Date Issued
Submitting OIG
Department of Housing and Urban Development OIG
Agencies Reviewed/Investigated
Department of Housing and Urban Development
Report Number
2022-OE-0001
Report Description

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security program, assess its compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2022 annual assessment. The OIG has determined that the contents of this report would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

 


Recommendations

 

Chief Information Officer

  •   2022-OE-0001-01

     

    HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

     

  •   2022-OE-0001-02

     

    HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).

     

  •   2022-OE-0001-03

     

    HUD OCIO and the Office of Administration should implement procedures to ensure proper validation of media sanitization in accordance with HUD Media Protection Procedures 2.0 (February 2022) and form HUD 1067A, Certification of Sanitization (derived from metric 36).

     

  •   2022-OE-0001-04

    Sensitive

     

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

     

  •   2022-OE-0001-05

    Closed on August 05, 2024

     

    HUD OCIO should ensure that system owners and information system security officers consistently test their ISCPs and upload the test results to CSAM in accordance with HUD’s defined ISCP testing policy (derived from metric 63).

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
0
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No
Hide this report from display
Yes

Open Recommendations

This report has 4 open recommendations.
Recommendation Number Significant Recommendation Recommended Questioned Costs Recommended Funds for Better Use Additional Details
2022-OE-0001-01 No $0 $0

HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

2022-OE-0001-02 No $0 $0

HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).

2022-OE-0001-03 No $0 $0

HUD OCIO and the Office of Administration should implement procedures to ensure proper validation of media sanitization in accordance with HUD Media Protection Procedures 2.0 (February 2022) and form HUD 1067A, Certification of Sanitization (derived from metric 36).

2022-OE-0001-04 No $0 $0

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Department of Housing and Urban Development OIG

United States