FEMA employees brought government devices abroad without authorization, including to China and Iraq, document shows
The Federal Emergency Management Agency Office of the Chief Information Officer has tracked scores of employees bringing government mobile devices abroad, including to countries like China and Iraq, without authorization, according to a document obtained by FedScoop.
The issue was highlighted in a DHS inspector general’s report published last July that pointed to concerns about how the emergency management agency handles the security of government-issued mobile devices.
Among other issues, the report centered on concerns with international travel. FEMA policies stipulate that employees cannot bring government devices abroad, while DHS policy requires the use of loaner devices and that any device detected internationally (without authorization) is turned off. The inspector general found that FEMA was not effectively tracking whether data on devices taken on international travel had been wiped.
FEMA is still working on fixes, originally expected in December of last year, to address the issue, which heightens security risks and violates broader Department of Homeland Security mobile device policy.
The document obtained by FedScoop similarly shows scores of devices detected abroad by FEMA. Many of them were tracked in countries that Americans commonly visit for vacation, including the Dominican Republic, the United Kingdom, and Mexico. But the list — which displays devices that had access restricted and were then beginning to be investigated after being used abroad — also shows that employees brought government devices to countries that fall under the International Traffic in Arms Regulation country list.
The document provides some insight into how FEMA handles the issue. While most of the incidents are unlabeled, some note that a case was investigated, that there was a tracking action, or a request for comment was issued, a spokesperson for FEMA told FedScoop. The document also displays dates that refer to when there was an update to the device in DHS’s Enterprise Incident Database, or ECOP, portal.
“If you’re a large government organization, I think it’s always better to err on the side of safety and caution and preparation and training rather than have employees not know the potential risks,” said Kristin del Rosso, the public sector field chief technology officer at Sophos, a security and hardware firm. “There are different countries that have different rules [and] some don’t respect personal privacy… If you’re in a customs border zone [and] you don’t have access to your devices, they can do what they want with those devices.”
She said the OIG report didn’t raise “massive alarm bells” but it was good the agency was addressing the problem.
Notably, in February 2022, the Federal CIO Council released the final version of its guidance for international travel and government devices. The guidance establishes that government devices taken abroad risk being stolen, compromised, or damaged physically — while also potentially exposing personal and government application data and account information. A blog announcing the guidance noted that both government and industry employees could be targeted by foreign adversaries looking to procure government data.
For a sense of scope, FEMA maintains tens of thousands of mobile devices, the OIG report outlines. The agency uses a cloud-based management system for monitoring the data on these devices, as well as connecting them to FEMA’s network. One particular branch of the agency’s Office of Chief Information Officer, the Mobility Service Center, is in charge of sanitizing devices that encounter security concerns, while another section called the Security Operations Center is supposed to detect devices abroad.
Ultimately, the OIG report found that 227 mobile devices without authorization were detected by FEMA internationally, and, that within a sample of nine, only two were turned off — those two were on the ITAR list. FEMA did not provide the OIG any documentation as to whether those devices were sanitized, according to the report. The audit looked at mobile device management between October 2020 and April 2022 — a somewhat distinct source of data from the one obtained by FedScoop, which came from the OCIO and includes incidents between October 2021 and June 2022. Still, the OIG document also shows that employees took devices to countries like China and Iraq.
A FEMA spokesperson said: “DHS and FEMA are committed to continuously improving our cybersecurity posture to ensure information stored on mobile devices remains secure while supporting employee productivity. We take this matter seriously and have protocols and tools in place to ensure devices are used securely and in accordance with policy, regardless of location. We recognize the sensitivity around devices being taken to countries with heightened security risks and have specific procedures for when employees travel with government devices.”
To deal with this problem, FEMA concurred with several recommendations made by the DHS OIG in the report, including implementing new documentation of device wiping, modifying mobile technology sanitization procedures, communicating requirements to sanitize devices taking on authorized international travel, and updating FEMA’s response playbook procedure to require disabling devices taken abroad without authorization.
But while FEMA initially said it would complete those recommendations by the end of 2023, an agency spokesperson told FedScoop that completing them is still an “ongoing process.” The DHS OIG did not confirm whether it had received an update from FEMA about its progress. The Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget both declined to comment and directed FedScoop to FEMA.
“We take this matter seriously and have protocols and tools in place to ensure devices are used securely and in accordance with policy, regardless of location,” said a spokesperson for DHS in a statement to FedScoop. “We recognize the sensitivity around devices being taken to countries with heightened security risks and have specific procedures for when employees travel with government devices. “
The DHS spokesperson continued: “We appreciate DHS OIG’s work which showed that there have been inconsistencies in following these policies and procedures in the past. FEMA has completed work to address each recommendation in OIG’s July report and expects these recommendations to be resolved and closed following OIG’s review of our documentation.”
