Security of FEMA Database Questioned

The U.S. Federal Emergency Management Agency has not establishedadequate controls over sensitive data in its National EmergencyManagement Information System (NEMIS), according to a redacted reportreleased Monday by Robert Skinner, inspector general of the U.S.Department of Homeland Security.

FEMA is now part of the DHS’s Emergency Preparedness and Response (EP&R) Directorate.

Although the agency, which came under fire for its slow response toHurricane Katrina in late August, has developed and maintained manyessential security controls for NEMIS, more work needs to be done toprotect the database, according to Skinner’s report.

Specifically, FEMA hasn’t implemented effective procedures forgranting, monitoring and removing user access, nor has it conductedcontingency training or testing, Skinner said. In addition,vulnerabilities were found on NEMIS servers related to access rightsand password administration.

NEMIS allows incident tracking and coordination, is used by individualsand small businesses that apply for federal assistance, and processesrequests from states for funding of hazard mitigation projects.

“Due to these database security exposures, there is an increased riskthat unauthorized individuals could gain access to critical EP&Rdatabase resources and compromise the confidentiality, integrity andavailability of sensitive NEMIS data,” Skinner wrote in the report. “Inaddition, EP&R may not be able to recover NEMIS following adisaster.”

He called on FEMA to make sure adequate controls over user access toNEMIS are put in place and urged it to implement an IT contingencytraining and testing program for NEMIS. He also said FEMA needs todevelop corrective action plans to address the vulnerabilities andweaknesses Skinner found.

In response to a draft of the report, FEMA officials agreed withSkinner’s recommendations and said they are moving to correct thedeficiencies. Even so, Skinner said FEMA did not offer up a specificplan to address 56 deficiencies, and noted that EP&R has not fullyaligned its security program with DHS’s overall policies, procedures orpractices.

“For example, security controls had not been tested in over a year; acontingency plan has not been tested; security control costs have notbeen integrated into the life cycle of the system; and system anddatabase administrators have not obtained specialized securitytraining,” Skinner wrote.

The NEMIS database, which was implemented in 1998, was designed anddeveloped by Fairfax, Va.-based Anteon Corp., using Oracle Corp.’srelational database management system. Although that information wasredacted from Skinner’s report, it was available at Anteon’s Web site.

NEMIS replaced FEMA’s legacy system with a fully integratedclient/server architecture consisting of more than 31 networked serversinstalled nationwide, according to Anteon.

By Linda Rosencrance – Computerworld (US online)