FEMA Did Not Always Secure Information Stored on Mobile Devices to Prevent Unauthorized Access

Submitting OIG:

Report Description:

The Federal Emergency Management Agency (FEMA) did not always secure information stored on mobile devices. Specifically, FEMA did not document whether it removed all data from mobile devices that were disposed of, lost or stolen, or taken on international travel. This occurred because FEMA did not ensure employees followed Department of Homeland Security policy and because FEMA did not have supplemental guidance with specific requirements for sanitizing lost or stolen mobile devices.

Date Issued:

Friday, July 7, 2023

Agency Reviewed / Investigated:

Department of Homeland Security

Submitting OIG-Specific Report Number:

OIG-23-32

Component, if applicable:

Federal Emergency Management Agency (FEMA)

Location(s):

Agency-Wide

Type of Report:

Audit

Questioned Costs:

Funds for Better Use:

Number of Recommendations:

Report updated under NDAA 5274:

Additional Details Link:

https://www.oig.dhs.gov/sites/default/files/assets/2023-07/OIG-23-32-Jul23.pdf

Recommendation Number	Recommendation Status	Significant Recommendation
1	Open	No
We recommend FEMA’s Chief Information Officer develop and implement a process, with specific roles and responsibilities, for sanitizing mobile devices prior to disposition.
2	Open	No
We recommend FEMA’s Chief Information Officer update existing guidance with the proper sanitization steps for all lost or stolen mobile devices.
3	Open	No
We recommend FEMA’s Chief Information Officer implement and formally communicate to employees the requirement to document sanitization of mobile devices taken outside the United States or its territories, on authorized travel upon employees’ return to the United States from such travel.
4	Open	No
We recommend FEMA’s Chief Information Officer update FEMA’s Response Playbook Standard Operating Procedure to comply with the Joint DHS Office of the Chief Security Officer and Office of the Chief Information Officer Guidance on Foreign Travel, requiring the disabling of all unauthorized mobile devices that have been taken on international travel.

Recommendation Number

Recommendation Status

Significant Recommendation

Additional Details

Open

We recommend FEMA’s Chief Information Officer develop and implement a process, with specific roles and responsibilities, for sanitizing mobile devices prior to disposition.

Open

We recommend FEMA’s Chief Information Officer update existing guidance with the proper sanitization steps for all lost or stolen mobile devices.

Open

We recommend FEMA’s Chief Information Officer implement and formally communicate to employees the requirement to document sanitization of mobile devices taken outside the United States or its territories, on authorized travel upon employees’ return to the United States from such travel.

Open

We recommend FEMA’s Chief Information Officer update FEMA’s Response Playbook Standard Operating Procedure to comply with the Joint DHS Office of the Chief Security Officer and Office of the Chief Information Officer Guidance on Foreign Travel, requiring the disabling of all unauthorized mobile devices that have been taken on international travel.

Search form

FEMA Did Not Always Secure Information Stored on Mobile Devices to Prevent Unauthorized Access

Related Open Recommendations