We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced is key to managing a flexible workforce and preparing for future emergencies.
HUD experienced challenges with its IT infrastructure while under mandatory telework. We found (1) there were significant delays in processing computer security updates, (2) users encountered months of network performance issues, (3) the user password expiration policy was not enforced, and (4) the help desk system did not capture complete data. These conditions occurred because HUD’s virtual private network (VPN) bandwidth was not sufficient to accommodate the significant increase in users’ simultaneously needing remote access and because there were limitations in the technical environment and weaknesses in the help desk system’s controls. As a result, (1) HUD was vulnerable to cyber-attacks and unauthorized access, (2) HUD’s ability to accomplish its mission could be affected, and (3) HUD did not have assurance that all IT problems reported by users were resolved. Although HUD experienced challenges during mandatory telework, HUD continued its operations; increased network capacity; and plans to make additional network improvements, resume password policy enforcement, and potentially replace its help desk system. HUD needs to fully address the underlying causes of the issues identified so that it can manage its flexible workforce in a way that minimizes risk and prepares it for future emergencies.
We recommend that HUD’s Office of the Chief Information Officer research, evaluate, and implement technical or alternative solutions to (1) deploy essential computer software updates using secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations; (2) provide additional improvements to VPN-related remote working capabilities, including performing routine VPN stress tests as part of its contingency planning and testing processes; (3) resolve user account management issues; and (4) assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. These measures include but are not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.