PII

CBP did not always protect MPC apps from cybersecurity threats.  This occurred because app version updates were not always scanned for vulnerabilities and CBP did not always identify vulnerabilities detected in scans.  CBP also did not complete seven required security and privacy compliance reviews of MPC apps because it did not establish a schedule for the reviews or track and centrally store review documentation.  In addition, CBP did not obtain the information needed for the reviews, had competing priorities, and did not ensure app developers created a process for a required internal audit.  Finally, CBP did not implement Department server configuration requirements for its MPC servers.  We made eight recommendations that, when implemented, should improve the security of CBP’s MPC program.  CBP concurred with all eight recommendations.

The Federal Emergency Management Agency did not properly award or oversee its contract with Corporate Lodging Consultants (CLC) to administer disaster survivors’ hotel stays.  These deficiencies occurred because FEMA officials did not ensure staff responsible for the Transitional Sheltering Assistance (TSA) contract award and oversight had the guidance and training they needed to be effective.  As a result, FEMA released personally identifiable information for about 2.3 million disaster survivors, increasing the survivors’ risk to identity theft.  We made six recommendations that when implemented should strengthen FEMA contracting and compliance with Federal Acquisition Regulations and DHS requirements.  FEMA concurred with all six of our recommendations.

DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.

Through the TSA program, FEMA provides transitional sheltering in hotels to disaster survivors displaced by emergencies or major disasters. TSA reduces the number of survivors in congregate emergency shelters by providing hotel lodging. During our ongoing audit of the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance (TSA) program, we determined that FEMA violated the Privacy Act of 19741 and Department of Homeland Security policy2 by releasing to the PII and SPII of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.3

This is a Department of Homeland Security, Office of Inspector General management alert to make the Federal Emergency Management Agency (FEMA) and its partners aware of active attempts — observed during our ongoing disaster oversight work in Puerto Rico — to profit from disaster survivors seeking FEMA assistance. We observed posted notices featuring a logo similar to FEMA’s, advertising paid services to complete the FEMA disaster assistance application on behalf of survivors. These services appear to be associated with FEMA, but actually are not, and demand a fee for services FEMA provides at no cost.

To complete the disaster assistance application forms, the paid service requires disaster survivors to provide their Personally Identifiable Information (PII) — such as their social security number, household annual income, and bank account numbers — to a third party, which exposes survivors to unnecessary risks.