DHS questions security of FEMA database

14.11.2005
The Federal Emergency Management Agency is not adequately protecting sensitive data in its National Emergency Management Information System (NEMIS), according to a report released this week by the U.S. Department of Homeland Security.

FEMA, the agency that came under fire for its slow response to Hurricane Katrina in late August, is part of the DHS's Emergency Preparedness and Response (EP&R) Directorate.

Since the agency received the draft report from DHS Inspector General Robert Skinner in early August, it has developed and maintained many essential security controls for NEMIS, but much more work needs to be done, the final report said.

Specifically, the report said that FEMA must implement effective procedures for granting, monitoring and removing user access to the data. The agency must also improve staff contingency training and testing, Skinner said.

In addition, the report cited vulnerabilities on NEMIS servers related to access rights and password administration that must be fixed.

NEMIS, which tracks potential disasters and coordinates response operations, is used by individuals and small businesses to apply for federal assistance. It also processes requests from states for funding of hazard mitigation projects.

"Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," Skinner wrote in the report. "In addition, EP&R may not be able to recover NEMIS following a disaster."

The report called on FEMA to create adequate NEMIS user-access controls and urged it to implement an IT contingency training and testing program for the system. Skinner also said FEMA must develop corrective action plans to address vulnerabilities in NEMIS.

In a formal response to the report, FEMA officials said that they agreed with the recommendations in the draft report received last summer and that they are moving to correct the deficiencies. But Skinner said FEMA has not yet offered a specific plan to address 56 deficiencies and noted that EP&R has still not fully aligned its security program with DHS's overall policies, procedures or practices.

"For example, security controls had not been tested in over a year; a contingency plan has not been tested; security control costs have not been integrated into the life cycle of the system; and system and database administrators have not obtained specialized security training," Skinner wrote.

The NEMIS database, which was implemented in 1998, was designed and developed by Fairfax, Va.-based systems integrator Anteon Corp., using Oracle Corp.'s relational database management system, according to Anteon's Web site. The vendor information was redacted from Skinner's report.

At that time, NEMIS replaced FEMA's legacy system with an integrated client/server architecture consisting of more than 31 networked servers installed nationwide, according to Anteon.