The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

Status

HUD provided a corrective action plan for this recommendation in May 2025. The planned corrective action requires the agency to acquire a data management system, develop cataloging standards, and coordinate with the program offices stated in the recommendation to ensure data is handled in a secure manner. The procurement process has not yet begun, yet in their initial plans, HUD will require vendor support to develop this tool. The estimated completion date of this recommendation is September 2027.

Analysis

By addressing the recommendation, HUD will be positioned better to protect and prioritize protection for data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-03 to be addressed by HUD.

HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential in the ability to protect and recover from attempted exfiltration attempts.

PIH in coordination with other HUD offices as necessary, research and address potential causes of the variance in the number of EBLL cases among States on the EBLL tracker and identify solutions that are within HUD's control.

Status

As of July 30, 2025, PIH’s Office of Field Operations (OFO) has coordinated with the Office of Lead Hazard Control and Healthy Homes (OLHCHH) on the EBLL data requested and obtained from PHAs.  OFO’s timeline to finish implementing the recommendation:

• Conduct and complete research and comparison by September 30, 2025.  OFO will need to ensure that any EBLL documentation received from PHAs is accurate and accounted for in its EBLL tracked.
• Complete final review and revisions by October 31, 2025.  OFO will need to contact PHAs for any necessary revisions or missing documentation.
• Stakeholder feedback and incorporation of edits by December 31, 2025.  Stakeholders include OFO leadership and PIH’s Real Estate Assessment Center (REAC).
• Final approvals and sign offs by OFO leadership by March 27, 2026.
• Final reporting and closure documentation by March 31, 2026.  OFO will develop guidance and training materials to ensure that OFO field offices are able to properly communicate EBLL guidance to PHAs.

The estimated completion date is March 31, 2026.  The original estimated completion date was June 30, 2024, and was revised to account for (1) delays in responses from various PHAs in providing current and accurate information on EBLLs to OFO and (2) stakeholder input and review from various offices across HUD.

Analysis

To fully address this recommendation, OFO must provide evidence of completion of each step in its timeline, such as research and comparisons conducted and communications with stakeholders in HUD and with PHAs.

Implementation of this recommendation will help ensure that EBLL cases are reported and recorded appropriately in the EBLL tracker.

Update HUD regulations, policies, and procedures, following the regulatory process required by the amended LSHR, in consideration of CDC’s lowered BLRV of 3.5 µg/dL.

Status

On January 17, 2025, HUD published a Federal Register notice to modify its EBLL threshold under its Lead Safe Housing Rule from to 5 to 3.5 micrograms of lead per deciliter of blood (µg/dL) for a child under the age of 6, consistent with the Centers for Disease Control and Prevention's current blood lead reference value of 3.5 µg/dL.  

As of July 17, 2025, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that HUD has drafted a joint notice for HUD offices impacted by the modified elevated blood lead level (EBLL) threshold.  These offices include OLHCHH, the Office of Community Planning and Development (CPD), the Office of Multifamily Housing Programs (MF), and the Office of Public and Indian Housing (PIH).

OLHCHH’s timeline to finish implementing the recommendation:

• The notice will enter the clearance process by the end of August.
• CPD, MF, PIH, and OLHCHH will publish the final joint notice by September 30, 2025.

The estimated completion date for these actions is September 30, 2025.  The original estimated completion date was June 30, 2024, and was revised to account for the time required to (1) receive and review public comments on HUD’s proposed change to the EBLL threshold and (2) coordinate the implementation of the EBLL threshold change across the impacted HUD offices.
  

Analysis

To fully address this recommendation, OLHCHH must provide evidence that HUD has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 ug/dL.

Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.
 

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

• Identification and prioritization of externally provided systems (new and legacy), components, and services.
• How HUD maintains awareness of its upstream suppliers.
• The integration of acquisition processes tools, and techniques to use the acquisition process to protect the supply chain.
• Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

Status

In April 2025, during the FY 2025 FISMA evaluation, Office of the Chief Information Officer (OCIO) provided its finalized SCRM Policy, SCRM Procedures, SCRMES Charter, SCRM Technical Roadmap, and agency-specific clauses. While this addressed the requirements for this recommendation by defining its policies and procedures, HUD needs to communicate and post the policies on its internal website.  The OCIO estimated it would complete corrective action for this recommendation by August 2025.

Analysis

Implementation of this recommendation will result in HUD continuing to mature in supply chain risk management, establishing and defining the policies and procedures of SCRM requirements as they relate to systems and system components.

Evaluate IT acquisition process workflows and identify ways to simplify the processes, facilitate more effective stakeholder coordination across offices, and create efficiencies when possible.

Status

In November 2024, OCPO submitted an IT Acquisition Workflow Report and a document outlining responsibilities as evidence for closure. Although these documents clarified existing roles and documented one sample workflow, they did not propose or implement revised IT-acquisition policies or procedures producing measurable improvements. As of July 2025, OIG received no further information that identifies improvements in the IT acquisition process.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published its standard operating procedures resulting from its evaluation of workflows and efforts to simplify processes and facilitate more effective coordination.

Implementation of this recommendation will result in defined IT acquisition process workflow procedures to increase efficiency and ensure coordination across program offices.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel has stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and that the whitelist is implemented per the NIST Special Publication 800-167 or otherwise accept the risk of not controlling access to its network and document mitigating measures via a Risk-Based Decision memorandum.

HUD has defined a requirement in HUD Handbook 3257.1, Rev. 3, “Software License Management Policy” for the Configuration Control Management Board and Technical Review Committee to be responsible for maintaining the list of allowed and prohibited software.  However, a tool to enforce this list is required to implement the recommendation.

The implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its approved software asset listing.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.