Noem terminates 24 FEMA workers for failing to address cyber vulnerabilities
Homeland Security Secretary Kristi Noem is terminating two dozen members of the Federal Emergency Management Agency’s IT department after the DHS agency said the employees failed to follow basic security protocols, which allowed hackers to access its networks.
Noem’s office said agency Chief Information Officer Charles Armstrong and Chief Information Security Officer Gregory Edwards were terminated, alongside 22 others. They could not be immediately reached for comment.
A routine cybersecurity review of FEMA’s systems uncovered the vulnerability, DHS said in a statement, which added that the vulnerability was addressed before any sensitive data could be pilfered from its systems.
The review “uncovered several severe lapses in security that allowed the threat actor to breach FEMA’s network and threaten the entire department and the nation as a whole,” DHS said.
An internal FEMA email dated August 18 obtained by Nextgov/FCW ordered all agency employees to change their passwords “due to recent cybersecurity incidents and threats.” It required password changes within two weeks of the email being sent. The email did not provide details about the security issues.
FEMA’s IT employees “resisted any efforts to fix the problem,” avoided scheduled inspections and “lied” to officials about the scope of the cyber vulnerabilities, the agency added.
“Failures included: an agency-wide lack of multi-factor authentication, use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility,” it said.
DHS was impacted in a sweeping, global hack involving Microsoft SharePoint products last month, Nextgov/FCW first reported. It’s not clear if FEMA — a DHS component office — was affected.