HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.

Publication Report

2023-OE-0007 | December 12, 2024

U.S. Department of Housing and Urban Development Personally Identifiable Information Risk Management in a Zero Trust Environment (2023-OE-0007) Evaluation Report

The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII). HUD maintained a significant number of records that contain PII…

Related Recommendations

Chief Information Officer

  •  
    2023-OE-0007-01

    HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.

  •  
    2023-OE-0007-02

    HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.

  •  
    2023-OE-0007-04

    HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.

Policy Development & Research

  •  
    2023-OE-0007-03

    The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

Office of Administration

  •  
    2023-OE-0007-05

    HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).

Housing

  •  
    2023-OE-0007a-01

    Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization.

  •  
    2023-OE-0007a-02

    Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed.

  •  
    2023-OE-0007a-03

    Housing should coordinate with HUD’s SOC to
      a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities.
      b. Establish program office responsibility for the log review process.