FEMA is now part of the DHS's Emergency Preparedness and Response (EP&R) Directorate.
Although the agency, which came under fire for its slow response to Hurricane Katrina in late August, has developed and maintained many essential security controls for NEMIS, more work needs to be done to protect the database, according to Skinner's report.
Specifically, FEMA hasn't implemented effective procedures for granting, monitoring and removing user access, nor has it conducted contingency training or testing, Skinner said. In addition, vulnerabilities were found on NEMIS servers related to access rights and password administration.
NEMIS allows incident tracking and coordination, is used by individuals and small businesses that apply for federal assistance, and processes requests from states for funding of hazard mitigation projects.
"Due to these database security exposures, there is an increased risk that unauthorized individuals could gain access to critical EP&R database resources and compromise the confidentiality, integrity and availability of sensitive NEMIS data," Skinner wrote in the report. "In addition, EP&R may not be able to recover NEMIS following a disaster."