Some of the systems used by the Federal Housing Administration’s single-family insurance program are vulnerable to security breaches, an investigation by the agency’s watchdog recently found.
Details on the nature of the “vulnerabilities” are limited at this point; the Office of the Inspector General for the Department of Housing and Urban Development chose not to share the full results of its investigation with the public.
The only mention is a short description of the investigation and its methods posted on the OIG website.
Specifically, the HUD-OIG stated in the brief recap of its investigation that it “reviewed the general and application controls over the FHA’s Single Family Insurance System and Single Family Insurance Claims Subsystem as part of the internal control assessments required for the fiscal year 2015 financial statement audit under the Chief Financial Officer’s Act of 1990.”
The OIG said that the objective of this review was to “assess the general and application controls over SFIS and Claims for compliance with HUD information technology policies and Federal information system security and financial management requirements.”
Normally, the OIG would publish the results of its investigation, as it has done in the past.
But in this case, the OIG did not publish a report based on its investigation. The reason given as part of the recap? “The OIG has determined that the contents of this audit report would not be appropriate for public disclosure and has therefore limited its distribution to those officials listed on the report distribution list.”
When asked for more information on the reasoning behind not disclosing its report, a representative from the OIG said that the results of the investigation revealed some possible security issues and that disclosing the nature of those issues could potentially lead to a security breach.
“On occasion, when we audit information systems we detect vulnerabilities,” a HUD-OIG spokesperson told HousingWire. “Knowledge of these vulnerabilities could be used to circumnavigate security protocols in place to safeguard the system. This is such an audit.”
According to the OIG spokesperson, the practice of not publicly disclosing “sensitive information of this nature” is allowed and conducted in accordance with general government accounting practices recognized by the Government Accounting Office.
The spokesperson also noted that the full audit was delivered to HUD with the OIG’s corresponding recommendations for remedying the issues.