GAO: FEMA needs framework to improve IT systems
According to the Government Accountability Office, FEMA needs to develop a governing framework for the oversight and modernization of IT investments.
The Federal Emergency Management Agency needs to develop a governing framework for the oversight and modernization of IT investments, and needs to address holes in its tech workforce, according to a Government Accountability Office report released May 5. Not doing so limits the agency's ability to adequately respond to major disaster, GAO said.
The review was launched to assess FEMA's progress in satisfying requirements of the 2006 Post-Katrina Emergency Management Reform Act, which mandated assessing and upgrading the agency's IT programs to aid its responses to emergency situations.
The findings track with a Department of Homeland Security inspector general report from November 2015, although improvements in IT modernization were noted by GAO auditors.
FEMA established an investment review board to examine IT purchases, and has made progress in modernizing its IT systems, GAO found. However, the report observed that the review board lacks fully defined responsibilities for members and working groups as well as clearly defined procedures for investment selection, that the IT strategic plan is outdated, and that the agency's IT modernization plan to eliminate aging and duplicative systems is incomplete.
The report also raises concerns that FEMA has not provided time frames to fulfill recommended actions regarding workforce management challenges, including an evaluation of its IT staffers.
As a result, the report stated, "the agency lacks adequate visibility into and oversight of IT investment decisions and activities… is limited in its ability to move toward its goal to modernize its systems and eliminate duplicative IT investments" and "has less assurance that its IT workforce will have the skills needed to successfully manage its programs."
Additionally, three emergency management programs reviewed by GAO were burdened with technical deficiencies in their risk management practices. All three programs had identified these risks, but none had developed a satisfactory mitigation plan.
"These weaknesses were due, in part, to a lack of FEMA policies to guide programs in implementing these key IT management controls," the report stated.
GAO recommended that FEMA define the roles of the investment board and associated entities, update its IT strategic plan and finalize its IT modernization plan and determine a timeframe to address workforce management challenges.
DHS concurred with the recommendations, and provided specific corrective action plans which are scheduled to be put in place by the end of 2016.