PIH in coordination with other HUD offices as necessary, research and address potential causes of the variance in the number of EBLL cases among States on the EBLL tracker and identify solutions that are within HUD's control.

Status

On May 7, 2024, the Office of Field Operations (OFO) stated that it met with the Real Estate Assessment Center (REAC) and Office of Lead Hazard Control and Healthy Homes (OLHCHH) on March 4 and April 23 and agreed that OFO and OLHCHH will review CDC data on counties with the highest prevalence of EBLLs in children for counties whose states that have reported their BLL data to CDC. OFO will review its EBLL tracker to determine reporting rates by the largest public housing authorities in those counties. OLHCHH will assign an analyst to summarize the most recently available prevalence rates based on selected states. Subsequently, OFO will scrutinize public housing authorities within those states to ascertain the reported cases.

The revised estimated completion date is February 28, 2025.

Analysis

To fully address this recommendation, OFO must provide evidence of meetings held and summaries of the research conducted. For example, what was the exchange with OLHCHH, did OFO coordinate with any other offices, and what research was conducted? OFO needs to research potential causes for the variances and determine what HUD could do to address them.

Alternatively, OFO must establish that there are no solutions within HUD’s control to address any identified causes.

Implementation of this recommendation will help ensure that EBLL cases are reported and recorded appropriately in the EBLL tracker.

Update HUD regulations, policies, and procedures following the regulatory process required by the amended Lead Safe Housing Rule, in consideration of CDC’s lowered BLRV of 3.5 ug/dL.

Status

On June 12, 2024, the Office of Lead Hazard Control and Healthy Homes informed HUD OIG that the draft Federal Register notice of its request for information from Lead Safe Housing Rule stakeholders and the general public on its proposal to adopt CDC's BLRV of 3.5 µg/dL as its EBLL under the rule has been circulated for OGC and preclearance review, which will be followed by Departmental clearance. OLHCHH plans on publishing the Federal Register notice by June 30, 2024, with a 60-day comment period. OLHCHH will provide the link and the link and the notice once it is published. OLHCHH will then review public comments in preparing to decide whether to change the rule's current level, and if so, to what level.

The Office of Lead Hazard Control and Healthy Homes estimated this will be completed by June 30, 2024.

Analysis

To fully address this recommendation, OLHCHH must provide evidence that it has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 ug/dL.

Alternatively, OLHCHH must establish that its research led it to determine that environmental interventions in cases of children with EBLLs between 3.5 and 4.9 µg/dL were ineffective in reducing the children’s blood lead levels and that lowering HUD’s EBLL regulation to 3.5 µg/dL is unnecessary.

Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

• Identification and prioritization of externally provided systems (new and legacy), components, and services.
• How HUD maintains awareness of its upstream suppliers.
• The integration of acquisition processes tools, and techniques to use the acquisition process to protect the supply chain.
• Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

Status

In May 2024, HUD OIG reviewed the Office of the Chief Information Officer’s progress is closing this recommendation as part of the annual FY 2024 FISMA evaluation. At that time, HUD provided additional evidence in the form of draft SCRM Policy, SCRM Procedures, SCRMES Charter, and a SCRM Technical Roadmap. Additionally, HUD provided agency-specific clauses. At the time, the guidance had not yet been finalized.

Analysis

To fully address this recommendation, HUD must establish that it has defined and communicated policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. Implementation of this recommendation will result in HUD continuing to mature in supply chain risk management, establishing and defining the policies and procedures of SCRM requirements as it relates to systems and system components.

Evaluate IT acquisition process workflows and identify ways to simplify the processes, facilitate more effective stakeholder coordination across offices, and create efficiencies when possible.

Status

The Office of the Chief Procurement Officer had agreed to an estimated completion date of March 2024. In April, The Office of the Chief Procurement Officer provided a status update and agreed to provide updated standard operating procedures once completed. However, no updated date for completion was provided.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published its standard operating procedures resulting from its evaluation of workflows and efforts to simplify processes and facilitate more effective coordination.

Implementation of this recommendation will result in a defined IT acquisition process workflow standard operation procedure to ensure coordination across program offices.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to create rules for allowing only authorized software to be used through HUD's endpoint security software. Final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and implement as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

In April 2024, the Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, had completed 9 of 15 systems within the first phase, and will be delayed in completing the final system until the last quarter of FY 2024.

Analysis

Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028, titled “Improving the Nation’s Cybersecurity”. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

In April 2024, the Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, had completed 9 of 15 systems within the first phase, and will be delayed in completing the final system until the last quarter of FY 2024.

Analysis

Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028, titled “Improving the Nation’s Cybersecurity”. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.