FEMA Grants Modernization: Improvements Needed to Strengthen Program Management and Cybersecurity
Fast Facts
FEMA awarded more than $22 billion in grants for four major disasters in 2017 alone. It manages these and other grants in numerous, disparate information technology systems that it has been attempting to modernize.
We reviewed FEMA's Grants Management Modernization program. Among other things, we found
The program's cost estimate in 2017 appeared to be sound but now must be updated
Its schedule is not realistic
It addressed some key cybersecurity practices but needs to improve how it assesses security controls and addresses known vulnerabilities
We made 8 recommendations, including that FEMA improve its schedule.
A photo of FEMA headquarters
Highlights
What GAO Found
Of six important leading practices for effective business process reengineering and information technology (IT) requirements management, the Federal Emergency Management Agency (FEMA) fully implemented four and partially implemented two for the Grants Management Modernization (GMM) program (see table). Specifically, FEMA ensured senior leadership commitment, took steps to assess its business environment and performance goals, took recent actions to track progress in delivering IT requirements, and incorporated input from end user stakeholders. However, FEMA has not yet fully established plans for implementing new business processes or established complete traceability of IT requirements.
Extent to Which the Federal Emergency Management Agency Implemented Selected Leading Practices for Business Process Reengineering and Information Technology (IT) Requirements Management for the Grants Management Modernization Program
|
Leading practice |
Overall area rating |
|
Ensure executive leadership support for process reengineering |
● |
|
Assess the current and target business environment and business performance goals |
● |
|
Establish plans for implementing new business processes |
◑ |
|
Establish clear, prioritized, and traceable IT requirements |
◑ |
|
Track progress in delivering IT requirements |
● |
|
Incorporate input from end user stakeholders |
● |
Legend: ●=Fully implemented, ◑=Partially implemented, ○=Not implemented.
Source: GAO analysis of Federal Emergency Management Agency documentation. | GAO-19-164
Until FEMA fully implements the remaining two practices, it risks delivering an IT solution that does not fully modernize FEMA's grants management systems.
While GMM's initial May 2017 cost estimate of about $251 million was generally consistent with leading practices for a reliable, high-quality estimate, it no longer reflects current assumptions about the program. FEMA officials stated in December 2018 that they had completed a revised cost estimate, but it was undergoing departmental approval. GMM's program schedule was inconsistent with leading practices; of particular concern was that the program's final delivery date of September 2020 was not informed by a realistic assessment of GMM development activities, and rather was determined by imposing an unsubstantiated delivery date. Developing sound cost and schedule estimates is necessary to ensure that FEMA has a clear understanding of program risks.
Of five key cybersecurity practices, FEMA fully addressed three and partially addressed two for GMM. Specifically, it categorized GMM's system based on security risk, selected and implemented security controls, and monitored security controls on an ongoing basis. However, the program had not initially established corrective action plans for 13 medium- and low-risk vulnerabilities. This conflicts with the Department of Homeland Security's (DHS) guidance that specifies that corrective action plans must be developed for every weakness identified. Until FEMA, among other things, ensures that the program consistently follows the department's guidance on preparing corrective action plans for all security vulnerabilities, GMM's system will remain at increased risk of exploits.
Why GAO Did This Study
FEMA, a component of DHS, annually awards billions of dollars in grants to help communities prepare for, mitigate the effects of, and recover from major disasters. However, FEMA's complex IT environment supporting grants management consists of many disparate systems. In 2008, the agency attempted to modernize these systems but experienced significant challenges. In 2015, FEMA initiated a new endeavor (the GMM program) aimed at streamlining and modernizing the grants management IT environment.
GAO was asked to review the GMM program. GAO's objectives were to (1) determine the extent to which FEMA is implementing leading practices for reengineering its grants management processes and incorporating needs into IT requirements; (2) assess the reliability of the program's estimated costs and schedule; and (3) determine the extent to which FEMA is addressing key cybersecurity practices. GAO compared program documentation to leading practices for process reengineering and requirements management, cost and schedule estimation, and cybersecurity risk management, as established by the Software Engineering Institute, National Institute of Standards and Technology, and GAO.
