HUD OCIO should consistently implement personnel accountability procedures to ensure that assigned cybersecurity risk management roles are being performed in an effective manner (IG FISMA metric 7).

HUD OCIO should ensure that external systems, such as cloud systems and cloud service providers, have and maintain configuration management plans that are consistent with HUD’s defined configuration management requirements (IG FISMA metric 19).

HUD OCIO should define and implement metrics to monitor the effectiveness of ICAM program activities and assist in identifying areas for improvement (IG FISMA metric 26).

HUD OCIO should develop a comprehensive ICAM policy, strategy, process, and technology solution roadmap, including milestones, budget estimates, and appropriate technology solution details (IG FISMA metric 27). This recommendation replaces FY 2020 FISMA recommendation 11.

HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).

HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).

HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).

HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

PIH in coordination with other HUD offices as necessary, research and address potential causes of the variance in the number of EBLL cases among States on the EBLL tracker and identify solutions that are within HUD's control.

Status

As of November 13, 2024, the PIH Office of Field Operations (OFO) had completed its outreach data collection and identified 9 public housing authorities that had not completed the required EBLL reporting actions and that OFO informed the field office directors overseeing the appropriate PHAs that they had until November 6, 2024, to upload the proper information to the trackers. As of January 29, 2025, OFO field office directors and their staff were still updating and inputting EBLL cases and relevant documentation into the EBLL tracker due to delays in responses from PHAs. The estimated completion date is February 28, 2025.

Analysis

To fully address this recommendation, OFO must provide evidence that it coordinated with other HUD offices and identified the causes of the variances in the number of EBLL cases among states on the EBLL tracker. OFO must also demonstrate that it fully remedied the causes of the variances. Alternatively, OFO must provide an explanation sufficient to support a claim that it could not identify the causes of the variances or develop and implement solutions for problems it identified in its research.

Implementation of this recommendation will result in improved HUD data of EBLL cases of children living in public housing across the country. Accurate reporting of EBLL cases to HUD is essential so that HUD can ensure PHAs take effective environmental interventions that help prevent additional lead exposure.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

• Identification and prioritization of externally provided systems (new and legacy), components, and services.
• How HUD maintains awareness of its upstream suppliers.
• The integration of acquisition processes tools, and techniques to use the acquisition process to protect the supply chain.
• Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

Status

On January 17, 2025, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that the Office of the Federal Register published a notice, Modifying HUD’s Elevated Blood Lead Level Threshold for Children Under Age 6 Who Are Living in Certain HUD-Assisted Target Housing Covered by the Lead Safe Housing Rule. The notice announced that HUD is lowering its EBLL threshold from 5 to 3.5 µg/dL for a child under the age of 6, consistent with the CDC’s current blood lead reference value of 3.5 µg/dL, effective January 17, 2025. Next, OLHCHH will assist the Office of Community Planning and Development, the Office of Multifamily Housing Programs, and the Office of Public and Indian Housing to draft, circulate, and publish EBLL notices. The estimated completion date is June 30, 2025.

Analysis

To fully address this recommendation, OLHCHH must provide evidence that it has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered blood lead reference value of 3.5 ug/dL.

Implementation of this recommendation will help ensure children living in public housing with elevated blood lead levels receive effective environmental interventions.