The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
Publication Report
2021-OE-0001 | February 17, 2022
Fiscal Year 2021 Federal Information Security Modernization Act (FISMA) Evaluation Report
The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget… moreRelated Recommendations
Chief Information Officer
- Status2021-OE-0001-02OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-03OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-04OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-05OpenClosedClosed on April 30, 2025SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-06OpenClosedClosed on October 10, 2023SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-07OpenClosedClosed on September 16, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-08OpenClosedClosed on August 20, 2025SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
PriorityPriorityWe believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and supply chain risk management (SCRM) requirements. This recommendation includes (a) identification and prioritization of externally provided systems (new and legacy), components, and services; (b) how HUD maintains awareness of its upstream suppliers; (c) the integration of acquisition processes, tools, and techniques to use the acquisition process to protect the supply chain; and (d) contract tools or procurement methods to confirm that contractors are meeting their obligations.
Corrective Action
HUD finalized its Supply Chain Risk Management (SCRM) policy in April 2025, which utilizes a SCRM questionnaire to assess each vendor’s supply chain risk, and identifies and prioritizes risks accordingly. HUD’s SCRM program team manages a supply chain risk register which records prior and current vendors, and those that have undergone risk assessments to maintain visibility into its upstream suppliers and track changes over time. HUD also used multiple tools such as supply chain risk criteria and sourcing research and market analysis to evaluate vendors and strengthen protection of the supply chain during acquisition. By implementing these procedures, as well as, having HUD’s program management team conducting annual and quarterly performance reviews for all vendors, HUD ensures contractors are meeting their contractual obligations.
- Status2021-OE-0001-09OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-10OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-11OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-12OpenClosedClosed on October 17, 2023SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-13OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-14OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-15OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-16OpenClosedClosed on July 01, 2025SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-17OpenClosedClosed on August 05, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-18OpenClosedClosed on September 20, 2022SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-19OpenClosedClosed on October 04, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-20OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-21OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-22OpenClosedSensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- Status2021-OE-0001-23OpenClosedClosed on August 05, 2024SensitiveSensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.