HUD OCIO should develop a comprehensive ICAM policy, strategy, process, and technology solution roadmap, including milestones, budget estimates, and appropriate technology solution details (IG FISMA metric 27). This recommendation replaces FY 2020 FISMA recommendation 11.

HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).

HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).

HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).

HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

PIH in coordination with other HUD offices as necessary, research and address potential causes of the variance in the number of EBLL cases among States on the EBLL tracker and identify solutions that are within HUD's control.

Status

As of July 30, 2025, PIH’s Office of Field Operations (OFO) has coordinated with the Office of Lead Hazard Control and Healthy Homes (OLHCHH) on the EBLL data requested and obtained from PHAs.  OFO’s timeline to finish implementing the recommendation:

• Conduct and complete research and comparison by September 30, 2025.  OFO will need to ensure that any EBLL documentation received from PHAs is accurate and accounted for in its EBLL tracked.
• Complete final review and revisions by October 31, 2025.  OFO will need to contact PHAs for any necessary revisions or missing documentation.
• Stakeholder feedback and incorporation of edits by December 31, 2025.  Stakeholders include OFO leadership and PIH’s Real Estate Assessment Center (REAC).
• Final approvals and sign offs by OFO leadership by March 27, 2026.
• Final reporting and closure documentation by March 31, 2026.  OFO will develop guidance and training materials to ensure that OFO field offices are able to properly communicate EBLL guidance to PHAs.

The estimated completion date is March 31, 2026.  The original estimated completion date was June 30, 2024, and was revised to account for (1) delays in responses from various PHAs in providing current and accurate information on EBLLs to OFO and (2) stakeholder input and review from various offices across HUD.

Analysis

To fully address this recommendation, OFO must provide evidence of completion of each step in its timeline, such as research and comparisons conducted and communications with stakeholders in HUD and with PHAs.

Implementation of this recommendation will help ensure that EBLL cases are reported and recorded appropriately in the EBLL tracker.

Update HUD regulations, policies, and procedures, following the regulatory process required by the amended LSHR, in consideration of CDC’s lowered BLRV of 3.5 µg/dL.

Status

On January 17, 2025, HUD published a Federal Register notice to modify its EBLL threshold under its Lead Safe Housing Rule from to 5 to 3.5 micrograms of lead per deciliter of blood (µg/dL) for a child under the age of 6, consistent with the Centers for Disease Control and Prevention's current blood lead reference value of 3.5 µg/dL.  

As of July 17, 2025, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that HUD has drafted a joint notice for HUD offices impacted by the modified elevated blood lead level (EBLL) threshold.  These offices include OLHCHH, the Office of Community Planning and Development (CPD), the Office of Multifamily Housing Programs (MF), and the Office of Public and Indian Housing (PIH).

OLHCHH’s timeline to finish implementing the recommendation:

• The notice will enter the clearance process by the end of August.
• CPD, MF, PIH, and OLHCHH will publish the final joint notice by September 30, 2025.

The estimated completion date for these actions is September 30, 2025.  The original estimated completion date was June 30, 2024, and was revised to account for the time required to (1) receive and review public comments on HUD’s proposed change to the EBLL threshold and (2) coordinate the implementation of the EBLL threshold change across the impacted HUD offices.
  

Analysis

To fully address this recommendation, OLHCHH must provide evidence that HUD has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 ug/dL.

Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.
 

Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.

Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.

Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.