Information Technology:

FEMA Needs to Address Management Weaknesses to Improve Its Systems

GAO-16-306: Published: Apr 5, 2016. Publicly Released: May 5, 2016.

Contact:

Carol R. Cha
(202) 512-4456
ChaC@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Federal Emergency Management Agency (FEMA) faces the following challenges in ensuring that its information technology (IT) programs adequately support the agency's ability to respond to major disasters:

Governance and oversight: FEMA established an investment review board to select and oversee IT investments, as called for by leading practices. But the board has not fully defined roles and responsibilities of key members, working groups, and individuals, and it does not have clearly defined procedures for selecting and overseeing investments. As a result, the agency lacks adequate visibility into and oversight of IT investment decisions and activities.

IT modernization: FEMA has begun to take steps to modernize its IT environment, but key planning documents are not current and complete. For example, the agency has an IT strategic plan and is currently drafting its modernization plan; however, the plans do not reflect the agency's current goals and objectives. Further, the IT strategic plan describes the Chief Information Officer's (CIO) mission, goals, and objectives through fiscal year 2016, but has not been updated since 2013. In addition, while the Office of the CIO is currently drafting the agency's IT modernization plan, including an implementation strategy and an overall schedule, it is not yet final. As a result, the agency is limited in its ability to move toward its goal to modernize its systems and eliminate duplicative IT investments.

Workforce planning: The agency has not yet established time frames to address long-standing workforce management challenges. For example, while it conducted a workforce assessment to identify skill levels of employees in the agency's Office of the CIO, it has not completed recommended actions called for by this assessment. In addition, its workforce planning efforts have not included an assessment of the many IT staff located in the agency's regions and other offices. Consequently, FEMA has less assurance that its IT workforce will have the skills needed to successfully manage its programs.

None of the three emergency management programs GAO selected for this review had fully implemented key IT management controls in the areas of risk management, requirements development, project planning, and systems testing and integration. Specifically, the three selected emergency management programs inconsistently implemented these practices by, for example, not always developing adequate risk mitigation plans, establishing processes for requirements management, developing and updating schedules and cost estimates, and ensuring complete and adequate system testing along with systems integration plans. These weaknesses were due, in part, to a lack of FEMA policies to guide programs in implementing these key IT management controls. Until FEMA fully establishes and implements such policies and controls, it has limited assurance that these programs will cost-effectively support its disaster response efforts.

Why GAO Did This Study

FEMA, a component agency of the Department of Homeland Security (DHS), leads federal efforts to mitigate, respond to, and recover from disasters. In the wake of Hurricane Katrina, the largest natural disaster in U.S. history, Congress passed the Post-Katrina Emergency Management Reform Act of 2006. This act required FEMA to address shortcomings identified in the preparation for and response to Katrina, including improving the agency's IT programs, which are critical to its ability to respond to natural disasters and other emergencies.

GAO was asked to review FEMA's IT system improvement efforts. This report (1) identifies challenges to ensuring the agency's IT systems adequately support its disaster response efforts and (2) assesses the extent to which FEMA has implemented key IT management controls for selected emergency management programs. GAO analyzed FEMA documentation (e.g., FEMA's Hurricane Sandy After-Action Report), interviewed officials, and assessed its implementation of IT management best practices for three selected programs.

What GAO Recommends

GAO recommends that FEMA fully define its investment board's roles and responsibilities and procedures for selecting and overseeing investments, update its strategic plan and complete plans for IT modernization, and establish time frames for completing workforce planning efforts. FEMA should also establish policies and guidance for implementing key IT management controls. DHS concurred with the recommendations.

For more information, contact Carol R. Cha at (202) 512-4456 or ChaC@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: The Department of Homeland Security concurred with this recommendation. In response, the department implemented the recommendation by establishing an IT Governance Board (ITGB) that serves as the primary structure for the Federal Emergency Management Agency's (FEMA) IT decision-making process. FEMA's ITGB charter defines the roles and responsibilities, as well as the procedures and guidelines for selection and management of the agency's IT Investment Portfolio. As a result, FEMA has better visibility into and oversight of the agency's IT investment decisions and activities.

    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to ensure that the IT Governance Board has fully defined and implemented its roles and responsibilities for key boards, working groups, and individuals, and procedures for selecting and overseeing IT investments.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: The Department of Homeland Security concurred with this recommendation and reported on actions taken to update its IT Modernization Plan, such as conducting cross-functional work sessions to establish an actionable implementation roadmap in line with agency priorities. However, as of April 2017, we have not yet obtained evidence that FEMA has fully updated its IT strategic plan and completed its modernization plan to address the weaknesses identified in our report. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.

