U.S. flag

An official website of the United States government Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Hotline

Report Fraud, Waste and Abuse
December 12, 2024
2023-OE-0007

The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII).  HUD maintained a significant number of records that contain PII with limited zero trust controls in place to secure these data.  In FY 2022, HUD established a zero trust implementation plan to help the agency address the five zero trust pillars established by CISA; however, by FY 2024, HUD had made limited progress in the initiatives established in its plan.  In FY 2024, HUD began to implement some technical controls to support identity pillar functions but lacked overall direction and a clear plan to make significant zero trust progress. HUD did not have an automated process to inventory or categorize data, which restricted its visibility into its PII. HUD monitored its information technology (IT) and cybersecurity risks through its OCIO risk register process; However, the register did not contain specific ZTA implementation risks. HUD did not ensure that systems applied granular access controls, including access tailored to individual actions and individual resource needs. Lastly, agencies were required to fully implement multifactor authentication (MFA) by November 2021 and phishing-resistant MFA for external users by January 2023.  As of May 2024, HUD had begun phishing-resistant MFA implementation for just one of its authentication systems. We issued six recommendations to improve HUD’s management of PII in a zero trust environment.

Recommendations

Chief Information Officer

  •  
    Status
      Open
      Closed
    2023-OE-0007-01
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2023-OE-0007-02
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2023-OE-0007-04
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2023-OE-0007-06
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Policy Development & Research

  •  
    Status
      Open
      Closed
    2023-OE-0007-03
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Office of Administration

  •  
    Status
      Open
      Closed
    2023-OE-0007-05
    Sensitive
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Housing

  •  
    Status
      Open
      Closed
    2023-OE-0007a-01

    Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization.

  •  
    Status
      Open
      Closed
    2023-OE-0007a-02

    Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed.

  •  
    Status
      Open
      Closed
    2023-OE-0007a-03

    Housing should coordinate with HUD’s SOC to a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities. b. Establish program office responsibility for the log review process.