Summary
The Department of Homeland Security (DHS) faced a major internal upheaval in July 2025 when Secretary Kristi Noem dismissed 24 key information technology (IT) personnel from the Federal Emergency Management Agency (FEMA), including the agency’s Chief Information Officer (CIO) Charles Armstrong and Chief Information Security Officer (CISO) Gregory Edwards. The firings followed the discovery of significant cybersecurity vulnerabilities during a routine DHS review that revealed systemic failures within FEMA’s IT infrastructure, enabling an unauthorized breach of its network. Although no sensitive data was reported stolen, the incident exposed critical lapses in security protocols, including the absence of multi-factor authentication and reliance on outdated technologies, raising serious concerns about FEMA’s ability to safeguard national security and public safety.
FEMA, a vital component of DHS responsible for coordinating federal disaster response and maintaining continuity of government operations during crises, was simultaneously managing responses to over 100 active disasters nationwide. The abrupt removal of key IT leadership amid this operational surge triggered concerns about the agency’s capacity to maintain essential communications and cybersecurity protections during emergencies. Secretary Noem publicly criticized the dismissed staff for “failure,” “neglect,” and dishonesty, accusing them of obstructing remediation efforts and misrepresenting the severity of the cybersecurity weaknesses.
The dismissals sparked significant controversy both within FEMA and among external observers. Some longtime FEMA officials defended the ousted personnel as competent and respected, while critics highlighted longstanding management challenges and internal resistance to reform within the agency’s IT division. The firings also intensified scrutiny over FEMA’s disaster readiness and cybersecurity posture, with some employees involved in earlier congressional warnings about agency mismanagement reportedly placed on administrative leave amid heightened internal tensions.
The episode has drawn widespread expert commentary on the structural and cultural issues facing FEMA’s IT governance, emphasizing the need for comprehensive reforms to restore trust and enhance cybersecurity capabilities. It also raised legal and administrative questions regarding the scope of the Secretary’s authority to alter FEMA’s operational capabilities, given statutory protections designed to preserve the agency’s disaster response functions. The DHS’s subsequent investigations and polygraph examinations of FEMA officials reflect ongoing efforts to address security lapses and reinforce accountability within the agency.
Background
In July 2025, the Department of Homeland Security (DHS) faced a significant cybersecurity breach that compromised government networks and posed risks to both public agencies and private businesses. In response, DHS Secretary Kristi Noem took decisive action by dismissing 24 key personnel from the Federal Emergency Management Agency (FEMA), including Chief Information Officer Charles Armstrong and Chief Information Security Officer Gregory Edwards, along with 22 other IT staff members. Noem publicly criticized FEMA’s IT leadership, accusing them of “failure,” “neglect,” “incompetence,” and dishonesty in handling the breach. She stated that these issues included downplaying the severity of the breach and obstructing DHS’s efforts to manage the situation effectively.
FEMA, a critical component of DHS responsible for managing disaster response and recovery, oversees vital IT and communication infrastructure that must remain operational during emergencies. It also houses the National Continuity Programs Directorate, formerly the Office of National Security Coordination, which is tasked with maintaining continuity readiness and government operations during crises. At the time of the dismissals, FEMA was actively engaged in responding to over 100 disasters nationwide, including hurricanes and major wildfires, intensifying the challenges facing the agency.
The termination decisions were reportedly influenced by input from the Office of Personnel Management, which provided lists of staff recommended for dismissal to various federal offices, including FEMA. Secretary Noem’s actions reflected a broader effort to restore confidence in DHS’s cybersecurity posture and emergency management capabilities amid a period of heightened operational demand and scrutiny.
Dismissal Event
On a Friday following a routine cybersecurity review, Secretary Kristi Noem of the U.S. Department of Homeland Security (DHS) announced the termination of 24 members of the Federal Emergency Management Agency’s (FEMA) Information Technology (IT) division, including FEMA Chief Information Officer Charles Armstrong and Chief Information Security Officer Gregory Edwards. The decision came after the DHS Office of the Chief Information Officer discovered major security vulnerabilities that allowed an unauthorized threat actor to breach FEMA’s network, exposing significant cybersecurity lapses across the agency’s systems.
