The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII).  HUD maintained a significant number of records that contain PII with limited zero trust controls in place to secure these data.  In FY 2022, HUD established a zero trust implementation plan to help the agency address the five zero trust...

HUD OIG is conducting the Fiscal Year (FY) 2025 evaluation of the HUD's information security (InfoSec) program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). The objectives are to (1) perform an independent evaluation of the effectiveness of HUD’s InfoSec program and practices as required by FISMA; (2) test the effectiveness of HUD’s InfoSec policies, procedures, and practices through...

The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst,...

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to...

 The Geospatial Data of 2018 (the Act) governs the collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data of covered agencies, including the U.S. Department of Housing and Urban Development (HUD).  We audited the U.S. Department of Housing and Urban Development’s (HUD) efforts to meet the geospatial data requirements stated in the Act.  The Act requires the Inspector...

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to...

HUD OIG is performing this evaluation to assess HUD’s capability to meet privacy and data protection requirements and provide appropriate stakeholders with an understanding of any related potential risks to HUD’s data and the operational mission. The evaluation will also provide HUD an independent assessment of the level of maturity it has reached in developing the data and identify pillars of CISA's zero-trust architecture. The...

HUD OIG is conducting the Fiscal Year (FY) 2024 evaluation of the HUD's information security program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). The objectives are to (1) assess the maturity level of HUD’s InfoSec program and practices based on the annual IG FISMA reporting metrics. The assessment will include 20 core IG metrics that are evaluated annually and group 2 of the...

We conducted this evaluation to assess the maturity of HUD’s Robotic process automation (RPA) activities and determine whether HUD had implemented related controls to address technology and program management risks.  RPA is a software technology used to emulate human actions on a computer.  RPA software programs, referred to as “bots,” can complete repetitive tasks quickly and consistently, freeing up employees to work on...

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced...

HUD OIG is conducting the Fiscal Year (FY) 2023 evaluation of the HUD's information security program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). The objectives are to (1) assess the maturity level of HUD’s IS programs and practices based on the annual IG FISMA reporting metrics. The assessment will include 20 core IG metrics that are evaluated annually and group 1 of the...

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation...

We audited the U.S. Department of Housing and Urban Development’s (HUD) efforts to meet the Geospatial Data Act of 2018 (the Act). Our audit objective was to determine whether HUD met the 13 responsibilities stated in the Act with regard to its collection, production, acquisition, maintenance, distribution, use, and preservation of geospatial data.  The Act also generally requires covered agencies provide access to geospatial...

HUD OIG is conducting the Fiscal Year (FY) 2022 evaluation of the HUD's information security program and practices, as required by the Federal Information Security Modernization Act (FISMA) of 2014. The objectives are to (1) assess the maturity level of HUD's information security policies and procedures, (2) prepare responses for the core Inspector General (IG) FISMA reporting metrics, and (3) test and verify the technical...

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) ability to effectively complete information technology (IT) acquisitions.  HUD’s IT systems and its modernization plans depend heavily on contractors, yet HUD has historically faced significant challenges with implementing effective acquisition processes. Therefore, HUD’s acquisition capacity represents a key potential risk within HUD’s IT environment. We...

In February 2021, the Office of the Chief Information Officer (OCIO) identified funding risks with the development contract under which HUD contracted for Federal Housing Administration (FHA) Catalyst’s development.  In response, HUD officials took steps to slow FHA Catalyst spending on the contract while awaiting approval for additional contract funds.  Despite efforts to slow project spending, it was not enough to prevent...

The U.S. Department of Housing and Urban Development’s (HUD) Office of Inspector General (OIG) is initiating an evaluation of HUD’s Robotics Process Automation (RPA) program. The evaluation objective is to assess the maturity of HUD’s RPA activities and determine whether HUD implemented related controls to address technology and program management risks. The evaluation scope will include assessing the sufficiency of information...

HUD OIG is evaluating the potential delays in the development of the U.S. Department of Housing and Urban Development (HUD) Federal Housing Administration (FHA) Catalyst. Our objective is to determine why HUD paused work on FHA Catalyst, what caused that pause, whether and to what extent HUD is back to working on FHA Catalyst, and what are the revised dates for completion. 

HUD OIG is auditing HUD’s proactive communication to homeowners with FHA-insured single family mortgages.  The CARES Act and various HUD guidance contain key information that is relevant for homeowners such as details about mortgage loan forbearance protections.  Our objective is to assess HUD’s communication to homeowners through its website, joint website, and other proactive methods about protections, repayment options,...

We will review HUD OCIO’s most recent IT modernization roadmap and strategy along with any other supporting documentation HUD can provide regarding modernization progress and milestones. Specifically, we will identify the various ongoing modernization projects within the roadmap and obtain documentation about the status of the individual projects. We will interview HUD officials knowledgeable about HUD’s modernization plans to confirm...