Page 29 - FCW, January/February 2020

$7.7B
IG warns HUD about leaky records
The Department of Housing and Urban Development is failing to safeguard and manage more than 1 billion records containing personally identifiable information, according to a management alert from the agency’s internal watchdog.
A management alert bulletin issued Jan. 13 by HUD’s Office of Inspector General warns that the department “is unable to identify, categorize, and adequately secure all of its electronic and paper records that contain personally identifiable information.”
An accompanying memorandum, circulated to HUD officials in December, highlights several risk factors. For instance, HUD maintains legacy systems that lack basic capabilities for processing electronic transactions, which leads to a reliance on paper processing. A survey of HUD officials found that many are concerned about the volume of paper records held by the agency. Those records include mortgage binders filled with personal and financial information.
In addition, the agency lags behind on complying with governmentwide efforts to convert paper documents to electronic records and in implementing a data classification process to identify and tag controlled unclassified information.
In the December memorandum, OIG officials said a formal report was forthcoming, but in the course of their assessment, they “encountered specific records management and privacy issues that pose a serious threat to sensitive information that we believed important to raise now rather than wait for the conclusion of our broader evaluation.”
Auditors discovered that HUD lacks an agencywide records inventory, and eight of 25 offices surveyed had an inventory of electronic records that contained personally identifiable information. Furthermore, HUD systems don’t allow for any kind of enterprisewide search to locate sensitive information.
“As a federal agency housing such an extensive amount of sensitive data, HUD must prioritize its capability to properly identify and protect this information,” the OIG alert states. “Failure to do so places both the agency and private citizens at risk.”
The alert comes at a time when some members of Congress are raising concerns about reports that HUD is using facial recognition software to provide security in housing facilities subsidized by the agency. A group of Democratic lawmakers from the House and Senate sent a letter to HUD Secretary Ben Carson in December asking about the use of such technology in federally subsidized housing and seeking information on the agency’s rules for collecting and retaining biometric data.
— Adam Mazmanian
$7.7B is the eight-year ceiling on the services portion of the Navy’s NGEN contract recompete, which was awarded to Leidos
CISA issues alert about NSA-discovered Windows 10 flaw
The National Security Agency informed Microsoft about the existence of a previously unidentified flaw in the Windows 10 operating system that could allow a man-in-the-middle attacker to spoof public-key infrastructure certificates of trusted individuals.
Microsoft moved quickly to issue patches during its regular Patch Tuesday updates, and the Cybersecurity and Infrastructure Security Agency issued an emergency directive that day giving federal agencies 10 business days to ensure the patches are applied to “all affected endpoints on agency information systems” as well as new or existing disabled endpoints.
“Agencies should prioritize patching mission-critical systems and High Value Assets (HVAs), internet-accessible systems, and servers,” the directive states. “Agencies should then apply the patch to the remaining endpoints.”
Public-key infrastructure is used to authenticate users and securely associate cryptographic keys with users and devices. Attackers could use the vulnerability to trick users into installing “updates” from trusted parties that are actually malware.
“It bypasses the trust store, allowing unwanted or malicious software to masquerade as authentically signed by a trusted or trustworthy organization, which may deceive users or thwart malware detection methods like antivirus,” the CISA directive states.
While cybersecurity experts are still debating the severity of the flaw, the notification (and public confirmation) from NSA is rare and indicates that the agency views the potential for harm as serious.
“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the agency stated in a cybersecurity directive.
— Derek B. Johnson