The investigation revealed systemic failures by FEMA’s IT leadership, which included a lack of multi-factor authentication, the continued use of prohibited legacy protocols, failure to address known critical vulnerabilities, and inadequate operational visibility. According to Secretary Noem, the long-entrenched IT bureaucrats resisted attempts at remediation, evaded scheduled inspections, and misled officials about the scope of the cyber vulnerabilities, ultimately putting the American public at risk. Despite the breach, no sensitive data was reported to have been extracted from DHS networks.
The terminations targeted primarily “probationary” employees, defined as those in their positions for less than a year, although many had been with FEMA for years or decades and were recently promoted into new roles. DHS characterized those dismissed as “non-mission critical personnel” and also separately fired four longtime employees, including FEMA’s chief financial officer, over a congressional investigation into the misuse of funds allocated for housing migrants in New York City.
The decision followed broader concerns about FEMA’s management under the Trump administration, as nearly 200 current and former FEMA employees had earlier warned Congress that the agency was being dangerously mismanaged and that cuts were undermining disaster readiness. The firings heightened tensions within FEMA, with some employees who had signed the congressional letter subsequently placed on administrative leave.
Officials noted that the federal Office of Personnel Management played a significant role in identifying individuals for termination and compiling lists for each office. Secretary Noem defended the action as necessary to address critical failures and protect national safety, stating that FEMA’s career IT leadership had failed on every level. However, she also dismissed some internal criticism as “fake news” and questioned the validity and anonymity of some sources reporting on the agency’s internal issues.
At the time of the dismissals, FEMA was actively responding to over 100 disasters and emergencies across the United States, including hurricanes Milton and Helene and major fires in Los Angeles. The firings represented a dramatic and public move in Secretary Noem’s effort to overhaul FEMA’s operations and cybersecurity posture amid ongoing concerns about the agency’s ability to fulfill its mission.
Identified Cybersecurity Vulnerabilities
A routine cybersecurity review conducted by the Department of Homeland Security (DHS) Office of the Chief Information Officer uncovered significant security vulnerabilities within the Federal Emergency Management Agency’s (FEMA) network. These lapses enabled a threat actor to breach the agency’s systems, posing a risk to both the department and national security, although no sensitive data was confirmed to have been extracted during the intrusion.
The investigation revealed multiple critical failures, including an agency-wide absence of multi-factor authentication, reliance on prohibited legacy protocols, unresolved known and critical vulnerabilities, and insufficient operational visibility across FEMA’s IT infrastructure. Despite FEMA’s substantial investment in IT and cybersecurity—spending nearly half a billion dollars in Fiscal Year 2025—the agency delivered minimal effective protection for its systems and the American public.
Further compounding the issue, entrenched FEMA IT personnel resisted efforts to address these security weaknesses. They reportedly avoided scheduled security inspections and misled officials about the extent and severity of the vulnerabilities. Following the discovery of the breaches and vulnerabilities, an internal FEMA email dated August 18 instructed all agency employees to change their passwords within two weeks, citing “recent cybersecurity incidents and threats,” although it did not disclose specific details about the security breaches.
Immediate and Short-term Impact
The dismissal of 24 key FEMA IT personnel, including the Chief Information Officer (CIO) and Chief Information Security Officer (CISO), led to significant immediate and short-term disruptions within the agency. FEMA’s role in managing critical information systems and ensuring cybersecurity was directly affected, raising concerns about the continuity and security of operations during a period of heightened vulnerability. These personnel were responsible for overseeing the management, operations, and maintenance of FEMA’s IT infrastructure, which is essential both during routine functions and disaster response efforts.
