
The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security program, assess its compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2020 annual assessment.

The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.  Please contact the Office of Evaluation at [email protected] to request a copy of this report.

Recommendation Status Date Issued Summary
2020-OE-0001-01 Open November 30, 2020

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.


Status

As of October 2023, the Office of the Chief Information Officer stated that it could not implement the requirements of this recommendation due to a lack of resources. OIG requested a risk-based decision or plan of actions and milestones as documentation of a plan to move forward when resources become available, which has not yet been provided.


Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and has implemented it per NIST Special Publication 800-167, or accept the risk and document mitigating measures via a Risk Based Decision (RBD) memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

2020-OE-0001-02 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-03 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-04 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-05 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-06 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-07 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-08 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-09 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-10 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-11 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-12 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-13 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-14 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-15 Open November 30, 2020

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.


Status

In FY 2021, OCIO stated that new technologies were needed to implement HUD's strategy for Identity, Credential, and Access Management (ICAM) and that the previous ICAM plan would no longer be effective. HUD attempted to implement a new ICAM solution that year but did not progress past the planning phase. Executive Order 14028 required HUD to implement multifactor authentication by November 8, 2021.

HUD received half of the funding it requested from the Technology Modernization Fund (TMF) to implement another ICAM solution that is in progress, and HUD held a strategic ICAM summit in late August 2023 to develop a strategy for implementation.


Analysis

To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received. HUD OIG plans to assess this recommendation during the FY 2024 FISMA evaluation (fieldwork from March – May 2024) and add it to our monthly recommendation meeting with HUD OCIO in late January 2024.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

2020-OE-0001-16 Open November 30, 2020

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.


Status

In FY 2021, the Office of the Chief Information Officer (OCIO) stated that new technologies were needed to implement HUD's strategy for Identity, Credential, and Access Management (ICAM) and that the previous ICAM plan would no longer be effective. HUD attempted to implement a new ICAM solution that year but did not progress past the planning phase. Executive Order 14028 required HUD to implement multifactor authentication by November 8, 2021.

HUD received half of the funding it requested from the Technology Modernization Fund (TMF) to implement another ICAM solution that is in progress, and HUD held a strategic ICAM summit in late August 2023 to develop a strategy for implementation.


Analysis

To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received. HUD OIG plans to assess this recommendation during the FY 2024 FISMA evaluation (fieldwork from March – May 2024) and add it to our monthly recommendation meeting with HUD OCIO in late January 2024.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

2020-OE-0001-17 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-18 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-19 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-20 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-21 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-22 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-23 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-24 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-25 Closed November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001-26 Open November 30, 2020 The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.