HUD FY 2023 Federal Information Security Modernization Act (FISMA) Evaluation Report

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security (InfoSec) program, assess their compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2023 annual assessment. HUD’s InfoSec program averaged a score of 2.60 for the 20 core metrics and a 2.86 for the FY 2023 supplemental metrics, both of which are at the “defined” maturity level and are considered not effective. Although HUD improved overall, four of the five metrics in which HUD dropped in maturity were core metrics. HUD made commendable progress on increasing maturity on 10 metrics and should continue to focus on prioritizing maturity in the 20 core metrics and key cyber executive orders and requirements. These efforts will require a shared responsibility of proper resourcing, planning, and support from all levels of leadership across the Department. We issued 23 recommendations to improve HUD’s InfoSec program.