The OIG evaluated the U.S. Department of Housing and Urban Development’s (HUD) progress in applying zero trust security principles to protect personally identifiable information (PII). HUD maintained a significant number of records that contain PII with limited zero trust controls in place to secure these data. In FY 2022, HUD established a zero trust implementation plan to help the agency address the five zero trust pillars established by CISA; however, by FY 2024, HUD had made limited progress in the initiatives established in its plan. In FY 2024, HUD began to implement some technical controls to support identity pillar functions but lacked overall direction and a clear plan to make significant zero trust progress. HUD did not have an automated process to inventory or categorize data, which restricted its visibility into its PII. HUD monitored its information technology (IT) and cybersecurity risks through its OCIO risk register process; however, the register did not contain specific ZTA implementation risks. HUD did not ensure that systems applied granular access controls, including access tailored to individual actions and individual resource needs. Lastly, agencies were required to fully implement multifactor authentication (MFA) by November 2021 and phishing-resistant MFA for external users by January 2023. As of May 2024, HUD had begun phishing-resistant MFA implementation for just one of its authentication systems. We issued six recommendations to improve HUD’s management of PII in a zero trust environment.
Date Issued
Submitting OIG
Department of Housing and Urban Development OIG
Agencies Reviewed/Investigated
Department of Housing and Urban Development
Report Number
2023-OE-0007
Report Description
Report Type
Inspection / Evaluation
Agency Wide
Yes
Number of Recommendations
6
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No