This staffing upheaval occurred amid increased scrutiny of FEMA’s cybersecurity posture, following a recent breach revealed during a routine security assessment. The breach exposed major vulnerabilities in FEMA’s network, attributed to lapses in security protocols that allowed unauthorized access by a “threat actor.” While DHS confirmed that no sensitive data was extracted, the incident underscored the fragility of FEMA’s cyber defenses and the critical importance of experienced IT leadership.
In addition to cybersecurity concerns, FEMA’s broader emergency response capabilities faced challenges. The agency coordinates federal response efforts when state and local resources are overwhelmed, relying heavily on specialized teams trained for medical, search and rescue, and mortuary operations. Disruptions within FEMA’s IT leadership threatened to impede timely communication and coordination across these critical response units, potentially exacerbating the impact of ongoing and future disasters.
Furthermore, FEMA’s responsibilities extend beyond immediate disaster response to include programs aimed at mitigating future risks, such as the Hazard Mitigation Grant Program, which funds rebuilding efforts designed to reduce damage from similar disasters. The effective administration of such programs depends on robust IT systems and data management, areas vulnerable during the leadership vacuum. This was particularly concerning given the agency’s recent criticism for its response to major disasters and the ongoing need to support vulnerable populations disproportionately affected by emergencies.
Responses and Reactions
The public dismissal of 24 key FEMA IT personnel, including the agency’s Chief Information Officer (CIO) and Chief Information Security Officer (CISO), provoked strong reactions both within FEMA and among external observers. The firings, announced by DHS Secretary Kristi Noem, who accused the affected staff of “failure,” “neglect,” “incompetence,” and dishonesty, sparked immediate controversy and uncertainty about FEMA’s disaster response capabilities.
Inside FEMA, the firings sent shockwaves, with longtime officials describing the ousted leaders as “extremely competent” and “highly respected.” Some staff expressed concerns that the dismissals were part of a larger clash between FEMA leadership and DHS officials over ongoing efforts to overhaul the disaster relief agency. According to reports, DHS alleged that the dismissed officials had resisted reforms, avoided inspections, and misrepresented the severity of cyber vulnerabilities within FEMA.
Critics have long argued that FEMA’s complex and overextended disaster response system hampers its effectiveness. They contend that the agency’s broad responsibilities create inefficiencies, limiting its ability to respond quickly and efficiently to emergencies. The recent firings and ensuing turmoil appear to have amplified calls for reform, with nearly 200 current and former FEMA employees warning Congress that the agency is being dangerously mismanaged and that vital protections designed to prevent disaster failures are being rolled back. Some FEMA employees were subsequently placed on leave, further heightening internal tensions.
In response to the controversy, DHS has maintained a low profile, declining immediate comment on the specifics of the dismissals. Meanwhile, a CNN investigation revealed that some FEMA staff had sought legal guidance and believed they were following administration directives amid the internal disputes. Additionally, DHS reportedly administered polygraph tests to more than a dozen high-ranking FEMA officials, including the former Trump-appointed acting chief, as part of an effort to identify media leaks.
Noem framed the dismissals within a narrative of accountability and the need for improved cybersecurity, stating that “folks in these deep state positions seem more focused on concealing their shortcomings rather than safeguarding the personal information of citizens,” and asserting that “the American people deserve better from their government”. However, the dismissals have raised concerns about potential violations of federal law that prohibits the Secretary of Homeland Security from significantly reducing FEMA’s authorities or capabilities, which are critical for consistent federal disaster response regardless of political administration.
Organizational and Structural Consequences
The dismissal of 24 key FEMA IT personnel, including Chief Information Officer Charles Armstrong and Chief Information Security Officer Gregory Edwards, has had significant organizational and structural implications within the agency. These terminations were part of an immediate response following a failure in IT security, although no sensitive data was reportedly extracted from DHS networks. The abrupt removal of these high-level IT officials has disrupted the coordination and integration of policies, directives, and procedures essential for effective planning, finance, acquisitions, and enterprise risk management that support agency and office IT needs.
