HUD OCIO should report at least 80 percent of its government-furnished equipment through the DHS CDM program (IG FISMA metric 2).
2023-OE-0001 | Enero 29, 2024
HUD FY 2023 Federal Information Security Modernization Act (FISMA) Evaluation Report
Chief Information Officer
- Status2023-OE-0001-02OpenClosed
- Status2023-OE-0001-03OpenClosed
HUD OCIO should implement a process to consistently update and maintain its inventory of software assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized software assets from the HUD network (IG FISMA metrics 2, 20, and 21).
- Status2023-OE-0001-04OpenClosed
HUD OCIO should update its software inventory policies and procedures to account for critical software as defined by EO 14028 (IG FISMA metrics 3 and 21).
- Status2023-OE-0001-05OpenClosed
HUD OCIO should implement policies and procedures to maintain inventories of critical software and software licenses, critical software platforms, and all software installed on critical software platforms (both critical software and noncritical software) and use the inventory of critical software platforms and all software installed on them to ensure that only supported versions of software are used on those critical software platforms (IG FISMA metrics 3 and 21).
- Status2023-OE-0001-06OpenClosed
HUD OCIO should in coordination with the Chief Risk Officer (CRO), document cybersecurity risk management roles and responsibilities in a consolidated list and; define procedures to hold personnel accountable to their assigned roles in the consolidated list (IG FISMA metric 7)
- Status2023-OE-0001-07OpenClosed
HUD OCIO should consistently implement personnel accountability procedures to ensure that assigned cybersecurity risk management roles are being performed in an effective manner (IG FISMA metric 7).
- Status2023-OE-0001-10OpenClosed
HUD OCIO should ensure that external systems, such as cloud systems and cloud service providers, have and maintain configuration management plans that are consistent with HUD’s defined configuration management requirements (IG FISMA metric 19).
- Status2023-OE-0001-11OpenClosed
HUD OCIO should define and implement metrics to monitor the effectiveness of ICAM program activities and assist in identifying areas for improvement (IG FISMA metric 26).
- Status2023-OE-0001-12OpenClosed
HUD OCIO should develop a comprehensive ICAM policy, strategy, process, and technology solution roadmap, including milestones, budget estimates, and appropriate technology solution details (IG FISMA metric 27). This recommendation replaces FY 2020 FISMA recommendation 11.
- Status2023-OE-0001-13OpenClosed
HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).
- Status2023-OE-0001-14OpenClosed
HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).
- Status2023-OE-0001-15OpenClosed
HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).
- Status2023-OE-0001-16OpenClosed
HUD OCIO should implement procedures to ensure that digital identity risk assessments have been performed and documented in accordance with HUD’s defined procedures and Federal guidelines (IG FISMA metrics 30 and 31).
- Status2023-OE-0001-17OpenClosed
HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).
- Status2023-OE-0001-18OpenClosed
HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).
- Status2023-OE-0001-19OpenClosed
HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).
- Status2023-OE-0001-21OpenClosed
HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).
- Status2023-OE-0001-22OpenClosed
HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).
- Status2023-OE-0001-23OpenClosed
HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).
2024-IG-0001 | Enero 23, 2024
Management Alert: Action Is Needed From HUD Leadership To Resolve Systemic Challenges With Improper Payments
Deputy Secretary
- Status2024-IG-0001-001-AOpenClosedPrioridadPriority
We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
We recommend that the Deputy Secretary Develop and execute a detailed plan and timeline for both testing and reporting estimates of improper payments in the PIH-TBRA and PBRA programs in compliance with Federal law and OMB guidance.
Status
In response to the Management Alert, the Deputy Secretary stated that she would provide a plan in 30 days. On April 10, 2024, the Chief Financial Officer, Assistant Secretary for Housing, and Principal Deputy Assistant Secretary for Public and Indian Housing (PIH) stated their respective executives have been working together to develop a plan to accelerate HUD’s ability to produce statistically valid estimates. With respect to project-based rental assistance (PBRA), HUD plans to use ongoing data collection for fiscal year (FY) 2023 tier 1 and tier 2 payments to develop a statistical estimate in FY 2024. With respect to PIH-TBRA, in lieu of pursuing an estimate for the FY 2024 reporting cycle, PIH will focus on “its existing efforts to enhance PIH [IT] systems”, which HUD considers to be a more strategic use of resources. It is not clear from HUD’s response what PIH will do differently than it already had planned prior to the management alert as HUD did not provide a detailed plan or timeline for OIG review. As of November 20, 2024, a detailed plan or timeline has not been provided.
Analysis
As of November 20, 2024, HUD has not provided a detailed plan or timeline for OIG review. It remains unclear what testing was completed for PBRA in 2024, how HUD will produce a complete estimate in the PBRA programs in future years, and when it will be able to produce an estimate for PIH-TBRA.
For HUD to close this recommendation, it must finish testing the full life cycle of payments in these programs and publicly report estimates of the improper payments in them. Merely producing a plan with future action target dates is not sufficient to meet the spirit of this recommendation.
PBRA and PIH-TBRA are the two largest program expenditures in HUD's portfolio, totaling $45.3 billion in FY 23, or 67.5 percent of HUD's total expenditures. HUD has been challenged with developing a compliant sampling methodology that can test the full payment cycle and that can be executed within the required timeframes. To fully address this recommendation, the sampling methodology should test the full payment cycle, and the associated sample testing and statistical estimation must be completed in time to be included in the Annual Financial Report.
Implementation of this recommendation will result in HUD better safeguarding taxpayer dollars and decrease improper payments.