The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst,…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to…

The Office of Evaluation began preliminary research related to the Program Management Improvement Accountability Act (PMIAA) of 2016.  The objective was to determine how HUD has implemented and complied with the requirements of PMIAA.  After completing informational interviews with HUD officials and reviewing related documentation, we have determined that a full evaluation is premature at this time because HUD is still…

We audited the U.S. Department of Housing and Urban Development’s (HUD) Office of the Chief Procurement Officer’s use of its quality assurance surveillance plan (QASP) for its Atlanta Homeownership Center field service management (FSM) housing contracts.  We initiated the audit to support HUD’s priority on increasing efficiency in procurement.  An assessment of HUD’s use of its QASP, as part of its 3.10 FSM 5-year contract…

We conducted this evaluation to assess the maturity of HUD’s Robotic process automation (RPA) activities and determine whether HUD had implemented related controls to address technology and program management risks.  RPA is a software technology used to emulate human actions on a computer.  RPA software programs, referred to as “bots,” can complete repetitive tasks quickly and consistently, freeing up employees to work on…

We audited the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) infrastructure to support mandatory telework. During mandatory telework, more employees simultaneously needed remote access to HUD’s network and agency resources for an extended period, which presented unique risks and security requirements. While HUD is no longer operating under mandatory telework, understanding the challenges it faced…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation…

We audited the U.S. Department of Housing and Urban Development’s (HUD) transitioning of offices from mandatory to maximum telework during the coronavirus disease 2019 (COVID-19) pandemic, based on a request from Representative Gerald Connolly, to review whether HUD was employing best practices and existing guidance when deciding whether or when to require Federal employees to return to their offices.  Transitioning an office to…

The Federal Information Security Modernization Act of 2014 (FISMA) requires all federal agencies to conduct independent security technical verification testing on a sampling of information systems annually.  In conjunction with our fiscal year 2021 FISMA evaluation (2021-OE-0001), we conducted a targeted security testing assessment of sample systems that resulted in a Topic Brief.  The objective of this application…

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) ability to effectively complete information technology (IT) acquisitions.  HUD’s IT systems and its modernization plans depend heavily on contractors, yet HUD has historically faced significant challenges with implementing effective acquisition processes. Therefore, HUD’s acquisition capacity represents a key potential risk within HUD’s IT environment. We…

The brief provides an update to the original 2018 topic brief, and highlights key challenges faced by HUD in managing and improving its IT program.  The brief is not based on new work, but is a summary of 83 reports and 788 recommendations from past HUD OIG and GAO reports. It discusses the present IT environment at HUD, previously identified and new IT-related challenges, and HUD’s efforts and progress in addressing these…

While some of HUD’s efforts to improve its hiring and human capital functions and reduce its average time-to-hire have been successful, HUD’s hiring process overall was not efficient.  HUD’s Office of the Chief Human Capital Officer (OCHCO), which is responsible for developing and implementing policies and procedures associated with human capital management, set a goal to reduce the average time-to-hire but did not meet this goal…

We reviewed the U.S. Department of Housing and Urban Development’s (HUD) information technology (IT) modernization roadmap.  A significant number of HUD’s mission-essential applications have not been modernized, which presents multiple sources of risk.  These applications are hosted on legacy information systems and mainframe platforms, which are operationally inefficient, increasingly difficult to secure, and costly to…

We audited rent credits that the U.S. Department of Housing and Urban Development (HUD) received from the U.S. General Services Administration (GSA) during fiscal years 2015 through 2018 in exchange for financial contributions for building improvements.  We initiated this audit due to concerns we identified while completing a review of HUD’s use of funds approved by Congress for building improvements.[1]  Our objective was to…

We audited information systems controls over the U.S. Department of Housing and Urban Development’s (HUD) computing environment as part of the internal control assessments for the fiscal year 2019 financial statements audit under the Chief Financial Officer’s Act of 1990. Our objective was to assess general controls over HUD’s computing environment for compliance with HUD information technology policies and Federal information system…

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program.  FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation…

We audited selected controls of U.S. Department of Housing and Urban Development’s New Core Interface Solution application as part of the internal control assessments for the fiscal year 2019 financial statement audit.  Our objective was to review the controls for compliance with Federal information system security and financial management requirements. The OIG has determined that the contents of this audit report would not be…

We evaluated the U.S. Department of Housing and Urban Development (HUD) practices for identifying and protecting personally identifiable information (PII).  The evaluation assessed HUD’s current capabilities to properly manage and protect PII and to properly maintain paper and electronic PII records.  This evaluation was conducted in conjunction with the fiscal year (FY) 2019 Federal Information Security Act of 2014 (FISMA)…