This shake-up has also raised concerns about FEMA’s capacity to maintain continuity programs critical to federal, state, local, tribal, and territorial governments’ ability to sustain essential functions and deliver critical services during emergencies. FEMA’s Office of National Continuity Programs, which guides the implementation and assessment of such continuity efforts, plays a central role in this area and could be affected by the sudden personnel changes. Historically, FEMA has managed various programs, some of which have been internalized or shifted under direct Department of Homeland Security (DHS) control, reflecting the evolving organizational structure and the agency’s complex operational demands.
The broader implications of these dismissals extend to FEMA’s ongoing response efforts across more than 100 disasters, including hurricanes and historic wildfires, where IT infrastructure and leadership are vital for efficient coordination and communication. Additionally, the agency faces structural challenges amid policy shifts and regulatory pauses, such as the recent internal memo halting enforcement of flood damage mitigation rules finalized under the Biden administration, which may further strain agency functions. This confluence of personnel changes and regulatory uncertainty has potential repercussions for FEMA’s ability to effectively manage disaster recovery, especially for vulnerable and underserved communities.
Moreover, the firings have occurred in a context of intensified internal scrutiny and security measures, including polygraph testing of high-ranking FEMA officials in a search for media leaks, indicating heightened tensions within the agency and DHS at large. Taken together, these organizational disruptions threaten to impair FEMA’s operational readiness, IT governance, and continuity capabilities during a critical period of frequent and complex disaster responses.
Long-term Implications
The dismissal of 24 key FEMA IT personnel, including the Chief Information Officer (CIO) and Chief Information Security Officer (CISO), by DHS Secretary Kristi Noem has raised significant concerns regarding the agency’s long-term operational stability and cybersecurity posture. This decisive action was prompted by the discovery of critical vulnerabilities within FEMA’s IT infrastructure, uncovered during a routine cybersecurity review ordered by Secretary Noem. These weaknesses had allowed unauthorized access to FEMA’s network, although officials confirmed that no sensitive data was stolen before the vulnerability was addressed.
In the aftermath, FEMA’s reputation has faced intensified scrutiny, not only due to cybersecurity lapses but also because of its historically criticized disaster response performance. The agency’s inability to safeguard its IT systems underscores systemic issues within its management and operational frameworks, which could hinder FEMA’s effectiveness in future disaster relief efforts and continuity of government operations.
The financial implications are substantial as well. Despite FEMA allocating nearly half a billion dollars toward IT and cybersecurity enhancements in Fiscal Year 2025, the outcomes have fallen short of expectations. Critics argue that this expenditure did not translate into tangible improvements, suggesting inefficiencies and mismanagement within FEMA’s IT leadership. The recent personnel dismissals signal a move toward accountability but also highlight the necessity for a comprehensive overhaul of FEMA’s approach to technology and risk management.
Moreover, the removal of key IT leadership raises concerns about potential disruptions to ongoing projects and the agency’s ability to maintain and advance critical systems supporting emergency response activities. FEMA’s role in coordinating with state and local governments, managing continuity of operations programs, and deploying specialized teams in disaster scenarios depends heavily on reliable IT infrastructure and communications capabilities. Any prolonged instability within its IT department could impede these vital functions.
In the broader context, the shake-up at FEMA reflects ongoing challenges faced by federal agencies in balancing the complexity of disaster response with robust cybersecurity measures. The episode serves as a cautionary example of how vulnerabilities in governmental IT systems can have cascading effects on national security and public trust, necessitating sustained attention and resource commitment to mitigate such risks in the future.
Investigations and Follow-up Actions
In the wake of the cybersecurity breach at the Federal Emergency Management Agency (FEMA), the Department of Homeland Security (DHS) launched a series of investigations and follow-up measures to address the security lapses uncovered. The breach was initially discovered during a routine cybersecurity review conducted by the DHS Office of the Chief Information Officer (OCIO),
Analysis and Expert Commentary
The dismissal of 24 key FEMA IT personnel, including the Chief Information Officer (CIO) and Chief Information Security Officer (CISO), by DHS Secretary Kristi Noem has sparked significant analysis from cybersecurity experts and policy commentators. The decision followed a routine cybersecurity review that revealed extensive vulnerabilities within FEMA’s information systems and networks. Experts have highlighted several critical failures, such as the absence of multi-factor authentication agency-wide, reliance on outdated and prohibited legacy protocols, unaddressed critical security flaws, and poor operational visibility—all of which collectively exposed FEMA’s network to a threat actor breach.
