Audit: HUD Doesn’t Ensure Sensitive Data It Shares Is Secure

The Housing and Urban Development Department doesn’t have the right policies in place to protect sensitive citizen information the agency shares with the agencies, contractors or financial institutions it works with, according to a new audit. 

The Government Accountability Office reviewed HUD’s information security framework per a Congressional request made in a 2018 appropriations bill responding to two 2016 privacy incidents. The two incidents resulted in the exposure of hundreds of thousands of Americans’ personal information. 

HUD’s records contain the personally identifiable information of tens of millions of Americans, and the information at risk of exposure due to the agency’s security and privacy gaps includes anything from dates of birth to socioeconomic characteristics and Social Security numbers, according to the audit. Due to the nature of HUD’s work, the agency has to share data with a wide variety of private businesses, contractors and state and local agencies across the country.

The audit, published Monday, compared HUD’s privacy and security policies in place to protect this shared data to four leading practices identified in federal legislation and guidance from agencies including the Office of Management and Budget and the National Institute of Standards and Technology, and found them lacking. HUD did not score above a “minimally addressed” rating on any of the four categories.

“HUD’s weaknesses in the four practices were due largely to a lack of priority given to updating its policies,” the audit reads. “Until HUD implements the leading practices, it is unlikely that the department will be able to mitigate risks to its programs and program participants.”

The four leading practices GAO used to grade HUD are: requiring risk-based security and privacy controls, identifying and tracking corrective actions needed, monitoring progress implementing controls and independently assessing implementation of controls. GAO found HUD “minimally addressed” the first three standards, and did not address the fourth standard. 

GAO pointed straight to agency leadership as a reason for its poor performance in these areas, describing high turnover rates for top privacy and IT security officials. The audit also noted responsibility for HUD’s IT privacy program has shifted several times in recent years. 

HUD is working with incomplete data as well, GAO found. The agency couldn’t identify all the external entities that “process, store, or share sensitive information with its systems used to support housing, community investment, or mortgage loan programs,” according to the audit. HUD also doesn’t keep adequate track of the types of information it was sharing that required protection.

GAO outlined five recommendations HUD should implement to ameliorate privacy and security concerns. The recommendations ask the agency to ensure its policies incorporate risk-based privacy controls; require independent assessments of external entities with which it shares data to ensure information is protected; require tracking corrective measures needed by external entities to implement best practices; require monitoring of implementation progress; and require maintenance of a robust inventory detailing what information HUD shares and with whom. 

But in the brief letter sent back to GAO August 18 regarding the draft version of the audit, HUD Chief Information Officer David Chow did not indicate whether the agency agreed with the five recommendations. The letter included an attachment with comments clarifying two of GAO’s assertions in the audit, which show HUD is making some progress to improve privacy and security best practices. But it did not elaborate further in its comments on any plans it had to implement each of GAO’s five recommendations.

The first comment explained HUD is further into the process of implementing inspector general recommendations related to compliance with the Federal Information Security Management Act, or FISMA, than GAO noted in the draft version of the audit. HUD said it has now either implemented or submitted plans to do so for nearly half of the inspector general’s 30 recommendations, while GAO’s original analysis said it had only made progress on four of the recommendations. 

HUD also said this year it created a new privacy handbook, which in its audit GAO said had not been updated since 1995. The new handbook is undergoing an internal review. HUD updated its security policy handbook in 2020 as well, which GAO said was last refreshed in 2014.