FEMA Cybersecurity Case Study

A deep-dive into the FEMA cybersecurity scandal. Discover the 'four embarrassing failures' that led to a mass firing and the urgent lessons for government agencies worldwide.
Sep 15, 2025

A Systemic Failure of the Basics

SOURCE: Trescudo Intelligence • Author: Evangeline Smith, MarCom • September 15, 2025

1. The Discovery: An Audit Uncovers a Crisis

In late August 2025, the U.S. Department of Homeland Security (DHS) made a stunning announcement: a routine internal cybersecurity audit of the Federal Emergency Management Agency (FEMA) had uncovered "massive cyber failures" and evidence of an active breach.

The audit, ordered by DHS Secretary Kristi Noem, was part of a broader review of FEMA's operations. What it found was not a sophisticated, zero-day attack, but a complete and systemic breakdown of the most fundamental cybersecurity controls, which had allowed a threat actor to gain access to FEMA's network.

2. The "Four Embarrassing Failures"

The public statements from DHS and subsequent reporting from credible outlets like Nextgov/FCW and CyberInsider confirmed the exact failures Shawnee Delaney highlighted. These were not complex, high-level issues, but a "brazen neglect" of security 101.

  • No Multi-Factor Authentication (MFA): The audit revealed an "agency-wide lack of multi-factor authentication." This is the digital equivalent of leaving the front door unlocked. Without MFA, a single compromised password (phished, reused from another breach, or guessed) is all an attacker needs to gain initial access, a failure that is inexcusable in any modern organisation, let alone a critical government agency. The practitioner's caveat is that MFA is a floor, not a ceiling: push-notification and one-time-code factors can still be phished or fatigued, which is why current federal guidance favours phishing-resistant methods such as PIV smart cards and FIDO2 keys.

  • Prohibited Legacy Protocols: FEMA's networks were still using "prohibited legacy protocols." The public statements quoted here do not name them, but protocols end up on prohibited lists for predictable reasons: they send credentials or session data in the clear, rely on broken cryptography, or cannot carry a second authentication factor at all, which means keeping them enabled quietly undoes the MFA control above. Leaving them active is like leaving a secret, unguarded tunnel into your fortress.

  • Known Vulnerabilities Left Wide Open: The agency had failed to patch "known and critical vulnerabilities." This demonstrates a catastrophic breakdown in basic vulnerability management: the flaws were already published, already exploited in the wild, and already subject to remediation deadlines. The attackers didn't need to invent a new way in; they simply walked through doors that FEMA knew were unlocked and had failed to secure.

  • Zero Visibility: The audit found "inadequate operational visibility." This means the security team was effectively blind. They lacked the tools and processes to see what was happening on their own network (which hosts existed, which were reporting telemetry, who was signing in and how), making it nearly impossible to detect an intruder's presence or respond to an attack in real time.
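None of the four failures above requires specialised tooling to spot; each is a query over data most organisations already hold. The script below is an added example (not code from the original article, DHS or FEMA) that runs the four checks over constructed sign-in events and host-inventory records. The prohibited-protocol list, the 24-hour telemetry window, and the record format are assumptions chosen for illustration; the CVE identifiers are real entries from CISA's Known Exploited Vulnerabilities catalog, used as a stand-in for the full feed.

```python
"""Audit sign-in and host records for the four control gaps cited in the
DHS audit of FEMA: missing MFA, prohibited legacy protocols, unpatched
known-exploited vulnerabilities, and hosts that have gone silent.

All inputs below are constructed for illustration; the policy constants
are assumptions, not any agency's actual lists.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional

# Assumption: authentication/transport protocols the organisation prohibits.
PROHIBITED_PROTOCOLS = {"ntlmv1", "smbv1", "telnet", "ftp", "pop3", "imap-basic"}
# Real CVE IDs from CISA's KEV catalog, a stand-in for the complete feed.
KNOWN_EXPLOITED = {"CVE-2017-0144", "CVE-2019-0708", "CVE-2021-44228", "CVE-2023-4966"}
# Assumption: a host that has not reported telemetry within this window is a visibility gap.
MAX_TELEMETRY_SILENCE = timedelta(hours=24)


@dataclass(frozen=True)
class SignIn:
    user: str
    protocol: str   # e.g. "saml", "kerberos", "ntlmv1"
    mfa: bool       # whether a second factor was presented
    success: bool


@dataclass(frozen=True)
class Host:
    name: str
    open_cves: FrozenSet[str]            # CVEs a scanner reports as unpatched
    last_telemetry: Optional[datetime]   # None means the host has never reported


@dataclass(frozen=True)
class Finding:
    control: str   # "mfa", "legacy-protocol", "unpatched-kev" or "visibility"
    subject: str
    detail: str


def users_without_mfa(signins: Iterable[SignIn]) -> List[str]:
    """Accounts that completed at least one successful sign-in with no MFA."""
    return sorted({s.user for s in signins if s.success and not s.mfa})


def legacy_protocol_use(signins: Iterable[SignIn]) -> Dict[str, int]:
    """Sign-in count per prohibited protocol; failures count too, since the
    protocol being reachable at all is the finding."""
    counts: Dict[str, int] = {}
    for s in signins:
        proto = s.protocol.lower()
        if proto in PROHIBITED_PROTOCOLS:
            counts[proto] = counts.get(proto, 0) + 1
    return counts


def unpatched_kev(hosts: Iterable[Host], kev: FrozenSet[str] = frozenset(KNOWN_EXPLOITED)) -> Dict[str, List[str]]:
    """Hosts whose open CVEs intersect the known-exploited set."""
    return {h.name: sorted(h.open_cves & kev) for h in hosts if h.open_cves & kev}


def silent_hosts(hosts: Iterable[Host], now: datetime,
                 max_silence: timedelta = MAX_TELEMETRY_SILENCE) -> List[str]:
    """Hosts with no telemetry inside the allowed window (or none ever)."""
    return sorted(h.name for h in hosts
                  if h.last_telemetry is None or now - h.last_telemetry > max_silence)


def audit(signins: List[SignIn], hosts: List[Host], now: datetime) -> List[Finding]:
    """Run all four checks and return one Finding per gap, grouped by control."""
    findings: List[Finding] = []
    for user in users_without_mfa(signins):
        findings.append(Finding("mfa", user, "successful sign-in without MFA"))
    for proto, n in sorted(legacy_protocol_use(signins).items()):
        findings.append(Finding("legacy-protocol", proto, f"{n} sign-in(s) over prohibited protocol"))
    for host, cves in sorted(unpatched_kev(hosts).items()):
        findings.append(Finding("unpatched-kev", host, "open KEV entries: " + ", ".join(cves)))
    for host in silent_hosts(hosts, now):
        findings.append(Finding("visibility", host, "no telemetry within the allowed window"))
    return findings


# Constructed sample data (not real FEMA users, hosts or events).
NOW = datetime(2025, 8, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE_SIGNINS = [
    SignIn("alice", "saml", mfa=True, success=True),
    SignIn("bob", "kerberos", mfa=False, success=True),
    SignIn("carol", "ntlmv1", mfa=False, success=True),
    SignIn("dave", "imap-basic", mfa=False, success=False),  # failed: protocol still counts
    SignIn("erin", "ntlmv1", mfa=False, success=False),
]
SAMPLE_HOSTS = [
    Host("fs01", frozenset({"CVE-2017-0144"}), NOW - timedelta(hours=2)),
    Host("web02", frozenset({"CVE-2021-44228"}), None),
    Host("vpn01", frozenset({"CVE-2023-4966"}), NOW - timedelta(days=3)),
    Host("desk17", frozenset(), NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SIGNINS, SAMPLE_HOSTS, NOW):
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

On the sample data the audit yields nine findings: two accounts signing in without MFA, two prohibited protocols in use, three hosts with open known-exploited vulnerabilities, and two hosts that have stopped reporting. The design choice worth noting is the last check: "web02" has a KEV entry open and has never sent telemetry, which is exactly the combination the audit's "inadequate operational visibility" finding describes, since a scanner result alone would not tell you whether anyone is watching that host.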

3. The Consequences: A Decisive Purge

The response from DHS leadership was swift and unprecedented. Citing "ineptitude" and claiming that FEMA's IT leadership "resisted any efforts to fix the problem" and "lied to officials about the scope and scale of the cyber vulnerabilities," Secretary Noem took the dramatic step of firing 24 members of FEMA's IT department.

This included the agency's highest-ranking technology officials:

  • Charles Armstrong, Chief Information Officer (CIO)

  • Gregory Edwards, Chief Information Security Officer (CISO)

This decisive action underscores the severity of the negligence. It sends a clear message that in today's threat landscape, failing to implement the absolute basics of cybersecurity is a fireable offense.

4. A Global Pattern: The State of Cybersecurity in Allied Agencies

The failures at FEMA are not an American anomaly. They are a symptom of a much broader, systemic issue of neglect and underinvestment in public sector cybersecurity across the globe. Recent audits and reports from allied nations reveal a disturbingly similar pattern:

  • United Kingdom: A January 2025 report from the UK's National Audit Office (NAO) found "significant gaps in cyber resilience" across government departments. The report noted that the government's own assurance scheme found "multiple fundamental system controls at low levels of maturity." Crucially, the NAO identified at least 228 "legacy" IT systems still in use, with no fully funded plans to remediate more than half of them, leaving these systems dangerously vulnerable.

  • Australia: A June 2025 "Cyber Security Insights" report from the Audit Office of New South Wales found that 69% of the 'Protect' mandatory requirements in the state's own Cyber Security Policy were not fully met by reporting agencies. The report highlighted a critical need to address "failures to meet basic protection standards" and to better manage third-party cyber risk.

  • Canada: The Communications Security Establishment (CSE) reported in its 2024-2025 annual report that it responded to 1,155 cybersecurity incidents affecting the Government of Canada in that fiscal year alone. Reports from the Auditor General have consistently highlighted weaknesses in departmental controls for preventing, detecting, and responding to cyberattacks.

This international evidence makes it clear: from London to Sydney to Ottawa, critical government agencies responsible for public safety and services are struggling with the exact same foundational weaknesses that were exploited at FEMA. The root causes are universal: a shortage of skilled cyber professionals in the public sector, the persistent challenge of legacy IT, and a lack of consistent, high-level accountability.

5. The Bigger Picture: A Culture of Neglect

The FEMA incident is a textbook case study in how cybersecurity fails. It wasn't a failure of technology, but of culture, leadership, and governance. The DHS press release stated that FEMA had spent nearly $500 million on IT and cybersecurity in Fiscal Year 2025 alone, yet "delivered virtually nothing for the American people."

This demonstrates that budget alone does not create security. Without a culture that prioritises the basics, leadership that demands accountability, and a governance framework that ensures controls are actually implemented, even a massive budget can be rendered useless. The attackers didn't need to be brilliant; they just needed to find an organisation that was treating the basics like busywork.

From Lessons to Action: Building a Defensible Culture

The failures at FEMA, mirrored in government agencies worldwide, are a powerful warning. They prove that a large budget is no substitute for a strong security culture and a robust governance framework, and that neglecting the fundamentals ends in a catastrophic, public failure.

At Trescudo, we help organisations, both public and private, move beyond a "check-the-box" mentality. We partner with you to build a proactive, defensible security posture founded on the principles of Zero Trust and continuous validation. We implement the framework, technology, and expert vigilance needed to ensure the basics are not just done, but mastered.

Don't let a culture of neglect become your biggest vulnerability. Schedule your Cyber Resilience Strategy Session to assess your posture and build a framework that withstands real-world threats. https://clients.trescudo.com/form1
