The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

Status

HUD provided a corrective action plan for this recommendation in May 2025. The planned corrective action requires the agency to acquire a data management system, develop cataloging standards, and coordinate with the program offices stated in the recommendation to ensure data is handled in a secure manner. The procurement process has not yet begun, yet in their initial plans, HUD will require vendor support to develop this tool. The estimated completion date of this recommendation is September 2027.

Analysis

By addressing the recommendation, HUD will be positioned better to protect and prioritize protection for data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-03 to be addressed by HUD.

HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential in the ability to protect and recover from attempted exfiltration attempts.

Update HUD regulations, policies, and procedures following the regulatory process required by the amended Lead Safe Housing Rule, in consideration of CDC's lowered BLRV of 3.5 ug/dL.

Status

As of January 30, 2026, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that HUD has circulated for comment a joint notice for HUD offices impacted by the modified elevated blood lead level (EBLL) threshold.  These offices include OLHCHH, the Office of Community Planning and Development (CPD), the Office of Multifamily Housing Programs (MF), and the Office of Public and Indian Housing (PIH).  The OLHCHH's estimated completion date is February 2026.

Analysis

To fully address this recommendation, OLHCHH must provide evidence that HUD has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 ug/dL.

Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.

Evaluate IT acquisition process workflows and identify ways to simplify the processes, facilitate more effective stakeholder coordination across offices, and create efficiencies when possible.

Status

In September 2025, OCPO indicated that additional time was needed to implement the recommendation based on the implementation of Executive Order 14275, which initiates a governmentwide initiative to streamline federal procurement regulations and agency acquisition practices.  OCPO stated that the corrective action would be completed by March 31, 2026.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published its standard operating procedures resulting from its evaluation of workflows and efforts to simplify processes and facilitate more effective coordination.

Implementation of this recommendation will result in defined IT acquisition process workflow procedures to increase efficiency and ensure coordination across program offices.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel has stated that the tool would not meet the agency’s needs.  Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, the Office of Multifamily Housing must provide evidence of an action plan or policy that includes procedures to ensure households living in multifamily units have a sufficient supply of safe drinking water.

Implementation of this recommendation will enable HUD to have sufficient oversight and control activities in place to ensure households living in multifamily housing have a sufficient supply of safe drinking water.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems.  In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide.  HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool.  This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.  As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems.  In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool.  This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.  As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution.  Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.