Information Security and Privacy:
HUD Needs a Major Effort to Protect Data Shared with External Entities
GAO-20-431: Published: Sep 21, 2020. Publicly Released: Sep 21, 2020.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-4456
harriscc@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
The Department of Housing and Urban Development collects huge amounts of sensitive personal information for its housing, community investment, and mortgage loan programs. HUD often shares this information with affiliated agencies; contractors; and state, local, and tribal groups.
HUD isn't taking enough action to protect information exchanged with others. The agency expects external entities to have security and privacy controls for processing, storing, or sharing information outside of HUD systems but hasn't put policies in place to ensure that they protect data.
Our recommendations address the issue to better protect sensitive shared data.
Additional Materials:
- Highlights Page:
- Full Report:
- Accessible Version:
Contact:
(202) 512-4456
harriscc@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
The Department of Housing and Urban Development (HUD) is not effectively protecting sensitive information exchanged with external entities. Of four leading practices for such oversight, HUD did not address one practice and only minimally addressed the other three in its security and privacy policies and procedures (see table). For example, HUD minimally addressed the first leading practice because its policy required federal agencies and contractors with which it exchanges information to implement risk-based security controls; however, the department did not, among other things, establish a process or mechanism to ensure all external entities complied with security and privacy requirements when processing, storing, or sharing information outside of HUD systems. HUD's weaknesses in the four practices were due largely to a lack of priority given to updating its policies. Until HUD implements the leading practices, it is unlikely that the department will be able to mitigate risks to its programs and program participants.
Extent to Which the Department of Housing and Urban Development (HUD) Policies and Procedures Address Leading Practices for Overseeing the Protection of Sensitive Information
| Practice | Rating |
|---|---|
| Require risk-based security and privacy controls | ◔ |
| Independently assess implementation of controls | ◌ |
| Identify and track corrective actions needed | ◔ |
| Monitor progress implementing controls | ◔ |
Legend: ◔=Minimally addressed—leading practice was addressed to a limited extent; ◌=Not addressed—leading practice was not addressed.
Source: GAO analysis of HUD data. | GAO-20-431
HUD was not fully able to identify external entities that process, store, or share sensitive information with its systems used to support housing, community investment, or mortgage loan programs. HUD's data were incomplete and did not provide reliable information about external entities with access to sensitive information from these systems. For example, GAO identified additional external entities in system documentation beyond what HUD reported for 23 of 32 systems. HUD was further limited in its ability to protect sensitive information because it did not track the types of personally identifiable information or other sensitive information shared with external entities that required protection. This occurred, in part, because the department did not have a comprehensive inventory of systems, to include information on external entities. Its policies and procedures also focused primarily on security and privacy for internal systems and lacked specificity about how to ensure that all types of external entities protected information collected, processed, or shared with the department. Until HUD develops sufficient, reliable information about external entities with which program information is shared and the extent to which each entity has access to personally identifiable information and other sensitive information, the department will be limited in its ability to safeguard information about its housing, community investment, and mortgage loan programs.
Why GAO Did This Study
To administer housing, community investment, and mortgage loan programs, HUD collects a vast amount of sensitive personal information and shares it with external entities, including federal agencies, contractors, and state, local, and tribal organizations. In 2016, HUD reported two incidents that compromised sensitive information.
House Report 115-237, referenced by the Consolidated Appropriations Act, 2018, included a provision for GAO to evaluate HUD's information security framework for protecting information within these programs. The objectives were to (1) assess the effectiveness of HUD's policies and procedures for overseeing the security and privacy of sensitive information exchanged with external entities; and (2) determine the extent to which HUD was able to identify external entities that process, store, and share sensitive information with applicable systems. GAO compared HUD's policies and practices for systems' security and privacy to four leading practices identified in federal legislation and guidance. GAO also assessed HUD's practices for identifying external entities with access to sensitive information.
What GAO Recommends
GAO is making five recommendations to HUD to fully implement the four leading practices and fully identify the extent to which sensitive information is shared with external entities.
HUD did not agree or disagree with the recommendations, but described actions intended to address them.
For more information, contact Carol C. Harris at (202) 512-4456 or harriscc@gao.gov.
Recommendations for Executive Action
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require the implementation of risk-based security and privacy controls for external entities that process, store, or share sensitive information with HUD. (Recommendation 1)
Agency Affected: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require independent assessments of external entities that process, store, or share sensitive information with HUD to ensure controls are implemented. (Recommendation 2)
Agency Affected: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require identifying and tracking corrective action needed by external entities that process, store, or share sensitive information with HUD. (Recommendation 3)
Agency Affected: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to review and revise department-level security and privacy policies to ensure that they require monitoring of progress in implementing controls/corrective actions by external entities that process, store, or share sensitive information with HUD. (Recommendation 4)
Agency Affected: Department of Housing and Urban Development
Status: Open
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: The Secretary of Housing and Urban Development should direct the Chief Information Officer, Senior Agency Official for Privacy, and Chief Privacy Officer to develop and maintain a comprehensive systems inventory that incorporates sufficient, reliable information about the external entities with which HUD program information is shared and the extent to which each external entity has access to PII and other sensitive information. (Recommendation 5)
Agency Affected: Department of Housing and Urban Development
Explore the full database of GAO's Open Recommendations
»
Oct 9, 2020
Aviation Cybersecurity:
FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics RisksGAO-21-86: Published: Oct 9, 2020. Publicly Released: Oct 9, 2020.
Sep 22, 2020
-
Cybersecurity:
Clarity of Leadership Urgently Needed to Fully Implement the National StrategyGAO-20-629: Published: Sep 22, 2020. Publicly Released: Sep 22, 2020.
Sep 17, 2020
-
Critical Infrastructure Protection:
Treasury Needs to Improve Tracking of Financial Sector Cybersecurity Risk Mitigation EffortsGAO-20-631: Published: Sep 17, 2020. Publicly Released: Sep 17, 2020.
Sep 16, 2020
-
Veterans Affairs:
VA Needs to Address Persistent IT Modernization and Cybersecurity ChallengesGAO-20-719T: Published: Sep 16, 2020. Publicly Released: Sep 16, 2020.
Aug 18, 2020
-
Cybersecurity:
DHS and Selected Agencies Need to Address Shortcomings in Implementation of Network Monitoring ProgramGAO-20-598: Published: Aug 18, 2020. Publicly Released: Aug 18, 2020.
May 27, 2020
-
Cybersecurity:
Selected Federal Agencies Need to Coordinate on Requirements and Assessments of StatesGAO-20-123: Published: May 27, 2020. Publicly Released: May 27, 2020.
May 13, 2020
-
Management Report:
Improvements Are Needed to Enhance the Internal Revenue Service's Information System Security ControlsGAO-20-411R: Published: May 13, 2020. Publicly Released: May 13, 2020.
Apr 24, 2020
-
Information Security:
FCC Made Significant Progress, but Needs to Address Remaining Control Deficiencies and Improve Its ProgramGAO-20-265: Published: Mar 25, 2020. Publicly Released: Apr 24, 2020.
Apr 13, 2020
-
Cybersecurity:
DOD Needs to Take Decisive Actions to Improve Cyber HygieneGAO-20-241: Published: Apr 13, 2020. Publicly Released: Apr 13, 2020.
Feb 11, 2020
-
Office of Congressional Workplace Rights:
Weaknesses in Cybersecurity Management and Oversight Need to Be AddressedGAO-20-199: Published: Feb 11, 2020. Publicly Released: Feb 11, 2020.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
