We performed an audit of the Federal Emergency Management Agency’s (FEMA) privacy stewardship. Our audit objectives were to determine whether FEMA’s plans and activities instill a culture of privacy that protects sensitive personally identifiable information and whether FEMA ensures compliance with Federal privacy laws and policies. FEMA has made progress in implementing plans and activities to instill a culture of privacy. Specifically, it has established a privacy office that, among other functions, prepares reports on FEMA’s privacy activities to the Department of Homeland Security Privacy Office, reviews suspected privacy incidents, and oversees FEMA’s privacy training. However, FEMA faces a number of challenges in ensuring that personally identifiable information is protected. Specifically, it needs an accurate inventory of its information technology systems that impact privacy. In addition, FEMA needs to complete required privacy compliance analyses, including privacy threshold analyses, privacy impact assessments, and system of records notices, for 430 information technology systems that were reported as unauthorized.