The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Publication Report
2020-OE-0001 | November 30, 2020
HUD Fiscal Year 2020 Federal Information Security Modernization Act of 2014 (FISMA) Evaluation Report
The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget… moreRelated Recommendations
Chief Information Officer
- Status2020-OE-0001-01OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.
Status
In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to create rules for allowing only authorized software to be used through HUD's endpoint security software. Final implementation of this new tool is expected by Quarter 2 of FY 2025.
Analysis
To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and implement as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk Based Decision memorandum.
Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.
- Status2020-OE-0001-02OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-03OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-04OpenClosedClosed on June 09, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-05OpenClosedClosed on October 04, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-06OpenClosedClosed on September 09, 2021SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-07OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-08OpenClosedClosed on February 10, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-09OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-10OpenClosedClosed on September 16, 2021SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-11OpenClosedClosed on May 30, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-12OpenClosedClosed on February 24, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-13OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-14OpenClosedClosed on August 30, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-15OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.
Analysis
To fully address the recommendation, HUD must implement multifactor authentication enterprisewide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- Status2020-OE-0001-16OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.
Analysis
To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- Status2020-OE-0001-18OpenClosedClosed on July 25, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-19OpenClosedClosed on July 25, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-20OpenClosedClosed on April 21, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-21OpenClosedClosed on September 16, 2021SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-22OpenClosedClosed on July 25, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-23OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-24OpenClosedClosed on July 08, 2021SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-25OpenClosedClosed on May 13, 2021SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Office of Administration
- Status2020-OE-0001-17OpenClosedClosed on March 10, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.