U.S. flag

An official website of the United States government Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Hotline

Report Fraud, Waste and Abuse
October 29, 2024
2024-OE-0002

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security (InfoSec) program, assess their compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2024 annual assessment. HUD continued to take positive steps to improve its IT security posture.  HUD improved its InfoSec program to maturity level 3, consistently implemented.  However, at this level HUD’s InfoSec program is not considered effective.  HUD’s InfoSec program scored a 3.08 for the core metrics and a 3.30 for the FY 2024 supplemental metrics, both of which were at maturity level 3, consistently implemented.  HUD increased in maturity for 22 metrics and maintained the same maturity for the remaining 15 metrics.  Notably, not only did HUD achieve maturity level 4, managed and measurable, for the first time and it did so in 14 metrics. 

 

Recommendations

Chief Information Officer

  •  
    Status
      Open
      Closed
    2024-OE-0002-01

    HUD OCIO should a) resolve the conflicts between its Inventory of Automated Systems (IAS) policy and web applications policy to clarify if web applications will be inventories in IAS, the web application Sharepoint site, or both; and b) implement the chosen resolution to this conflict to develop a consistent inventory of web applications (IG FISMA metric 1).

  •  
    Status
      Open
      Closed
    2024-OE-0002-02

    HUD OCIO should implement an automated governance, risk, and compliance tool to manage risk from all sources across the three tiers of the organization in a timely manner. This recommendation updates FY 2021 FISMA recommendation number 5 (IG FISMA metrics 5, 9, and 10).

  •  
    Status
      Open
      Closed
    2024-OE-0002-03

    HUD OCIO should employ automation to maintain a timely and accurate view of security configuration information for all systems connected to its network (IG FISMA metric 20).

  •  
    Status
      Open
      Closed
    2024-OE-0002-04

    HUD OCIO should demonstrate that it can implement its defined security responses if a baseline configuration is changed without authorization. This can be shown by either a response to a real incident if one happens or through a testing exercise if there are no applicable incidents (IG FISMA metric 23).

  •  
    Status
      Open
      Closed
    2024-OE-0002-05

    HUD OCIO should review its security training program and determine whether it should provide general cybersecurity awareness training to external users of its systems and data (IG FISMA metric 44).