Revise HUD’s Controlled Unclassified Information Policy to include the anti-gag provision.

Revise HUD’s Controlled Unclassified Information Policy to state that (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.

HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).

HUD’s Office of Administration, in coordination with OCIO, should update and communicate its PII minimization plan. The plan should include detailed procedures to regularly review and remove unnecessary PII collections in accordance with OMB Circular A-130 (IG FISMA metric 35).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Designate a Senior Agency Official for Records Management at the Assistant Secretary level or its equivalent.

Update and issue agency formal records policy, including detailed procedures and requirements for completing and maintaining program office and agencywide inventories of systems, records, and PII.

Update and obtain final NARA approval of all HUD records retention schedules, including the Capstone email schedule, to comply with Federal requirements, including OMB M-19-21.

Develop and approve an enterprise strategy to meet all M-19-21 electronic transition requirements.

Issue a formal policy and requirements for managing CUI.

Establish and disseminate a policy on safeguarding or prohibiting the transportation of PII records out of the office for telework purposes.

Complete the development of performance measures and establish a formal records evaluation process to measure the effectiveness and progress of the records management program.

Standardize processes and duties for all RMLOs.

Conduct a staffing resource assessment for the HUD records program and identify any skills gaps or resource needs.

Ensure the privacy program is staffed with experienced personnel (such as a Chief Privacy Officer) to manage the operational aspects of the program.

Issue a notice at the Secretary level delegating and clarifying the authority and responsibilities of the SAOP and Privacy Office

A. Document the roles and specific responsibilities of all positions assigned privacy responsibilities. B. Communicate these responsibilities on a recurring basis, at least annually, to individuals holding these positions.

Implement thorough human capital processes to ensure execution of the HUD privacy program and all its requirements

Finalize and approve the draft privacy program strategic plan

Ensure the privacy program is integrated with the enterprise risk program and that privacy risks are incorporated into the agency risk management process