    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to define the scope, implementation strategy, and schedule of the agency's overall modernization approach, with related goals and measures for effectively overseeing the effort. At a minimum, the agency should update its IT strategic plan and complete its modernization plan.

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement, our recommendation. For example, the department stated that FEMA completed the assessment of skills gaps and identified and prioritized the skills required to staff and sustain the core competencies required to successfully implement FEMA's IT modernization efforts. However, we have not yet validated the agency's actions to establish time frames for current and future IT workforce planning during its modernization efforts. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.

    Recommendation: To ensure that FEMA's IT systems can adequately support its ability to respond to major disasters, the Secretary of DHS should direct the FEMA Administrator to establish time frames for current and future IT workforce planning during its modernization efforts and ensure all regions and offices are included in these initiatives.

    Agency Affected: Department of Homeland Security

  4. Status: Closed - Implemented

    Comments: The Department of Homeland Security concurred with the recommendation. In response to our recommendation, FEMA implemented a risk management process to support the agency in identifying potential problems before they occur. For example, the agency's risk management approach, which is aligned with the DHS System Engineering Life Cycle and the Project Management Body of Knowledge Guide, follows a seven-step approach that addresses risk planning, identification, analysis and prioritization, mitigation, monitoring and closure. As a result, the agency should be better positioned to properly manage all program risks.

    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the Disaster Assistance Improvement Program (DAIP), Emergency Management Mission Integrated Environment (EMMIE), and Integrated Public Alert and Warning System (IPAWS) program offices, in conjunction with the FEMA CIO, to implement a robust risk management process that identifies potential problems before they occur.

    Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency

  5. Status: Closed - Implemented

    Comments: The Department of Homeland Security concurred with our recommendation. In response, FEMA implemented a requirements management process that generally addressed the weaknesses identified in our report. For example, FEMA's requirements management process includes guidance on eliciting stakeholder needs and transforming them into prioritized customer requirements; analyzing requirements to ensure that they are complete and verifiable; and validating the system as it is being developed. In addition, the process identifies how business, functional, and technical requirements will be identified, analyzed, documented and managed for each project. As a result, the agency should be better positioned to develop systems that will provide functionality that meets users' needs.

    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement a requirements management process to ensure requirements are well defined.

    Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency

  6. Status: Open

    Comments: The Department of Homeland Security concurred with our recommendation and, in response, updated its program management plans that support the program offices of the Disaster Assistance Improvement Plan, Emergency Management Mission Integrated Environment, and Integrated Public Alert and Warning System. The program plans addressed some of the weaknesses we identified in our report. For example, the program management plans identified and described the overall program management processes and methods to be used during all phases of projects and defined key deliverables and milestones, roles and responsibilities, staffing and training, and an approach for maintaining the plans. However, the plans did not clearly define the knowledge and skills needed to carry out the program or provide sufficient details on the budget and scheduling for the programs under review. We will follow up with the department to obtain supporting documentation and continue to monitor its progress in implementing this recommendation.

    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement complete program plans that define overall budget and schedule, key deliverables and milestones, assumptions and constraints, description and assignment of roles and responsibilities, staffing and training plans, and an approach for maintaining these plans.

    Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency

  7. Status: Open

    Comments: The Department of Homeland Security concurred with, and has taken steps to implement, our recommendation. For example, the department reported that the system owners for the DAIP, EMMIE, and IPAWS programs have updated their respective system integration plans to address the risks identified within the recommendation. In addition, the agency provided documentation such as the IPAWS Integrated Logistics Support Plan, as well as the quality control plan and test execution plans for both the DAIP and EMMIE programs. However, we have not yet completed our analysis and validated the agency's actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that FEMA adequately manages the selected emergency management systems, the FEMA Administrator should direct the DAIP, EMMIE, and IPAWS program offices, in conjunction with the FEMA CIO, to implement a system integration plan that includes all systems to be integrated with the system, roles and responsibilities for all relevant participants, the sequence and schedule for every integration step, and how integration problems are to be documented and resolved.

    Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency

  8. Status: Open

    Comments: The Department of Homeland Security concurred with the recommendation. In its November 2016 update, FEMA reported that the System Owners for DAIP, EMMIE, and IPAWS have updated their respective IT management program and plans and coordinated with the FEMA CIO to address the risks identified within the recommendation. However, we have not yet validated the agency's actions on this recommendation. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: As part of the effort of improving IT management at the three programs, the FEMA Administrator should direct the CIO to ensure that FEMA policy for managing IT programs includes guidance for implementing the key management practices.

    Agency Affected: Department of Homeland Security: Directorate of Emergency Preparedness and Response: Federal Emergency Management Agency