Date Issued
Submitting OIG
Department of Housing and Urban Development OIG
Agencies Reviewed/Investigated
Department of Housing and Urban Development
Components
Chief Information Officer
Report Number
2023-OE-0007a
Report Description

The OIG evaluated the U.S. Department of Housing and Urban Development (HUD) Office of Housing’s (Housing) progress in applying zero trust security principles to protect personally identifiable information (PII) within the Federal Housing Administration (FHA) Catalyst system.

HUD was in the beginning stages of implementing zero trust requirements for the data and identity pillars. HUD Office of Housing systems, including FHA Catalyst, are largely dependent on enterprise initiatives and technical solutions to effectively implement many zero trust controls. Housing conducted data inventories but was unable to automate the process and had not yet included FHA Catalyst in its inventories.  HUD lacked enterprise data management processes, standards and technical solutions, which impacted Housing’s ability to manage data. Housing had not applied dynamic access controls within FHA Catalyst to limit access based on user actions and resource needs, and the system did not support continuous reauthentication of users based on their sessions.  FHA Catalyst further lacked the capability for automated user activity logging, which is necessary to detect anomalies and help identify potential attacks.  We issued 3 recommendations to improve Housing’s management of PII in a zero trust environment.

 


Recommendations

 

Housing

  •   2023-OE-0007a-01

    Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization.

  •   2023-OE-0007a-02

    Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed.

  •   2023-OE-0007a-03

    Housing should coordinate with HUD’s SOC to
      a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities.
      b. Establish program office responsibility for the log review process.

Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
0
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 3 open recommendations.
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 2023-OE-0007a-01 | No | $0 | $0 | Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization. |
| 2023-OE-0007a-02 | No | $0 | $0 | Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed. |
| 2023-OE-0007a-03 | No | $0 | $0 | Housing should coordinate with HUD's SOC to a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities. b. Establish program office responsibility for the log review process. |