Recommendations
GAO is making eight recommendations to FEMA to implement leading practices related to reengineering processes, managing requirements, scheduling, and implementing cybersecurity. DHS concurred with all recommendations and provided estimated dates for implementing each of them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the GMM program management office finalizes the organizational change management plan and time frames for implementing change management actions. (Recommendation 1) |
Closed – Implemented
In June 2020, FEMA finalized and received approval for its change management plan and time frames for implementing change management actions. Among other things, this plan defined GMM stakeholder events, training delivery methods, and the associated dates for when these activities would take place. By taking these steps to establish an organizational change management plan and time frames for communicating the transition details to its customers prior to each transition, FEMA is better prepared to transition from the legacy grant systems to GMM, as intended. These actions also increase the likelihood that stakeholders will support the implementation of new grants management processes.
|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the GMM program management office plans and communicates its detailed transition activities to its affected customers before they transition to GMM and undergo significant changes to their processes. (Recommendation 2) |
Closed – Implemented
From July through November 2019, FEMA had used plans, briefings, and webinars to communicate detailed transition activities (e.g., training and stakeholder outreach) to the two customers that were undergoing transition to the new system--Assistance to Firefighters Grants and Hazard Mitigation. Additionally, officials indicated that these planning and communication methods would be reused for future GMM customers. As a result, FEMA has greater assurance that stakeholders will support the new changes and the transition to GMM will occur as intended.
|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the GMM program management office implements its planned changes to its processes for documenting requirements for future increments and ensures it maintains traceability among key IT requirements documents. (Recommendation 3) |
Closed – Implemented
In January 2020, FEMA revised its process to document GMM's future increment-level requirements into a single document, called the product roadmap. This product roadmap shows the planned increment-level requirements to be delivered to stakeholders over the next nine months, and is to be updated with stakeholders on a quarterly basis. By maintaining a single place to document planned requirements, FEMA no longer needs to ensure traceability among different requirements documents, and has greater assurance that stakeholders will have a clear understanding of what is to be delivered in upcoming increments.
|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the GMM program management office updates the program schedule to address the leading practices for a reliable schedule identified in this report. (Recommendation 4) |
Closed – Implemented
The GMM program management office updated the program schedule to address leading practices for a reliable schedule. Specifically, in February 2020, FEMA provided us with a demonstration of the new schedule captured in schedule management software tools. GMM officials also updated the Program Management Plan to describe GMM's revised schedule management process. Based on the demonstration of the updated GMM schedule and documents provided, we concluded that the quality of the schedule had largely improved since our last review. While GMM did not address all aspects of the scheduling best practices, GAO believes that the program has made substantial enough improvements to justify closure of this recommendation. By taking these steps to establish a reliable schedule, FEMA is better prepared to forecast whether its system delivery goals for GMM are realistic and has empowered leadership to make more informed resource decisions.
|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the FEMA Office of the Chief Information Officer (OCIO) defines sufficiently detailed planned evaluation methods and actual evaluation methods for assessing security controls. (Recommendation 5) |
Closed – Implemented
In response to our recommendation, in February 2022, FEMA demonstrated that it updated its approach for documenting detailed test plans for assessing security controls for its systems. For example, FEMA provided us with, among other things, the security assessment plan, security assessment report, and a test analysis summary for another FEMA system called the Tririga Real Estate Management System (TREMS). These documents identified detailed planned evaluation methods and the actual evaluation methods that were used for assessing the system's security controls. By taking these steps to define sufficiently detailed planned evaluation methods and actual evaluation methods for assessing security controls, FEMA is able to ensure compliance with DHS standards and ensure that security assessment procedures fit a program's unique mission and needs.
|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the FEMA OCIO approves a security assessment plan before security assessment reviews are conducted. (Recommendation 6) |
Closed – Implemented
In April 2019, DHS's System Security Authorization Process Guide was updated to state that the Security Assessment Plan must be evaluated and approved before conducting the security assessment. In January 2021, FEMA provided documentation that the Security Assessment Plan had been approved by a CIO delegate. By taking steps to approve the security assessment plan before security assessment reviews were conducted, GMM reduced the risk of inconsistencies between the plan and security objectives of the organization.
|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the GMM program management office follows DHS guidance on preparing corrective action plans for all security vulnerabilities. (Recommendation 7) |
Closed – Implemented
GMM has taken steps to follow DHS guidance on preparing corrective action plans for all security vulnerabilities. In August 2020 and January 2021, FEMA officials provided evidence of corrective action plans that they developed to address security vulnerabilities. For example, their plans include conducting automated vulnerability scans on a continuous basis, and the continual tracking and monitoring vulnerabilities. By implementing this recommendation, FEMA is better prepared to address and remediate GMM's security weaknesses and reduce the risk of potential exploits.
|
| Federal Emergency Management Agency | The FEMA Administrator should ensure that the GMM program management office fully tests all of its security controls for the system. (Recommendation 8) |
Closed – Implemented
In September 2023, FEMA demonstrated that it fully tested the security controls for the GMM system. For example, in September 2023, FEMA provided us with an updated GMM system security plan and a high-level report of the security control test results. By taking these steps to test all of the security controls for GMM, FEMA reduced the risk of exposing the system to potential exploits.
|