He called on FEMA to make sure adequate controls over user access to NEMIS are put in place and urged it to implement an IT contingency training and testing program for NEMIS. He also said FEMA needs to develop corrective action plans to address the vulnerabilities and weaknesses Skinner found.

In response to a draft of the report, FEMA officials agreed with Skinner's recommendations and said they are moving to correct the deficiencies. Even so, Skinner said FEMA did not offer up a specific plan to address 56 deficiencies, and noted that EP&R has not fully aligned its security program with DHS's overall policies, procedures or practices.

"For example, security controls had not been tested in over a year; a contingency plan has not been tested; security control costs have not been integrated into the life cycle of the system; and system and database administrators have not obtained specialized security training," Skinner wrote.

The NEMIS database, which was implemented in 1998, was designed and developed by Fairfax, Va.-based Anteon Corp., using Oracle Corp.'s relational database management system. Although that information was redacted from Skinner's report, it was available at Anteon's Web site.

NEMIS replaced FEMA's legacy system with a fully integrated client/server architecture consisting of more than 31 networked servers installed nationwide, according to Anteon.