Publication Report
2024-OE-0002a | December 11, 2024
Fiscal Year 2024 Federal Information Security Modernization Act of 2014 Penetration Test
The U.S. Department of Housing and Urban Development (HUD) Office of Inspector General (OIG) conducted penetration testing concurrently with our fiscal year 2024 Federal Information Security Modernization Act of 2014 (FISMA) evaluation. The objective of...
Related Recommendations
Chief Information Officer
- HUD OCIO should block access to commonly used cloud storage URLs that are not associated with a verified business need.
- 2024-OE-0002a-02: HUD OCIO should mitigate the risk of data exfiltration and block the use of external storage devices, such as optical drives, cell phones, and tablets, that have not been formally approved for use based on a verified business need.
- 2024-OE-0002a-03: HUD OCIO should enhance data loss prevention configurations and continue efforts to implement user and entity behavior analytics solutions. Both solutions should be appropriately configured to effectively identify and prevent the exfiltration of sensitive data, including PII, while addressing the limitations of pattern-based detection methods.
- 2024-OE-0002a-04: HUD OCIO should conduct an assessment, including tests of existing controls, to identify gaps in network traffic monitoring coverage and develop plans to address these gaps.
- 2024-OE-0002a-05: HUD OCIO should conduct an assessment to evaluate the potential for data exfiltration from non-GFE devices and implement appropriate controls to address the identified risks. Such controls could include blocking the use of non-GFE devices, limiting data access for sensitive fields during remote access, prohibiting the download of sensitive data to non-GFE devices, requiring the use of virtual desktop infrastructure with non-GFE devices, and implementing network access control to validate the security posture of non-GFE devices.
- 2024-OE-0002a-06: HUD OCIO, in coordination with CPD, should implement and enforce a whitelist of trusted sites for resource sharing in DRGR.
- 2024-OE-0002a-07: HUD OCIO, in coordination with the Office of Housing, CPD, and OCFO, should configure FHA Catalyst, DRGR, and LOCCS web servers to ensure that all HTTP request headers are properly validated and processed to address the risk of CSD.
- 2024-OE-0002a-08: HUD OCIO, in coordination with CPD, OCFO, and PIH, should configure DRGR, LOCCS, and NSPIRE content security policies to ensure that only necessary web server resources are accessible by clients.
- 2024-OE-0002a-09: HUD OCIO, in coordination with OCFO, should update the LOCCS web server software to a newer version of ColdFusion or to a similar web application hosting platform that receives regular updates and security patches.
- 2024-OE-0002a-10: HUD OCIO, in coordination with OCFO, should ensure that the LOCCS testing and production environments appropriately limit access to client bank account information, ensuring that individual users have only the minimum level of access necessary to perform their duties. This measure should include masking all or part of bank account numbers when appropriate.
- 2024-OE-0002a-11: HUD OCIO, in coordination with the Office of Housing, should ensure that sensitive information in the Parameter Store is stored securely with encryption; for example, by using the “SecureString” format, which encrypts the data using the AWS Key Management Service. Additionally, authenticators in the Parameter Store should be rotated in accordance with Federal requirements and applicable HUD policy.
- 2024-OE-0002a-12: HUD OCIO, in coordination with the Office of Housing, should ensure that private keys are appropriately stored and managed; for example, by using the Amazon Web Services Key Management Service, configured for compliance with FIPS 140-2.
- 2024-OE-0002a-13: HUD OCIO, in coordination with the Office of Housing, should ensure that only necessary and current FHA Catalyst pages are accessible to users.
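As an added illustration of the content security policy point in recommendation 2024-OE-0002a-08 (that clients should be able to reach only the web server resources they need), the following Python script is not part of the OIG report or of any HUD system; it parses a Content-Security-Policy header value and reports fetch directives whose source lists are broader than a least-privilege policy would allow. The two header values, `PERMISSIVE_CSP` and `RESTRICTIVE_CSP`, are constructed samples, and the list of "broad" source expressions is this example's own assumption about what a reviewer would want flagged.

```python
"""Flag overly broad source lists in a Content-Security-Policy header."""
from typing import Dict, List

# Directives that govern which remote resources a page may load or connect to.
FETCH_DIRECTIVES = ("default-src", "script-src", "style-src", "img-src",
                    "connect-src", "font-src", "frame-src", "object-src")

# Source expressions that defeat the purpose of a restrictive policy
# (assumed review threshold for this example, not a standard list).
BROAD_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue  # tolerate trailing or doubled semicolons
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def find_broad_sources(header: str) -> Dict[str, List[str]]:
    """Return {directive: [broad sources]} for directives that need tightening.

    A missing default-src is also reported, because any fetch directive that is
    not listed then falls back to allowing every origin.
    """
    policy = parse_csp(header)
    findings: Dict[str, List[str]] = {}
    if "default-src" not in policy:
        findings["default-src"] = ["(missing: unlisted directives are unrestricted)"]
    for directive in FETCH_DIRECTIVES:
        broad = [s for s in policy.get(directive, []) if s in BROAD_SOURCES]
        if broad:
            findings[directive] = broad
    return findings


# Constructed sample header values; they do not come from any HUD application.
PERMISSIVE_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:"
RESTRICTIVE_CSP = ("default-src 'self'; script-src 'self'; style-src 'self'; "
                   "img-src 'self'; connect-src 'self'; object-src 'none'; "
                   "frame-ancestors 'none'")

if __name__ == "__main__":
    for name, csp in (("permissive", PERMISSIVE_CSP), ("restrictive", RESTRICTIVE_CSP)):
        print(f"{name}: {find_broad_sources(csp) or 'no broad sources'}")
```

Run against the permissive sample, the script reports the wildcard and `unsafe-*` sources on `default-src` and the wildcard plus `data:` on `img-src`; the restrictive sample produces no findings. The same check can be run over headers captured from a test environment to confirm that a policy change actually removed the broad sources.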