The Federal Emergency Management Agency’s (FEMA’s) Grants Management Modernization (GMM) program needs to implement better reengineering processes, management requirements, and cybersecurity practices, the Government Accountability Office (GAO) said.
FEMA initiated GMM in 2015 to streamline and modernize its grants management IT environment, which is currently highly complex and has many stakeholders, IT systems, and users. More specifically, the environment has 25 active disaster and non-disaster grant programs that are grouped into 12 grant categories. With about 5,000 internal users and hundreds of thousands of external users on FEMA’s grants management system, GAO reviewed GMM to make sure it meets sufficient IT and cybersecurity requirements.
GAO examined FEMA’s practices for its business process reengineering and IT requirements management for its grants management system, and it found that FEMA fully implemented four of the six requirements but only partially implemented two: establishing plans for implementing new business processes and establishing clear, prioritized IT requirements.
In addition to unclear planning and IT requirements, FEMA also has shortfalls in GMM’s cybersecurity practices. GAO assessed these practices based on the National Institute of Standards and Technology cybersecurity guidelines and found that, of five key cybersecurity areas, FEMA fully met only three.
Namely, FEMA only partially met the last two requirements – assessing security controls and obtaining authorization to operate its system.
GAO also found that FEMA doesn’t have a current cost estimate or reliable schedule for delivering GMM. Although FEMA had an initial cost estimate for GMM, delays and price fluctuations have made those initial concrete plans unreliable.
GAO made eight recommendations based on its findings, which broadly suggest that FEMA implement better practices relating to reengineering processes, managing requirements, scheduling, and establishing cybersecurity controls.
“Until the GMM program finalizes plans and time frames for implementing its organizational change management actions, plans and communicates system transition activities, and maintains clear traceability of IT requirements, FEMA will be limited in its ability to provide streamlined grants management processes and effectively deliver a modernized IT system to meet the needs of its large range of users,” GAO said.