gao.gov/products/GAO-09-29]. Washington, D.C.: November 18, 
2008. 

Flood Insurance: Options for Addressing the Financial Impact of 
Subsidized Premium Rates on the National Flood Insurance Program. 
[hyperlink, http://www.gao.gov/products/GAO-09-20]. Washington, D.C.: 
November 14, 2008. 

Tax Administration: IRS Needs to Strengthen Its Approach for 
Evaluating the SRFMI Data-Sharing Pilot Program. [hyperlink, 
http://www.gao.gov/products/GAO-09-45]. Washington, D.C.: November 7, 
2008. 

Flood Insurance: FEMA's Rate-Setting Process Warrants Attention. 
[hyperlink, http://www.gao.gov/products/GAO-09-12]. Washington, D.C.: 
October 31, 2008. 

Secure Border Initiative: DHS Needs to Address Significant Risks in 
Delivering Key Technology Investment. [hyperlink, 
http://www.gao.gov/products/GAO-08-1086]. Washington, D.C.: September 
22, 2008. 

National Flood Insurance Program: Financial Challenges Underscore Need 
for Improved Oversight of Mitigation Programs and Key Contracts. 
[hyperlink, http://www.gao.gov/products/GAO-08-437]. Washington, D.C.: 
June 16, 2008. 

Natural Catastrophe Insurance: Analysis of a Proposed Combined Federal 
Flood and Wind Insurance Program. [hyperlink, 
http://www.gao.gov/products/GAO-08-504]. Washington, D.C.: April 25, 
2008. 

National Flood Insurance Program: Greater Transparency and Oversight 
of Wind and Flood Damage Determinations Are Needed. [hyperlink, 
http://www.gao.gov/products/GAO-08-28]. Washington, D.C.: December 28, 
2007. 

National Disasters: Public Policy Options for Changing the Federal 
Role in Natural Catastrophe Insurance. [hyperlink, 
http://www.gao.gov/products/GAO-08-7]. Washington, D.C.: November 26, 
2007. 

Business Systems Modernization: Department of the Navy Needs to 
Establish Management Structure and Fully Define Policies and 
Procedures for Institutionally Managing Investments. [hyperlink, 
http://www.gao.gov/products/GAO-08-53]. Washington, D.C.: October 31, 
2007. 

Federal Emergency Management Agency: Ongoing Challenges Facing the 
National Flood Insurance Program. [hyperlink, 
http://www.gao.gov/products/GAO-08-118T]. Washington, D.C.: October 2, 
2007. 

National Flood Insurance Program: FEMA's Management and Oversight of 
Payments for Insurance Company Services Should Be Improved. 
[hyperlink, http://www.gao.gov/products/GAO-07-1078]. Washington, 
D.C.: September 5, 2007. 

Information Technology: FBI Following a Number of Key Acquisition 
Practices on New Case Management System, but Improvements Still 
Needed. [hyperlink, http://www.gao.gov/products/GAO-07-912]. 
Washington, D.C.: July 30, 2007. 

National Flood Insurance Program: Preliminary Views on FEMA's Ability 
to Ensure Accurate Payments on Hurricane-Damaged Properties. 
[hyperlink, http://www.gao.gov/products/GAO-07-991T]. Washington, 
D.C.: June 12, 2007. 

Coastal Barrier Resources System: Status of Development That Has 
Occurred and Financial Assistance Provided by Federal Agencies. 
[hyperlink, http://www.gao.gov/products/GAO-07-356]. Washington, D.C.: 
March 19, 2007. 

Budget Issues: FEMA Needs Adequate Data, Plans, and Systems to 
Effectively Manage Resources for Day-to-Day Operations. [hyperlink, 
http://www.gao.gov/products/GAO-07-139]. Washington, D.C.: January 19, 
2007. 

National Flood Insurance Program: New Processes Aided Hurricane 
Katrina Claims Handling, but FEMA's Oversight Should Be Improved. 
[hyperlink, http://www.gao.gov/products/GAO-07-169]. Washington, D.C.: 
December 15, 2006. 

