DHS disaster-response database falls short

IG cites lack of security, continuity plans

The Homeland Security Department's primary database for emergency preparedness and response lacks adequate continuity-of-operations plans and protections for sensitive data, DHS' inspector general has concluded in a new report.

Run by the department's Emergency Preparedness and Response Directorate, the National Emergency Management Information System (NEMIS) tracks incident coordination efforts. Officials use the database for activities such as managing disbursements to disaster victims and spending on recovery efforts at the federal and state levels.

Richard Skinner, DHS' IG, wrote in the report released Nov. 7 that "due to database security exposures, there is an increased risk that unauthorized individuals could gain access to critical [Emergency Preparedness and Response] database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data." He noted that the directorate might not be able to recover the database after a disaster.

The report is another black eye for the directorate that includes the Federal Emergency Management Agency and oversees national efforts to prepare for and respond to disasters. Congress and the public recently criticized DHS and FEMA for their response to Hurricane Katrina, which devastated the Gulf Coast in August.

The IG's report recommends that Barry West, FEMA's chief information officer, fix all remaining vulnerabilities and guarantee that appropriate access-control measures are in place. The CIO's office should also create and implement annual contingency training and testing programs, the IG report states.

In his written response -- which was dated Aug. 10, nearly three weeks before Katrina hit New Orleans -- West said his office had implemented 71 of the 100 security improvements the IG had suggested. West said the report spurred him to mandate annual independent security assessments of NEMIS starting in fiscal 2006.

NEMIS' lack of data security could put thousands of Americans' personal information at risk, said Jennifer Kerber, director of homeland security at the Information Technology Association of America.

The lack of sufficient security and backup procedures for NEMIS data is alarming but not entirely surprising, Kerber said. Poor access control has led to major data breaches in the private sector, she said. "You would find a lot of places don't have as secure a database as they think they do," she added.

"I'm surprised, if [NEMIS] is responsible for that amount of activity, [that] it is not more well-protected," said Mark Ghilarducci, vice president of James Lee Witt Associates, an emergency-management consulting firm. Previously, Ghilarducci was a deputy director at the Governor's Office of Emergency Services in California.

During emergencies, FEMA hires thousands of temporary workers who need access to NEMIS and other computer systems, Ghilarducci said. The directorate needs to create a robust gatekeeping system and ensure that users cannot access the systems after they leave FEMA, he said.

The directorate also should conduct thorough audits of its IT systems to prevent attacks, Ghilarducci said. European hackers once hid pornography on Office of Emergency Services' servers, he said, but the diligence of the IT security staff led to the discovery and removal of the material. Without conscientious auditing, NEMIS might not find that kind of intrusion as quickly, he said.

In its defense, Ghilarducci said, FEMA is suffering from a loss of expertise and funding. "There's no excuse for [their NEMIS performance], but I understand the challenges they face," he said.

Database deficiency diagnosis

The Homeland Security Department's inspector general has found a number of security weaknesses in how DHS' Emergency Preparedness and Response Directorate manages one of its primary databases, the National Emergency Management Information System (NEMIS).

The IG found that the directorate:

  • Lacks effective processes to ensure only the right people have proper access to NEMIS. The system's servers have vulnerabilities associated with access rights, password administration, configuration management and other issues. Those vulnerabilities could make NEMIS operations and data susceptible to cyberattacks.

  • Lacks sufficient procedures to audit NEMIS operations, which increases the risk that the directorate would not be able to detect or quickly investigate illegal access or malicious changes to data.

  • Has not tested the information technology contingency plan for NEMIS or trained employees to use that plan and does not store NEMIS backup tapes in waterproof and fireproof containers.

  • Fails to comply with four requirements of the Federal Information Security Management Act of 2002 and with DHS' overall security policies, procedures and practices.

    -- Michael Arnone

  • The 2014 Federal 100

    FCW is very pleased to profile the women and men who make up this year's Fed 100. 

    Reader comments

    Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

    Please type the letters/numbers you see above