HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).

HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).

HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Update HUD regulations, policies, and procedures following the regulatory process required by the amended Lead Safe Housing Rule, in consideration of CDC's lowered BLRV of 3.5 ug/dL.

Status

On January 17, 2025, HUD published a Federal Register notice to modify its EBLL threshold under its Lead Safe Housing Rule from to 5 to 3.5 micrograms of lead per deciliter of blood (µg/dL) for a child under the age of 6, consistent with the Centers for Disease Control and Prevention's current blood lead reference value of 3.5 µg/dL.

As of July 17, 2025, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that HUD has drafted a joint notice for HUD offices impacted by the modified elevated blood lead level (EBLL) threshold. These offices include OLHCHH, the Office of Community Planning and Development (CPD), the Office of Multifamily Housing Programs (MF), and the Office of Public and Indian Housing (PIH).

OLHCHH’s timeline to finish implementing the recommendation:

• The notice will enter the clearance process by the end of August.
• CPD, MF, PIH, and OLHCHH will publish the final joint notice by September 30, 2025.

The estimated completion date for these actions is September 30, 2025. The original estimated completion date was June 30, 2024, and was revised to account for the time required to (1) receive and review public comments on HUD’s proposed change to the EBLL threshold and (2) coordinate the implementation of the EBLL threshold change across the impacted HUD offices.

---

Analysis

To fully address this recommendation, OLHCHH must provide evidence that HUD has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 ug/dL.

Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.

Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.

Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.

Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.

Implement procedures to ensure that attended bots use the security rights and credentials of the attending user.

HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).