The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.
HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst, are largely dependent on enterprise initiatives and technical solutions to effectively implement many zero trust controls. Housing conducted data inventories but was unable to automate the process and had not yet included FHA Catalyst in its inventories. HUD lacked enterprise data management processes, standards and technical solutions, which impacted Housing’s ability to manage data. Housing had not applied dynamic access controls within FHA Catalyst to limit access based on user actions and resource needs, and the system did not support continuous reauthentication of users based on their sessions. FHA Catalyst further lacked the capability for automated user activity logging, which is necessary to detect anomalies and help identify potential attacks. We issued 3 recommendations to improve Housing’s management of PII in a zero trust environment.
Open configuration options
Open configuration options
Recommendations
Housing
-
Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization.
-
Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed.
-
Housing should coordinate with HUD’s SOC to a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities. b. Establish program office responsibility for the log review process.
