The U.S. Department of Housing and Urban Development (HUD) Office of Inspector General (OIG) conducted penetration testing concurrently with our fiscal year 2024 Federal Information Security Modernization Act of 2014 (FISMA) evaluation. The objective of the penetration testing evaluation was to test the technical implementation of a limited set of security controls for a selection of HUD information systems and applications: the Office of Housing’s Federal Housing Administration Catalyst system, the Office of the Chief Financial Officer’s Line of Credit Control System (LOCCS), the Office of Community Planning and Development’s Disaster Recovery Grant Reporting (DRGR) system, and the Office of Public and Indian Housing’s National Standards for the Physical Inspection of Real Estate (NSPIRE) system.
Our assessment identified nine significant weaknesses related to data protection and website security, underscoring the need to strengthen technical security controls. To address these findings, we provide 13 new recommendations, which will be formally tracked by our office, and 7 opportunities for improvement. These recommendations are designed to enhance HUD’s IT security posture by preventing unauthorized data access, ensuring the integrity and confidentiality of sensitive information, and protecting against web-based threats.
OIG has determined that this report contains sensitive information and is therefore not appropriate for public disclosure.