Enterprise Architecture: Leadership Remains Key to Establishing and 
Leveraging Architectures for Organizational Transformation. 
[hyperlink, http://www.gao.gov/products/GAO-06-831]. Washington, D.C.: 
August 14, 2006. 

Information Technology: Customs Has Made Progress on Automated 
Commercial Environment System, but It Faces Long-Standing Management 
Challenges and New Risks. [hyperlink, 
http://www.gao.gov/products/GAO-06-580]. Washington, D.C.: May 31, 
2006. 

Homeland Security: Progress Continues, but Challenges Remain on 
Department's Management of Information Technology. [hyperlink, 
http://www.gao.gov/products/GAO-06-598T]. Washington, D.C.: March 29, 
2006. 

GAO's High-Risk Program. [hyperlink, 
http://www.gao.gov/products/GAO-06-497T]. Washington, D.C.: March 15, 
2006. 

Federal Emergency Management Agency: Challenges for the National Flood 
Insurance Program. [hyperlink, 
http://www.gao.gov/products/GAO-06-335T]. Washington, D.C.: January 
25, 2006. 

Results-Oriented Government: Practices That Can Help Enhance and 
Sustain Collaboration among Federal Agencies. [hyperlink, 
http://www.gao.gov/products/GAO-06-15]. Washington, D.C.: October 21, 
2005. 

Federal Emergency Management Agency: Improvements Needed to Enhance 
Oversight and Management of the National Flood Insurance Program. 
[hyperlink, http://www.gao.gov/products/GAO-06-119]. Washington, D.C.: 
October 18, 2005. 

Framework for Assessing the Acquisition Function at Federal Agencies. 
[hyperlink, http://www.gao.gov/products/GAO-05-218G]. Washington, 
D.C.: September 2005. 

Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity. [hyperlink, 
http://www.gao.gov/products/GAO-04-394G]. Washington, D.C.: March 2004. 

Human Capital: Key Principles for Effective Strategic Workforce 
Planning. [hyperlink, http://www.gao.gov/products/GAO-04-39]. 
Washington, D.C.: December 11, 2003. 

Information Technology: A Framework for Assessing and Improving 
Enterprise Architecture Management (Version 1.1). [hyperlink, 
http://www.gao.gov/products/GAO-03-584G]. Washington, D.C.: April 2003. 

Tax Administration: IRS Needs to Further Refine Its Tax Filing Season 
Performance Measures. [hyperlink, 
http://www.gao.gov/products/GAO-03-143]. Washington, D.C.: November 
22, 2002. 

Internal Control Management and Evaluation Tool. [hyperlink, 
http://www.gao.gov/products/GAO-01-1008G]. Washington, D.C.: August 
2001. 

Determining Performance and Accountability Challenges and High Risks. 
[hyperlink, http://www.gao.gov/products/GAO-01-159SP]. Washington, 
D.C.: November 2000. 

Standards for Internal Control in the Federal Government. [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. Washington, D.C.: 
November 1999. 

Budget Issues: Budgeting for Federal Insurance Programs. [hyperlink, 
http://www.gao.gov/products/GAO/T-AIMD-98-147]. Washington, D.C.: 
April 23, 1998. 

Budget Issues: Budgeting for Federal Insurance Programs. [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-97-16]. Washington, D.C.: 
September 30, 1997. 

Agencies' Strategic Plans under GPRA: Key Questions to Facilitate 
Congressional Review. [hyperlink, 
http://www.gao.gov/products/GAO/GGD-10.1.16]. Washington, D.C.: May 
1997. 

[End of section] 

Footnotes: 

[1] GAO, GAO's High-Risk Program, [hyperlink, 
http://www.gao.gov/products/GAO-06-497T] (Washington, D.C.: Mar. 15 
2006). 

[2] KMPG LLC conducts the annual DHS financial statement audit. 

[3] Pub. L. No. 90-448, Title XIII, § 1302, 82 Stat. 476 (1968). 

[4] This number reflects the four components of the NFIP premium: (1) 
Building Coverage, (2) Contents Coverage, (3) Increased Cost of 
Construction Coverage, and (4) Federal Policy Fee. 