Cybersecurity analysts have pointed to these systemic issues as emblematic of longstanding institutional resistance to necessary reforms within FEMA’s IT leadership. Reports indicate that entrenched bureaucrats resisted inspections and allegedly misled officials about the scale and severity of the vulnerabilities, thereby exacerbating the agency’s exposure to cyber threats. This resistance to change has raised concerns about FEMA’s ability to protect critical infrastructure and sensitive citizen data amidst increasing cyber threats.
The fiscal dimension of the problem is also noteworthy. Despite FEMA’s expenditure of nearly half a billion dollars on IT and cybersecurity efforts in Fiscal Year 2025, tangible improvements remained elusive, fueling criticism that substantial public funds failed to translate into effective security outcomes. Observers have debated the accountability mechanisms within federal agencies and underscored the need for robust oversight and transparent reporting to prevent similar failings.
From a legal and administrative standpoint, some experts have underscored statutory protections that limit the Secretary of Homeland Security’s authority to curtail FEMA’s functions or capabilities, as outlined in 6 U.S.C. 316. These safeguards are designed to maintain FEMA’s disaster response efficacy irrespective of political changes or internal agency restructuring. Consequently, Noem’s actions have prompted discussions about balancing organizational reform with adherence to legislative mandates that govern FEMA’s operational autonomy.
Moreover, the broader implications of the breach and subsequent personnel dismissals have heightened public scrutiny not only of FEMA’s cybersecurity posture but also of its overall disaster response reliability. With the threat actor’s identity still unknown and investigations ongoing, the incident has been a catalyst for renewed calls to enhance cybersecurity frameworks and accountability within DHS and its subordinate agencies.
In sum, the expert commentary converges on the view that the crisis at FEMA reflects deeper structural and cultural challenges in federal IT management, emphasizing the urgency for comprehensive reforms and sustained leadership commitment to safeguard national security interests in the digital era.
Aftermath and Current Status
Following the discovery of major cybersecurity vulnerabilities within FEMA’s information systems, Secretary Kristi Noem took decisive action by terminating Chief Information Officer Charles Armstrong, Chief Information Security Officer Gregory Edwards, and 22 other IT personnel directly responsible for managing FEMA’s IT infrastructure. The vulnerabilities were uncovered during a routine cybersecurity review conducted by the Department of Homeland Security (DHS), which identified security lapses that allowed a threat actor to breach FEMA’s network. Although no sensitive data was extracted, the incident exposed critical weaknesses in the agency’s cybersecurity defenses.
The DHS promptly addressed the identified vulnerability to prevent any further unauthorized access or data loss. The dismissals underscore concerns about FEMA’s IT leadership and operational readiness, particularly given the agency’s critical role in managing disaster response and continuity of government functions. FEMA’s responsibility extends to overseeing and maintaining vital IT and communications infrastructure during both routine operations and emergency situations, making robust cybersecurity measures essential for its mission.
In the wake of these events, FEMA continues to operate under acting administrator David Richardson, who assumed the role in May and previously led a DHS office focused on weapons of mass destruction. Unlike some of his predecessors, Richardson lacks prior emergency management experience, raising additional questions about the agency’s leadership amid ongoing challenges.
Simultaneously, FEMA has indicated a “pause” in enforcing a recent flood mitigation rule finalized under President Biden, pending possible revision or rescission. This regulatory hold reflects the agency’s cautious approach amid broader operational and administrative shifts but also highlights procedural complexities, as formal revocation of regulations requires adherence to the Administrative Procedure Act, including public commentary.
The content is provided by Harper Eastwood, 11 Minute Read
