cross-posted from: https://programming.dev/post/36577114
FEMA Chief Information Officer (CIO) Charles Armstrong, Chief Information Security Officer (CISO) Gregory Edwards, and 22 other FEMA IT employees directly responsible were immediately terminated.
While conducting a routine cybersecurity review, the DHS Office of the Chief Information Officer (OCIO) discovered significant security vulnerabilities that gave a threat actor access to FEMA’s network. The investigation uncovered several severe lapses in security that allowed the threat actor to breach FEMA’s network and threaten the entire Department and the nation as a whole.
The entrenched bureaucrats who led FEMA’s IT team for decades resisted any efforts to fix the problem. Instead, they avoided scheduled inspections and lied to officials about the scope and scale of the cyber vulnerabilities.
Failures included: an agency-wide lack of multi-factor authentication, use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility.
FEMA spent nearly half a billion dollars on IT and cybersecurity measures in Fiscal Year 2025 alone and delivered virtually nothing for the American people. Despite burning hundreds of millions of taxpayer dollars, FEMA’s IT leadership still neglected its basic duties and exposed the entire Department to cyberattacks.
And we’re just supposed to trust the word of a partisan hack. Ya, no.
I do get that there is a lot of intransigence in Federal IT. I was an IT and IS contractor for a couple sites within the US FedGov and there were places where “that’s the way we’ve always done it” was the trump card for any proposed change. And this led to some abysmal security practices which should have resulted in a lot of management getting shown the door (and mostly not just IT/IS management, culture gets set from the top). And I’ve worked at others where we had a large staff of folks whose entire job was ensuring compliance with all required cybersecurity controls and documentation. While I’ll be one of the first to state that compliance is not security, I also have yet to see a site which got security mostly right which didn’t also have compliance on lock. If you are doing things the right way, compliance is actually pretty easy to achieve, since good documentation is the foundation of security. If you go into a site and they can’t even spell CMDB, expect a shitshow.
So ya, if the DHS team went to FEMA’s IT team and started asking for network diagrams, data flow diagrams, system and network baseline checklists and system documentation, and the FEMA IT team’s response was, “sorry, we don’t have that,” then yes, I would get cleaning house. Though, I’d have started by figuring out if the problem is the IT team just not getting it done, or if the IT team was prevented from getting it done. My experience has been that IT teams are willing to patch and correct configurations; but this means downtime and risk to applications. So, upper management will side with the application owners who want five nines uptime on a “best effort” budget, which ends up blocking patching and configuration changes. Also, if the IT team is spending 40 hours a week putting out fires and dealing with the blow-back from accumulated technical debt, that’s an upper management problem.
The problem, of course, is that the DHS is led by a two-bit partisan hack. And this administration is known for straight up lying to clear the board for its own partisan interests. I have zero faith that they did any sort of good faith analysis of the FEMA IT department. Especially since this is the same administration which gave us Russian-compromised DOGE servers.