[5] GAO's 2009 high-risk list has designated Implementing and 
Transforming the Department of Homeland Security as a high-risk 
program. Also, see GAO, Department of Homeland Security: Actions Taken 
Toward Management Integration, but a Comprehensive Strategy Is Still 
Needed, [hyperlink, http://www.gao.gov/products/GAO-10-131] 
(Washington, D.C.: Nov. 20, 2009) and Department of Homeland Security: 
A Comprehensive and Sustained Approach Needed to Achieve Management 
Integration, [hyperlink, http://www.gao.gov/products/GAO-05-139] 
(Washington, D.C.: Mar. 16, 2005). 

[6] FIMA has three divisions with separate flood risk management 
functions: the Risk Analysis Division identifies flood risk, 
particularly through mapping efforts; the Risk Reduction Division 
involves flood plain management and manages a number of grant programs 
that help mitigate high-risk properties; and the Risk Insurance 
Division manages the insurance program. 

[7] During the course of this engagement, FEMA changed OCFO's 
reporting structure so that OCFO now reports directly to the FEMA 
administrator, as reflected in Figure 1 below. 

[8] FEMA, Strategic Plan, Fiscal Years 2011-2014, Publication 806, 
February 2011. 

[9] Pub. L No. 103-62, § 3, 107 Stat. 285 (1993), codified at 5 U.S.C. 
§ 306. GPRA was recently amended by the GPRA Modernization Act of 
2010, Pub. L. No. 111-352, 124 Stat. 3866 (2011). 

[10] See GAO, Agencies' Strategic Plans Under GPRA: Key Questions to 
Facilitate Congressional Review, [hyperlink, 
http://www.gao.gov/products/GAO/GGD-10.1.16] (Washington, D.C.: May 
1997). 

[11] Senate Committee on Governmental Affairs, S. Rep. No. 103-58, 
103d Cong., 1st Sess. (1993), at 15. 

[12] See GAO, Standards for Internal Control in the Federal 
Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[13] See GAO, Tax Administration: IRS Needs to Further Refine Its Tax 
Filing Season Performance Measures, [hyperlink, 
http://www.gao.gov/products/GAO-03-143] (Washington, D.C.: Nov. 22, 
2002). In this report, GAO developed nine attributes of performance 
goals and measures based on previously established GAO criteria. 

[14] See [hyperlink, http://www.gao.gov/products/GAO-03-143]. 

[15] FIMA officials said that FIMA previously required the regions and 
its three divisions to use and report on a much more robust set of 
performance measures--called "scorecards"--to supplement the five 
primary measures. However, when management changed in 2007, the 
measures were still new and staff were not yet using them. Current 
management no longer requires the regions and divisions to report 
these measures, and they have not been used since 2007. NFIP 
communities develop Hazard Mitigation Plans to understand the risks 
that hazards pose and include priorities for and strategies to avoid 
or minimize the undesired effects of hazards. 

[16] The Post-Katrina Emergency Management Reform Act of 2006 was 
enacted as Title VI of the Department of Homeland Security 
Appropriations Act, 2007, Pub. L. No. 109-295, 120 Stat. 1355 (2006). 

[17] National Academy of Public Administration (NAPA), FEMA's 
Integration of Preparedness and Development of Robust Regional 
Offices. (Washington, D.C.: October 2009). 

[18] See GAO, Human Capital: Key Principles for Effective Strategic 
Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] 
(Washington, D.C.: Dec. 11, 2003), and Budget Issues: FEMA Needs 
Adequate Data, Plans, and Systems to Effectively Manage Resources for 
Day-to-Day Operations, [hyperlink, 
http://www.gao.gov/products/GAO-07-139] (Washington, D.C.: Jan. 19, 
2007). 

[19] National Academy of Public Administration, FEMA's Integration of 
Preparedness and Development of Robust Regional Offices (Washington 
D.C.: October 2009). 

[20] Homeland Security Studies and Analysis Institute, FEMA's 
Workforce Baseline Assessment (Arlington, Va.: March 2010). 

[21] See Homeland Security Studies and Analysis Institute, Federal 
Emergency Management Agency Workforce Baseline Assessment, Final 
Report (Arlington, Va.: Mar. 31, 2010). 

[22] Pub. L. No. 111-117, § 743, 123 Stat. 3034, 3216 (2009). 

