Provide adequate documentation to support its administrative and project delivery cost expenditures or repay the program $1,388,545 from non-Federal funds.

Provide supporting documentation to show whether the outstanding liability of $324,478 is correctly classified as an NSP2 liability. If not, HUD should ensure that NHSLA corrects its NSP2 cost reimbursement summary for the 12 months ending June 30, 2018, to reclassify the expenses to a non-NSP2 program. Such funds would be considered funds to be put to better use.

Develop and implement a HUD-approved cost allocation plan to properly account for indirect program costs.

Establish written payroll policies and procedures in accordance with program requirements for the tracking, recording, and maintenance of direct costs to ensure that time distribution records are in place to support the allocation of charges.

Obtain training to ensure that it understands NSP2 regulations and requirements related to payroll allocation for its administrative and project delivery costs and program income calculation methodology to ensure it properly computes the amount it is allowed to charge for administrative costs.

Support the reasonableness of the South Gate contract or repay NSP2 $856,692 from non-Federal funds.

Develop and implement additional procedures and controls to ensure that HUD procurement requirements are followed.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to create rules for allowing only authorized software to be used through HUD's endpoint security software. Final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and implement as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

In April 2024, the Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, had completed 9 of 15 systems within the first phase, and will be delayed in completing the final system until the last quarter of FY 2024.

Analysis

Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028, titled “Improving the Nation’s Cybersecurity”. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

In April 2024, the Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, had completed 9 of 15 systems within the first phase, and will be delayed in completing the final system until the last quarter of FY 2024.

Analysis

Implementation of this recommendation will result in an enterprise-wide identity and access management solution which addresses the requirements in Executive Order 14028, titled “Improving the Nation’s Cybersecurity”. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement its procurement controls to ensure that it is able to locate and maintain the complete procurement documents for at least 3 years after the closeout of NSP1 and NSP3 in compliance with its own procedures and HUD regulations.

Provide the required documents to support $161,131 in NSP1 and $109,525 in NSP3 funds for expenses for acquisition, rehabilitation, and administration. If the City cannot provide the required documents, it should repay the U.S. Treasury from non-Federal funds.

Repay the U.S. Treasury from non-Federal funds for the $1,550 overpaid to acquire a foreclosed NSP3 property.

Obtain technical assistance from HUD to ensure that it is able to manage the programs and comply with program regulations before processing future expenses related to NSP1 and NSP3 projects and activities.