The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security program, assess their compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2020 annual assessment. The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. Please contact the Office of Evaluation at [email protected] to request a copy of this report.
Recommendations
Chief Information Officer
- Status2020-OE-0001-01OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.
Status
HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel has stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. HUD has not provided an estimated completion date.
Analysis
To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and that the whitelist is implemented per the NIST Special Publication 800-167 or otherwise accept the risk of not controlling access to its network and document mitigating measures via a Risk-Based Decision memorandum.
HUD has defined a requirement in HUD Handbook 3257.1, Rev. 3, “Software License Management Policy” for the Configuration Control Management Board and Technical Review Committee to be responsible for maintaining the list of allowed and prohibited software. However, a tool to enforce this list is required to implement the recommendation.
The implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its approved software asset listing.
- Status2020-OE-0001-02OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-03OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-04OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on June 09, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-05OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on October 04, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-06OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on September 09, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-07OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-08OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on February 10, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-09OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-10OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on September 16, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-11OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on May 30, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-12OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on February 24, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-13OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-14OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on August 30, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-15OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.
Analysis
To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- Status2020-OE-0001-16OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.
Analysis
To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- Status2020-OE-0001-18OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on July 25, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-19OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on July 25, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-20OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on April 21, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-21OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on September 16, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-22OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on July 25, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-23OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on July 01, 2025The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-24OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on July 08, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-25OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on May 13, 2021The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2020-OE-0001-26OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on July 01, 2024The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Office of Administration
- Status2020-OE-0001-17OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on March 10, 2022The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.