[23] Full-time equivalent (FTE) is a measure of employment used by the 
federal government to calculate the total number of regular, straight- 
time hours worked by employees divided by the number of compensable 
hours applicable to each fiscal year. 

[24] See [hyperlink, http://www.gao.gov/products/GAO-07-139]. 

[25] See Homeland Security Studies and Analysis Institute, Federal 
Emergency Management Agency Workforce Baseline Assessment, Final 
Report; (Arlington, Va.: Mar. 31, 2010). According to the Homeland 
Security Studies and Analysis Institute's March 2010 report, FEMA has 
approximately 9,000 temporary "surge" employees who were on call to 
respond to a disaster. In January 2010, half of these employees had 
declared themselves unavailable, and approximately 1,720 were deployed 
to 119 active disaster sites, leaving an actual surge capacity of 
around 2,800 staff. 

[26] The goal of business continuity planning management is to keep 
operations running in the event of a disruption to normal business 
practices. As a program, it includes activities such as planning, risk 
analysis, providing backup facilities, succession plans, and impact 
assessments. 

[27] See [hyperlink, http://www.gao.gov/products/GAO-07-139]. 

[28] See GAO, Results-Oriented Government: Practices That Can Help 
Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, 
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21, 
2005). 

[29] Within this overarching goal for participation by small business 
concerns are goals for small business concerns owned and controlled by 
service-disabled veterans, qualified HUBZone small business concerns, 
small business concerns owned and controlled by socially and 
economically disadvantaged individuals, and small business concerns 
owned and controlled by women. 15 U.S.C. § 644(g)(1). 

[30] The Head of Contracting Activity is a federal employee who, by 
position or appointment, is responsible for managing the entire 
acquisition function within an organizational element. This position 
is located within FEMA's Mission Support Bureau. 

[31] The Small Business Administration is responsible for assigning 
procurement center representatives (PCR) to major contracting offices 
at federal agencies to implement small business policies and programs. 
Each federal agency that has procurement authority is required to have 
an Office of Small and Disadvantaged Business Utilization (OSDBU) help 
oversee the agency's functions and duties related to the awarding of 
contracts and subcontracts to small and disadvantaged businesses. DHS 
requires its OSDBU to review every proposed new contract requirement 
estimated to exceed $100,000 and all modifications to contracts 
involving new work not required under the original contract. DHS also 
requires its PCR to review all purchases greater than $2 million. 

[32] FIMA staff also said that FEMA's attorneys had not allowed them 
to require that contractors have specific flood insurance experience. 
The attorneys said that doing so would improperly restrict competition 
and added they did not believe that the insurance experience required 
for contracts needed to be specifically with flood insurance. 

[33] DHS Office of the Inspector General, Independent Auditor's Report 
on DHS' FY 2009 Financial Statements and Internal Control over 
Financial Reporting, OIG-10-11 (Washington, D.C.: Nov. 13, 2009). 

[34] DHS Office of the Inspector General, Independent Auditors' Report 
on DHS' FY 2010 Financial Statements and Internal Control over 
Financial Reporting, OIG-11-09 (Washington, D.C.: Nov. 12, 2010). 

[35] NARA is an independent agency that oversees management of federal 
government records including presidential libraries and historic 
collections. 

[36] For purposes of federal records management laws and regulations, 
"records" include all books, papers, maps, photographs, machine 
readable materials, or other documentary materials, regardless of 
physical form or characteristics, made or received by an agency of the 
United States government under federal law or in connection with the 
transaction of public business and preserved or appropriate for 
preservation by that agency or its legitimate successor as evidence of 
the organization, functions, policies, decisions, procedures, 
operations, or other activities of the government or because of the 
informational value of the data in them. 44 U.S.C. § 3301. 

[37] A file plan is a comprehensive outline that includes the records 
series, file organization, active file locations, file transfer 
instructions, file retention and disposition instructions, and other 
specific instructions that provide guidance for effective management 
of records, including vital records. 

[38] Federal records management laws and regulations include 
provisions in chapters 21, 29, 31, and 33 of Title 44 of the U.S. 
Code, and their implementing regulations, as well as the Paperwork 
Reduction Act of 1980, as amended, 44 U.S.C. §§ 3501 et seq. 

