The Federal Emergency Management Agency’s (FEMA) IT programs lack support the agency needs in order to respond to major disasters, GAO finds.
FEMA faces challenges in governance and oversight, IT modernization, and workforce planning. While FEMA has an investment review board for its IT purchases, the roles are not clearly defined, leading to confusion on which IT programs are being purchased and used.
FEMA has also taken steps toward IT modernization, but its planning documents are incomplete. The report points to an example of a strategic IT plan for the chief information officer (CIO) which “describes the CIO’s mission, goals, and objectives through fiscal year 2016, but has not been updated since 2013.” The Office of the CIO is still drafting modernization plan as well, leaving the agency unable to advance until these plans are finalized.
Lastly, FEMA needs to address long-standing workforce management challenges. The agency has completed a workforce assessment on the skills of employees in the Office of the CIO, but has not acted on the recommendations following the assessment. GAO found “FEMA has less assurance that its IT workforce will have the skills needed to successfully manage its programs.”
GAO reviewed three emergency management programs, none of which had fully applied IT controls in the following areas: risk management, requirements development, project planning, and systems testing and integration. These programs have inconsistently applied these practices due to a lack of FEMA policies guiding successful use of key IT initiatives.
After Hurricane Katrina–the largest natural disaster in U.S. history–Congress passed the Post-Katrina Emergency Management Reform Act of 2006. The GAO report states, “This act required FEMA to address shortcomings identified in the preparation for and response to Katrina, including improving the agency’s IT programs, which are critical to its ability to respond to natural disasters and other emergencies.” GAO reviewed FEMA’s IT system improvement efforts, to see how they have progressed since Hurricane Katrina.
GAO recommends FEMA defines the role of its investment board; updates its plans for IT modernization; sticks to an established time frame and establishes guidelines for putting IT management controls to use.
Lastly, GAO laid out the following recommendations for Executive Action:
- Clearly define and carry out roles and responsibilities for the IT Governance Board.
- Determine the scope, strategy, and timeline for updating IT systems.
- Establish time frames for current and future IT workforce planning during modernization efforts.
- Identify problems before they occur with a risk management process.
- Establish a requirements management process.
- Define an overall budget and schedule, along with an approach to maintain these plans.
- Create a systems integration plan for all relevant participants.
- Determine guidelines for executing key management practices.