DHS disaster-response database falls short

IG cites lack of security, continuity plans

The Homeland Security Department's primary database for emergency preparedness and response lacks adequate continuity-of-operations plans and protections for sensitive data, DHS' inspector general has concluded in a new report.

Run by the department's Emergency Preparedness and Response Directorate, the National Emergency Management Information System (NEMIS) tracks incident coordination efforts. Officials use the database for activities such as managing disbursements to disaster victims and spending on recovery efforts at the federal and state levels.

Richard Skinner, DHS' IG, wrote in the report released Nov. 7 that "due to database security exposures, there is an increased risk that unauthorized individuals could gain access to critical [Emergency Preparedness and Response] database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data." He noted that the directorate might not be able to recover the database after a disaster.

The report is another black eye for the directorate that includes the Federal Emergency Management Agency and oversees national efforts to prepare for and respond to disasters. Congress and the public recently criticized DHS and FEMA for their response to Hurricane Katrina, which devastated the Gulf Coast in August.

The IG's report recommends that Barry West, FEMA's chief information officer, fix all remaining vulnerabilities and guarantee that appropriate access-control measures are in place. The CIO's office should also create and implement annual contingency training and testing programs, the IG report states.

In his written response -- which was dated Aug. 10, nearly three weeks before Katrina hit New Orleans -- West said his office had implemented 71 of the 100 security improvements the IG had suggested. West said the report spurred him to mandate annual independent security assessments of NEMIS starting in fiscal 2006.

NEMIS' lack of data security could put thousands of Americans' personal information at risk, said Jennifer Kerber, director of homeland security at the Information Technology Association of America.

The lack of sufficient security and backup procedures for NEMIS data is alarming but not entirely surprising, Kerber said. Poor access control has led to major data breaches in the private sector, she said. "You would find a lot of places don't have as secure a database as they think they do," she added.

"I'm surprised, if [NEMIS] is responsible for that amount of activity, [that] it is not more well-protected," said Mark Ghilarducci, vice president of James Lee Witt Associates, an emergency-management consulting firm. Previously, Ghilarducci was a deputy director at the Governor's Office of Emergency Services in California.

During emergencies, FEMA hires thousands of temporary workers who need access to NEMIS and other computer systems, Ghilarducci said. The directorate needs to create a robust gatekeeping system and ensure that users cannot access the systems after they leave FEMA, he said.

The directorate also should conduct thorough audits of its IT systems to prevent attacks, Ghilarducci said. European hackers once hid pornography on Office of Emergency Services' servers, he said, but the diligence of the IT security staff led to the discovery and removal of the material. Without conscientious auditing, NEMIS might not find that kind of intrusion as quickly, he said.

In its defense, Ghilarducci said, FEMA is suffering from a loss of expertise and funding. "There's no excuse for [their NEMIS performance], but I understand the challenges they face," he said.

Database deficiency diagnosis

The Homeland Security Department's inspector general has found a number of security weaknesses in how DHS' Emergency Preparedness and Response Directorate manages one of its primary databases, the National Emergency Management Information System (NEMIS).

The IG found that the directorate:

  • Lacks effective processes to ensure only the right people have proper access to NEMIS. The system's servers have vulnerabilities associated with access rights, password administration, configuration management and other issues. Those vulnerabilities could make NEMIS operations and data susceptible to cyberattacks.

  • Lacks sufficient procedures to audit NEMIS operations, which increases the risk that the directorate would not be able to detect or quickly investigate illegal access or malicious changes to data.

  • Has not tested the information technology contingency plan for NEMIS or trained employees to use that plan and does not store NEMIS backup tapes in waterproof and fireproof containers.

  • Fails to comply with four requirements of the Federal Information Security Management Act of 2002 and with DHS' overall security policies, procedures and practices.

    -- Michael Arnone

  • Featured

    • Telecommunications
      Stock photo ID: 658810513 By asharkyu

      GSA extends EIS deadline to 2023

      Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

    • Workforce
      Shutterstock image ID: 569172169 By Zenzen

      OMB looks to retrain feds to fill cyber needs

      The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

    • Acquisition
      GSA Headquarters (Photo by Rena Schild/Shutterstock)

      GSA to consolidate multiple award schedules

      The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

    Stay Connected

    FCW Update

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.