[39] DHS Office of the Inspector General, Department of Homeland 
Security's Acquisition Data Management Systems, OIG-10-42 (Washington, 
D.C.: Jan. 25, 2010) and Challenges Facing FEMA's Disaster Contract 
Management, OIG-09-70 (Washington, D.C.: May 8, 2009). 

[40] See GAO, Financial Management: Improvements Needed in National 
Flood Insurance Program's Financial Controls and Oversight, 
[hyperlink, http://www.gao.gov/products/GAO-10-66] (Washington, D.C.: 
Dec. 22, 2009). 

[41] An unliquidated obligation, also called an undelivered order, is 
the value of goods and services ordered and obligated that have not 
been received. This amount may also include any orders for which 
advance payment has been made but for which delivery or performance 
has not yet occurred. 

[42] The $3.0 million includes about $61,000 that has been identified 
to be deobligated, $739,000 that is currently under review, and $2.17 
million that requires review to close. Further, the current $3.3 
million had decreased from $10.2 million in May 2010. 

[43] DHS Management Directive No.1400, Investment Review Process, 
Draft Version 2.0 (March 2006). 

[44] The NextGen system was intended to (1) collect data to determine 
premium rates, (2) collect data on flood claims, (3) track the 
progress of policies and claims, and (4) prepare legislatively 
mandated reports for Congress. 

[45] DHS Acquisition Directive No. 102-01, Draft Version 1.9 (Nov. 7, 
2008) and DHS Acquisition Management Directive No. 102-01, (Jan. 20, 
2010). 

[46] While FEMA currently lacks its own acquisition directive, it is 
still expected to adhere to the DHS guidance. 

[47] The DHS ARB is required for acquisition programs at or above $300 
million in life cycle costs and enterprise service contracts at or 
above $100 million in annual expenditure. 

[48] These programs include Disaster Assistance Improvement Plan 
(DAIP), Grants Management Integrated Environment (GMIE), Housing 
Inspection Services (HIS), Integrated Public Alert and Warning System 
(IPAWS), Logistics Supply Chain Management System (LSCMS), Mt. Weather 
Emergency Operations Center (MWEOC), National Medical Transport and 
Support Contract (NMTSC), Responder Support Camp (RSC), and Risk 
Mapping Assessment and Planning (RiskMAP). 

[49] See GAO, National Flood Insurance Program: Financial Challenges 
Underscore Need for Improved Oversight of Mitigation Programs and Key 
Contracts, [hyperlink, http://www.gao.gov/products/GAO-08-437] 
(Washington, D.C.: June 16, 2008). 

[50] DHS Office of the Inspector General, Department of Homeland 
Security's Acquisition Data Management Systems, OIG-10-42 (Washington, 
D.C.: Jan. 25, 2010). 

[51] FEMA, Directive FD 228-1, Contracting Officer's Technical 
Representative (COTR) (Sept. 28, 2009). 

[52] FEMA, Contracting Officer's Technical Representative (COTR) 
Handbook, Version 1 (February 2009). 

[53] According to FEMA, about 95 percent of NFIP policies are written 
by insurance agents who represent private insurance companies that 
issue policies and process flood claims under their own names (write- 
your-own, or WYO, insurers). The other 5 percent of the policies are 
sold and serviced by state-licensed insurance agents and brokers that 
rely on FEMA for claims processing. 

[54] Carnegie Mellon Software Engineering Institute, Capability 
Maturity Model®Integration for Development, Version 1.2 (Pittsburgh, 
Penn.: Aug. 2006). The Capability Maturity Model® Integration for 
Development (CMMI), developed by the Software Engineering Institute of 
Carnegie Mellon University, defines key practices that are recognized 
hallmarks for successful organizations that, if effectively 
implemented, can greatly increase the chances of successfully 
developing and acquiring software and systems. 

[55] FEMA, National Flood Insurance Program Flood Insurance Manual 
(May 2006); National Flood Insurance Program Specific Rating 
Guidelines (May 2008); and National Flood Insurance Program 
Transaction Record Reporting and Processing (TRRP) Plan for the Write 
Your Own (WYO) Program (May 2006). 

