The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst, are largely…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the…

We identified gaps in Ginnie Mae’s guidance and process for troubled issuers.  Ginnie Mae made progress in developing an issuer default governance framework, but has not (1) defined its authorities for marketing troubled portfolios; (2) formalized guidance for how to identify potential buyers before extinguishment; (3) established expectations for determining portfolio value, price before sale, and evaluation against other options or (4)…

Ginnie Mae generally followed Federal guidance in precrisis planning and executed its crisis management strategy with respect to the COVID-19 pandemic.  However, it does not have an agencywide crisis readiness plan, addressing likely hazards arising from a crisis, or include all key elements in line with crisis guidance from CIGFO.

We conducted this evaluation to assess the maturity of HUD’s Robotic process automation (RPA) activities and determine whether HUD had implemented related controls to address technology and program management risks.  RPA is a software technology used to emulate human actions on a computer.  RPA software programs, referred to as “bots,” can complete repetitive tasks quickly and consistently, freeing up employees to work on other, higher…

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced is key to…

We performed a corrective action verification review of the actions taken by the Government National Mortgage Association (Ginnie Mae) to implement the recommendations cited in Audit Report 2016-KC-0002, issued September 21, 2016. The HUD Handbook places the responsibility on HUD’s Office of Inspector General to perform selected corrective action verifications of significant audit recommendations when final actions have been completed.  Our…

We contracted with the independent public accounting firm of CliftonLarsonAllen LLP (CLA) to audit the financial statements of Ginnie Mae as of and for the fiscal years ended September 30, 2022 and 2021, and to provide reports on Ginnie Mae’s 1) internal control over financial reporting; and 2) compliance with laws, regulations, contracts, and grant agreements and other matters. Our contract with CLA required that the audit be performed in…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess…

The Federal Information Security Modernization Act of 2014 (FISMA) requires all federal agencies to conduct independent security technical verification testing on a sampling of information systems annually.  In conjunction with our fiscal year 2021 FISMA evaluation (2021-OE-0001), we conducted a targeted security testing assessment of sample systems that resulted in a Topic Brief.  The objective of this application vulnerability…

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) ability to effectively complete information technology (IT) acquisitions.  HUD’s IT systems and its modernization plans depend heavily on contractors, yet HUD has historically faced significant challenges with implementing effective acquisition processes. Therefore, HUD’s acquisition capacity represents a key potential risk within HUD’s IT environment. We found that a…

The Chief Financial Officers Act of 1990 (Public Law 101-576), as amended, requires the Office of Inspector General to audit the financial statements of the Government National Mortgage Association (Ginnie Mae) annually. Attached are the U.S. Department of Housing and Urban Development (HUD), Office of Inspector General’s (OIG) results of the audit of Ginnie Mae fiscal years 2021 and 2020 financial statements and reports on internal control over…

The brief provides an update to the original 2018 topic brief, and highlights key challenges faced by HUD in managing and improving its IT program.  The brief is not based on new work, but is a summary of 83 reports and 788 recommendations from past HUD OIG and GAO reports. It discusses the present IT environment at HUD, previously identified and new IT-related challenges, and HUD’s efforts and progress in addressing these challenges.…

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) modernization roadmap.  A significant number of HUD’s mission-essential applications have not been modernized, which presents multiple sources of risk.  These applications are hosted on legacy information systems and mainframe platforms, which are operationally inefficient, increasingly difficult to secure, and costly to maintain.…

We audited information systems controls over the U.S. Department of Housing and Urban Development’s (HUD) computing environment as part of the internal control assessments for the fiscal year 2019 financial statements audit under the Chief Financial Officer’s Act of 1990. Our objective was to assess general controls over HUD’s computing environment for compliance with HUD information technology policies and Federal information system security…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess…

This report presents the results of our audit of Ginnie Mae’s fiscal year 2020 financial statements, including our report on Ginnie Mae’s internal control and test of compliance with selected provisions of laws, regulations, and contracts applicable to Ginnie Mae. In fiscal year 2020, we were able to obtain sufficient, appropriate evidence to express an unmodified opinion on the fairness of Ginnie Mae’s financial statements. We also…

We audited selected controls of U.S. Department of Housing and Urban Development’s New Core Interface Solution application as part of the internal control assessments for the fiscal year 2019 financial statement audit.  Our objective was to review the controls for compliance with Federal information system security and financial management requirements. The OIG has determined that the contents of this audit report would not be appropriate…