U.S. flag

An official website of the United States government Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Hotline

Report Fraud, Waste and Abuse
November 30, 2020
  • Chief Information Officer
2020-OE-0001
Return to Index

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security program, assess their compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2020 annual assessment.

The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.  Please contact the Office of Evaluation at [email protected] to request a copy of this report.

Recommendations

Chief Information Officer

  •  
    Status
      Open
      Closed
    2020-OE-0001-01
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Priority
    Priority

    We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.

    Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

    Status

    In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to create rules for allowing only authorized software to be used through HUD's endpoint security software. Final implementation of this new tool is expected by Quarter 2 of FY 2025.

    Analysis

    To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and implement as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk Based Decision memorandum.

    Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

  •  
    Status
      Open
      Closed
    2020-OE-0001-02
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-03
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-04
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on June 09, 2022

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-05
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on October 04, 2022

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-06
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on September 09, 2021

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-07
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-08
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on February 10, 2022

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-09
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-10
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on September 16, 2021

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-11
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on May 30, 2024

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-12
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on February 24, 2022

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-13
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-14
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on August 30, 2022

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-15
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Priority
    Priority

    We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.

    Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

    Status

    In April 2024, the Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, had completed 9 of 15 systems within the first phase, and will be delayed in completing the final system until the last quarter of FY 2024.

    Analysis

    Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028, titled “Improving the Nation’s Cybersecurity”. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

  •  
    Status
      Open
      Closed
    2020-OE-0001-16
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Priority
    Priority

    We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.

    Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

    Status

    In April 2024, the Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, had completed 9 of 15 systems within the first phase, and will be delayed in completing the final system until the last quarter of FY 2024.

    Analysis

    Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028, titled “Improving the Nation’s Cybersecurity”. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

  •  
    Status
      Open
      Closed
    2020-OE-0001-18
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on July 25, 2024

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-19
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on July 25, 2024

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-20
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on April 21, 2022

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-21
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on September 16, 2021

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-22
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on July 25, 2024

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-23
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-24
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on July 08, 2021

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-25
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on May 13, 2021

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2020-OE-0001-26
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on July 01, 2024

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Office of Administration

  •  
    Status
      Open
      Closed
    2020-OE-0001-17
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Closed on March 10, 2022

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.