[56] FEMA, FEMA Enterprise Applications Development, Integration, and 
Sustainment, Requirements Validation Document of Findings, NFIP-WO28 
(Washington, D.C.: Jan. 18, 2010). 

[57] See GAO, Secure Border Initiative: DHS Needs to Address 
Significant Risks in Delivering Key Technology Investment, [hyperlink, 
http://www.gao.gov/products/GAO-08-1086] (Washington, D.C.: Sept. 22, 
2008). 

[58] Software Engineering Institute, Capability Maturity Model 
Integration for Acquisition, version 1.2 (Pittsburgh, Pa.: November 
2007); and Institute of Electrical and Electronics Engineers, Standard 
829-2008 Software and System Test Documentation (New York, N.Y.: July 
18, 2008). 

[59] Institute of Electrical and Electronics Engineers, Inc., 
Standards for Software and System Test Documentation, IEEE Std. 829-
2008 (New York, N.Y.: July 18, 2008). 

[60] The COTR reviews contractor performance regularly, ensures that 
contractual milestones are met and standards are being maintained, 
conducts regular inspections of contractor deliverables throughout the 
contract period, and ensures that all contract conditions and clauses 
are acted upon. 

[61] GAO, Tax Administration: IRS Needs to Strengthen Its Approach for 
Evaluating the SFRMI Data-Sharing Program, [hyperlink, 
http://www.gao.gov/products/GAO-09-45] (Washington, D.C.: Nov. 7, 
2008) and Homeland Security: US-VISIT Pilot Evaluations Provide 
Limited Understanding of Air Exit Options, [hyperlink, 
http://www.gao.gov/products/GAO-10-860] (Washington, D.C.: Aug. 10, 
2010). 

[62] Software Engineering Institute, Capability Maturity Model 
Integration for Acquisition, version 1.2 (Pittsburgh, Pa.: November 
2007); and Institute for Electrical and Electronics Engineers, 
Standard 829-2008 Software and System Test Documentation (New York, 
N.Y.: July 18, 2008). 

[63] Office of Management and Budget, Capital Planning Guide: 
Supplement to Circular A-11, part 7, (Washington D.C.: June 2006). 

[64] See GAO, Homeland Security: U.S. Visitor and Immigrant Status 
Indicator Technology Program Planning and Execution Improvements 
Needed, [hyperlink, http://www.gao.gov/products/GAO-09-96] (Washington 
D.C.: Dec. 12, 2008). 

[65] DHS, Improvement Needed in FEMA's Management of the National 
Flood Insurance Program's Information Technology Transition, OIG-10-76 
(Washington, D.C.: Mar. 31, 2010). 

[66] See GAO, Information Technology: FBI Following a Number of Key 
Acquisition Practices on New Case Management System, but Improvements 
Still Needed, [hyperlink, http://www.gao.gov/products/GAO-07-912] 
(Washington, D.C.: July 30, 2007) and Information Technology: Customs 
Has Made Progress on Automated Commercial Environment System, but It 
Faces Long-Standing Management Challenges and New Risks, [hyperlink, 
http://www.gao.gov/products/GAO-06-580] (Washington, D.C.: May 31, 
2006). 

[67] See GAO, Homeland Security: Despite Progress, DHS Continues to Be 
Challenged in Managing Its Multi-Billion Dollar Annual Investment in 
Large-Scale Information Technology Systems, [hyperlink, 
http://www.gao.gov/products/GAO-09-1002T] (Washington, D.C.: Sept. 15, 
2009); Homeland Security: Progress Continues, but Challenges Remain on 
Department's Management of Information Technology, [hyperlink, 
http://www.gao.gov/products/GAO-06-598T] (Washington, D.C.: Mar. 29, 
2006); and Business Systems Modernization: Department of the Navy 
Needs to Establish Management Structure and Fully Define Policies and 
Procedures for Institutionally Managing Investments, [hyperlink, 
http://www.gao.gov/products/GAO-08-53] (Washington, D.C.: Oct. 31, 
2007). 

