U.S. flag

An official website of the United States government Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Document
Document

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced is key to managing a flexible workforce and preparing for future emergencies.

HUD experienced challenges with its IT infrastructure while under mandatory telework. We found (1) there were significant delays in processing computer security updates, (2) users encountered months of network performance issues, (3) the user password expiration policy was not enforced, and (4) the help desk system did not capture complete data. These conditions occurred because HUD’s virtual private network (VPN) bandwidth was not sufficient to accommodate the significant increase in users’ simultaneously needing remote access and because there were limitations in the technical environment and weaknesses in the help desk system’s controls. As a result, (1) HUD was vulnerable to cyber-attacks and unauthorized access, (2) HUD’s ability to accomplish its mission could be affected, and (3) HUD did not have assurance that all IT problems reported by users were resolved. Although HUD experienced challenges during mandatory telework, HUD continued its operations; increased network capacity; and plans to make additional network improvements, resume password policy enforcement, and potentially replace its help desk system. HUD needs to fully address the underlying causes of the issues identified so that it can manage its flexible workforce in a way that minimizes risk and prepares it for future emergencies.

We recommend that HUD’s Office of the Chief Information Officer research, evaluate, and implement technical or alternative solutions to (1) deploy essential computer software updates using secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations; (2) provide additional improvements to VPN-related remote working capabilities, including performing routine VPN stress tests as part of its contingency planning and testing processes; (3) resolve user account management issues; and (4) assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. These measures include but are not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.

Recommendations

Chief Information Officer

  •  
    Status
      Open
      Closed
    2023-FO-0008-001-A
    Closed on May 24, 2023

    Research, evaluate, and implement technical or alternative solutions to deploy essential computer software updates using appropriate secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations

  •  
    Status
      Open
      Closed
    2023-FO-0008-002-A
    Closed on May 24, 2023

    Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.

  •  
    Status
      Open
      Closed
    2023-FO-0008-002-B
    Closed on May 24, 2023

    Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.

  •  
    Status
      Open
      Closed
    2023-FO-0008-003-A
    Closed on October 02, 2024

    Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.

  •  
    Status
      Open
      Closed
    2023-FO-0008-004-A

    Assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. This measure includes but is not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.