The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII). HUD maintained a significant number of records that contain PII with limited zero trust controls in place to secure these data. In FY 2022, HUD established a zero trust implementation plan to help the agency address the five zero trust pillars established by CISA; however, by FY 2024, HUD had made limited progress in the initiatives established in its plan. In FY 2024, HUD began to implement some technical controls to support identity pillar functions but lacked overall direction and a clear plan to make significant zero trust progress. HUD did not have an automated process to inventory or categorize data, which restricted its visibility into its PII. HUD monitored its information technology (IT) and cybersecurity risks through its OCIO risk register process; However, the register did not contain specific ZTA implementation risks. HUD did not ensure that systems applied granular access controls, including access tailored to individual actions and individual resource needs. Lastly, agencies were required to fully implement multifactor authentication (MFA) by November 2021 and phishing-resistant MFA for external users by January 2023. As of May 2024, HUD had begun phishing-resistant MFA implementation for just one of its authentication systems. We issued six recommendations to improve HUD’s management of PII in a zero trust environment.
Recommendations
Chief Information Officer
-
Status2023-OE-0007-01OpenClosedClosed on June 03, 2025
HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.
-
Status2023-OE-0007-02OpenClosedClosed on June 03, 2025
HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.
-
Status2023-OE-0007-04OpenClosed
HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.
-
Status2023-OE-0007-06OpenClosed
HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.
Policy Development & Research
-
Status2023-OE-0007-03OpenClosedPriorityPriority
We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.
Status
HUD is working on a plan to address the recommendation. HUD OIG anticipates receiving a corrective action plan no later than April 11, 2025, with a plan for resolving this recommendation.
Analysis
By addressing the recommendation, HUD will be positioned better to protect and prioritize protection for data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-003 to be addressed by HUD.
HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential in the ability to protect and recover from attempted exfiltration attempts.
Office of Administration
-
Status2023-OE-0007-05OpenClosed
HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).