[68] DHS, Acquisition Directive 102-01, Interim Version 1.9 
(Washington, D.C.: Nov. 7, 2008) and Acquisition Instruction/Guidebook 
102-01-01, Interim Version 1.9 (Washington, D.C.: Nov. 7, 2008). 

[69] Generally, repetitive loss properties are those that have had two 
or more flood insurance claims payments of $1,000 or more over a 
period of 10 years. 

[70] NFIP's Direct Servicing Agent program collects premiums, 
underwrites and produces policies, and settles claims for policies 
that insurance agents obtain for property owners directly from NFIP 
rather than through a WYO insurer. 

[71] FEMA has three separate mitigation grant programs, each with 
different types of requirements, purposes, and appropriations: the 
Flood Mitigation Assistance Program (FMA), the Repetitive Flood Claims 
Program (RFC), and the Severe Repetitive Loss Program (SRL). Moreover, 
the Hazard Mitigation Grant Program (HMGP) and the Pre-Disaster 
Mitigation Program (PDM) are two additional hazard mitigation programs 
that are not specific to flooding. 

[72] Mandatory spending refers to outlays resulting from budget 
authority that is provided in laws other than appropriation acts, 
while discretionary spending is provided in and controlled by 
appropriation acts. 

[73] As of February 2011, FIMA did not have an appointed 
administrator. FIMA has had an acting administrator since April 2009. 

[74] See GAO, Flood Insurance: Options for Addressing the Financial 
Impact of Subsidized Premium Rates on the National Flood Insurance 
Program, [hyperlink, http://www.gao.gov/products/GAO-09-20] 
(Washington, D.C.: Nov. 14, 2008). 

[75] See GAO, Budget Issues: Budgeting for Federal Insurance, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-97-16] (Washington, 
D.C.: Sept. 30, 1997). 

[76] See [hyperlink, http://www.gao.gov/products/GAO-09-20]. 

[77] NFIP's PRP offers low-cost flood insurance to owners and tenants 
of residential and nonresidential buildings located in moderate-to low-
risk areas as long as the property has not, within any 10-year period, 
incurred two or more flood insurance claim payments or disaster relief 
payments (including loans and grants), each more than $1,000. 

[78] The National Flood Insurance Act of 1968, as amended, authorizes 
FEMA to carry out NFIP to enable persons to buy insurance against 
losses arising from flood. The statute defines flood as including 
sudden, flood-event-triggered collapses or subsidences of land along 
the shore of a body of water, but the statute's definition of flood 
does not include the gradual, long-term erosion that may endanger 
coastal communities. See 42 U.S.C. §§ 4001, 4002 and 4121(c). 

[79] Bunning-Bereuter-Blumenauer Flood Insurance Reform Act of 2004, 
Pub. L. No. 108-264, 118 Stat. 712 (2004). The act amended the 
existing definition of the term "repetitive loss structure" to the 
current one: a structure covered by a contract for flood insurance 
that has incurred flood-related damage on two occasions, in which the 
cost of repair, on the average, equaled or exceeded 25 percent of the 
value of the structure at the time of each such flood event; and at 
the time of the second incidence of flood-related damage, the contract 
for flood insurance contains increased cost of compliance coverage, 
which can help property owners pay for the cost of mitigation measures 
for flood-damaged properties. 42 U.S.C. § 4121(a). 

[80] See GAO, National Disasters: Public Policy Options for Changing 
the Federal Role in Natural Catastrophe Insurance, [hyperlink, 
http://www.gao.gov/products/GAO-08-7] (Washington, D.C.: Nov. 26, 
2007). 

[81] See [hyperlink, http://www.gao.gov/products/GAO-09-20]. 

[82] Homeland Security Studies and Analysis Institute (HSSAI), FEMA 
Workforce Baseline Assessment (Arlington, Va.: Mar. 31, 2010). 

[83] See GAO, Agencies' Strategic Plans Under GPRA: Key Questions to 
Facilitate Congressional Review, [hyperlink, 
http://www.gao.gov/products/GAO/GGD-10.1.16] (Washington, D.C.: May 
1997) and Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[84] See GAO, Results-Oriented Government: Practices That Can Help 
Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, 
http://www.gao.gov/products/GAO-06-15] (Washington, D.C.: Oct. 21, 
2005). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: