HUD Fiscal Year 2018 Federal Information Security Modernization Act of 2014 (FISMA) Evaluation Report | Office of Inspector General, Department of Housing and Urban Development

October 31, 2018

Chief Information Officer

2018-OE-0003

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security program, assess their compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2018 annual assessment.

The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials. Please contact the Office of Evaluation at [email protected] to request a copy of this report.

Recommendations

Recommendation	Status	Date Issued	Summary
2018-OE-0003-01	Open	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-02	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-03	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-04	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-05	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-06	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-07	Open	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-08	Open	October 31, 2018	Implement and formally document a regularly scheduled credentialed (authenticated) vulnerability scan program of all network components and applications, including web applications, in accordance with HUD risk management decisions. This recommendation replaces FY 2015 recommendation number 2 and updates FY 2016 recommendation number 4 (derived from OIG FISMA metric 18).
2018-OE-0003-09	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-10	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-11	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-12	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-13	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-14	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-15	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-16	Open	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-17	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-18	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-19	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-20	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-21	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-22	Open	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-23	Open	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-24	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-25	Open	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-26	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-27	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-28	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-29	Closed	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2018-OE-0003-30	Open	October 31, 2018	The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.