We evaluated the U.S. Department of Housing and Urban Development (HUD) practices for identifying and protecting personally identifiable information (PII). The evaluation assessed HUD’s current capabilities to properly manage and protect PII and to properly maintain paper and electronic PII records. This evaluation was conducted in conjunction with the fiscal year (FY) 2019 Federal Information Security Act of 2014 (FISMA) evaluation 2019-OE-0002.
We determined that HUD had taken positive steps to improve its records management practices. It had initiated modernization efforts to transition paper-based processes to electronic processes, begun addressing and closing OIG privacy-related recommendations that had been open for several years, and developed a formal communications plan to increase program awareness. The records officer had increased and improved training for records specialists in program offices and was directing an extensive records inventory project. However, HUD had not designated a Senior Agency Official for Records Management (SAORM) at the Assistant Secretary level as required by OMB, and was not meeting certain Federal requirements. HUD was not able to identify and inventory all PII, or search for or track PII. Recordkeeping practices and retention schedules were outdated, and HUD had not fully integrated the records program with risk management and information technology programs.
We provide nine new recommendations designed to address HUD’s most significant legal and regulatory obligations, along with other critical challenges laid out in this report.
Recommendations
Office of Administration
- Status2019-OE-0002a-01OpenClosedClosed on Agosto 27, 2021
Designate a Senior Agency Official for Records Management at the Assistant Secretary level or its equivalent.
- Status2019-OE-0002a-02OpenClosedClosed on Agosto 27, 2021
Update and issue agency formal records policy, including detailed procedures and requirements for completing and maintaining program office and agencywide inventories of systems, records, and PII.
- Status2019-OE-0002a-03OpenClosed
Update and obtain final NARA approval of all HUD records retention schedules, including the Capstone email schedule, to comply with Federal requirements, including OMB M-19-21.
- Status2019-OE-0002a-04OpenClosed
Develop and approve an enterprise strategy to meet all M-19-21 electronic transition requirements.
- Status2019-OE-0002a-05OpenClosed
Issue a formal policy and requirements for managing CUI.
- Status2019-OE-0002a-06OpenClosedClosed on Agosto 27, 2021
Establish and disseminate a policy on safeguarding or prohibiting the transportation of PII records out of the office for telework purposes.
- Status2019-OE-0002a-07OpenClosed
Complete the development of performance measures and establish a formal records evaluation process to measure the effectiveness and progress of the records management program.
- Status2019-OE-0002a-08OpenClosedClosed on Agosto 27, 2021
Standardize processes and duties for all RMLOs.
- Status2019-OE-0002a-09OpenClosedClosed on Agosto 27, 2021
Conduct a staffing resource assessment for the HUD records program and identify any skills gaps or resource needs.