U.S. flag

An official website of the United States government Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Línea Directa

REPORTAR FRAUDE, DESPERDICIO O ABUSO
  • Recommendation Number: 2023-OE-0007-04
  • Status: Open
  • Date Issued: Diciembre 12, 2024

HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.

Publication Report

2023-OE-0007 | Diciembre 12, 2024

U.S. Department of Housing and Urban Development Personally Identifiable Information Risk Management in a Zero Trust Environment (2023-OE-0007) Evaluation Report

The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII).  HUD maintained a significant number of records that contain... más

Related Recommendations

Chief Information Officer

  •  
    Status
      Open
      Closed
    2023-OE-0007-01
    Closed on Junio 03, 2025
    Summary

    HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.

  •  
    Status
      Open
      Closed
    2023-OE-0007-02
    Closed on Junio 03, 2025
    Summary

    HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.

  •  
    Status
      Open
      Closed
    2023-OE-0007-06
    Summary

    HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.

Policy Development & Research

  •  
    Status
      Open
      Closed
    2023-OE-0007-03
    Prioridad
    Priority

    We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.

    Summary

    The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

    Status

    HUD provided a corrective action plan for this recommendation in May 2025. The planned corrective action requires the agency to acquire a data management system, develop cataloging standards, and coordinate with the program offices stated in the recommendation to ensure data is handled in a secure manner. The procurement process has not yet begun, yet in their initial plans, HUD will require vendor support to develop this tool. The estimated completion date of this recommendation is September 2027.

    Analysis

    By addressing the recommendation, HUD will be positioned better to protect and prioritize protection for data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-03 to be addressed by HUD.

    HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential in the ability to protect and recover from attempted exfiltration attempts.

Office of Administration

  •  
    Status
      Open
      Closed
    2023-OE-0007-05
    Summary

    HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).