Skip to main content
U.S. flag

An official website of the United States government

Government Website

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Safely connect using HTTPS

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PII

  • CBP Has Placed Travelers' PII at Risk of Exploitation

    Executive Summary

    CBP did not always protect MPC apps from cybersecurity threats.  This occurred because app version updates were not always scanned for vulnerabilities and CBP did not always identify vulnerabilities detected in scans.  CBP also did not complete seven required security and privacy compliance reviews of MPC apps because it did not establish a schedule for the reviews or track and centrally store review documentation.  In addition, CBP did not obtain the information needed for the reviews, had competing priorities, and did not ensure app developers created a process for a required internal audit.  Finally, CBP did not implement Department server configuration requirements for its MPC servers.  We made eight recommendations that, when implemented, should improve the security of CBP’s MPC program.  CBP concurred with all eight recommendations.

    Report Number
    OIG-21-47
    Issue Date
    Document File
    DHS Agency
    Fiscal Year
    2021
  • FEMA Did Not Properly Award and Oversee the Transitional Sheltering Assistance Contract

    Executive Summary

    The Federal Emergency Management Agency did not properly award or oversee its contract with Corporate Lodging Consultants (CLC) to administer disaster survivors’ hotel stays.  These deficiencies occurred because FEMA officials did not ensure staff responsible for the Transitional Sheltering Assistance (TSA) contract award and oversight had the guidance and training they needed to be effective.  As a result, FEMA released personally identifiable information for about 2.3 million disaster survivors, increasing the survivors’ risk to identity theft.  We made six recommendations that when implemented should strengthen FEMA contracting and compliance with Federal Acquisition Regulations and DHS requirements.  FEMA concurred with all six of our recommendations.

    Report Number
    OIG-20-58
    Issue Date
    Document File
    DHS Agency
    Fiscal Year
    2020
  • Evaluation of DHS' Information Security Program for Fiscal Year 2018

    Executive Summary

    DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.

    Report Number
    OIG-19-60
    Issue Date
    Document File
    DHS Agency
    Oversight Area
    Fiscal Year
    2019
  • Management Alert - FEMA Did Not Safeguard Disaster Survivors' Sensitive Personally Identifiable Information (REDACTED)

    Executive Summary

    Through the TSA program, FEMA provides transitional sheltering in hotels to disaster survivors displaced by emergencies or major disasters. TSA reduces the number of survivors in congregate emergency shelters by providing hotel lodging. During our ongoing audit of the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance (TSA) program, we determined that FEMA violated the Privacy Act of 19741 and Department of Homeland Security policy2 by releasing to the PII and SPII of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017.3

    Report Number
    OIG-19-32
    Issue Date
    Document File
    DHS Agency
    Oversight Area
    Fiscal Year
    2019
  • Management Alert - FEMA Must Take Steps to Stop Those Attempting to Profit from Disaster Survivors Seeking Assistance in Puerto Rico

    Executive Summary

    This is a Department of Homeland Security, Office of Inspector General management alert to make the Federal Emergency Management Agency (FEMA) and its partners aware of active attempts — observed during our ongoing disaster oversight work in Puerto Rico — to profit from disaster survivors seeking FEMA assistance. We observed posted notices featuring a logo similar to FEMA’s, advertising paid services to complete the FEMA disaster assistance application on behalf of survivors. These services appear to be associated with FEMA, but actually are not, and demand a fee for services FEMA provides at no cost.

    To complete the disaster assistance application forms, the paid service requires disaster survivors to provide their Personally Identifiable Information (PII) — such as their social security number, household annual income, and bank account numbers — to a third party, which exposes survivors to unnecessary risks.

    Report Number
    OIG-18-30
    Issue Date
    Document File
    DHS Agency
    Oversight Area
    Fiscal Year
    2018