The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001 | November 30, 2020
HUD Fiscal Year 2020 Federal Information Security Modernization Act of 2014 (FISMA) Evaluation Report
Chief Information Officer
  
  - Status2020-OE-0001-05OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on October 04, 2022
- Status2020-OE-0001-06OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on September 09, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-07OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-08OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on February 10, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-09OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-10OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on September 16, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-11OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on May 30, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-12OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on February 24, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-13OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-14OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on August 30, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-15OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all. Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII. 
 Status The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement. 
 Analysis To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide. Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices. 
- Status2020-OE-0001-16OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all. Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII. 
 Status The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement. 
 Analysis To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide. Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices. 
- Status2020-OE-0001-18OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on July 25, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-19OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on July 25, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-20OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on April 21, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-21OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on September 16, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-22OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on July 25, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-23OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on July 01, 2025The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-24OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on July 08, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
- Status2020-OE-0001-25OpenClosedSensitiveSensitiveSensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure. Closed on May 13, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. 
 
                   
                  