IG faults HUD for stimulus law reporting problems

HUD lapsed on data security; agency blames "aggressive schedule"

• By Alice Lipowicz
• Oct 08, 2009

The Housing and Urban Development Department is months behind schedule and falls short on privacy and security as it tracks its spending under the economic stimulus law, according to a new report from HUD's Office of the Inspector General.

HUD signed a contract in May to develop and manage its $13.6 billion spending provided by the law to fulfill the Obama administration’s transparency goals.

However, HUD did not follow federal policies in developing a risk management strategy and system security plans for the new computer system, Hanh Do, director of the information system audit division for the IG's office, wrote in the Sept. 30 audit report.

“HUD did not complete required security and privacy documents before or during the early phase of system development," Do wrote. “As a result, HUD officials could not ensure that all security controls were in place, implemented correctly, and operating as intended.”

The report recommends that HUD ensure that system's owners develop a system security plan, privacy impact assessment and risk assessment early in the development process.

The department agreed with most of the recommendations and said that an “aggressive schedule” for the stimulus reporting contributed to the problems, Lynn Allen, general deputy chief information officer for HUD, wrote in a letter attached to the report. She wrote that the reporting system was certified and accredited 30 days after it became operational, and he said a privacy impact assessment was performed at the recommendation of the inspector general.

In addition, the report finds fault with HUD’s late filing of required reports on compliance with environmental laws. Under the stimulus law, agencies were required to file reports of compliance with the National Environmental Policy Act in April, June and October.

HUD had problems meeting the first two deadlines and did not provide accurate and timely data to the public on $2.9 billion worth of projects, the report said.

HUD officials said they could not meet the reporting requirements for April because they did not have a departmentwide system in place to collect the data. The stimulus reporting system was created in May and became operational on June 30. Also, some of the data collection was from a wide variety of sources, complicating the project: for example, the Public Housing Capital Fund needs to collect environmental compliance data from more than 3,000 sources.

Also, HUD officials said there were delays in training employees to input environmental data into the reporting system. Training classes for the environmental reporting did not begin until late August, though the first reports were due in April.

HUD has previously been criticized for security problems.  In August, the Government Accountability Office issued a report criticizing HUD's IT management, saying it did not fully comply with federal guidelines and best practices. 

Reader comments