HUD FY 2025 Federal Information Security Modernization Act (FISMA) Evaluation Report

The Federal Information Security Modernization Act of 2014 (FISMA) directs Inspectors General to conduct an annual evaluation of the agency information security program. FISMA, Department of Homeland Security (DHS), Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) establish information technology (IT) security guidance and standards for Federal agencies. We conducted this evaluation to assess the overall effectiveness of the Department of Housing and Urban Development’s information security (InfoSec) program, assess their compliance with Federal guidance, and respond to OMB reporting questions for the fiscal year 2025 annual assessment.  In FY 2025, we assessed HUD at maturity level 3, consistently implemented, for its overall InfoSec program.  HUD has made incremental progress across its InfoSec program and should continue to take steps to improve the security of its IT systems and assets, which will lead to an increase in its FISMA maturity level.  We assessed HUD’s maturity across 25 metrics.  HUD scored 3.13 in the 20 core metrics that we have assessed every year since FY 2022, and it scored 2.67 in the 5 supplemental metrics that were first assessed in FY 2025.