"Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," Skinner wrote in the report. "In addition, EP&R may not be able to recover NEMIS following a disaster."

The report called on FEMA to create adequate NEMIS user-access controls and urged it to implement an IT contingency training and testing program for the system. Skinner also said FEMA must develop corrective action plans to address vulnerabilities in NEMIS.

In a formal response to the report, FEMA officials said that they agreed with the recommendations in the draft report received last summer and that they are moving to correct the deficiencies. But Skinner said FEMA has not yet offered a specific plan to address 56 deficiencies and noted that EP&R has still not fully aligned its security program with DHS's overall policies, procedures or practices.

"For example, security controls had not been tested in over a year; a contingency plan has not been tested; security control costs have not been integrated into the life cycle of the system; and system and database administrators have not obtained specialized security training," Skinner wrote.

The NEMIS database, which was implemented in 1998, was designed and developed by Fairfax, Va.-based systems integrator Anteon Corp., using Oracle Corp.'s relational database management system, according to Anteon's Web site. The vendor information was redacted from Skinner's report.