The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Develop a departmentwide human capital plan or evaluate and revise existing plans to guide the recruitment, retention, and skill development of staff involved in IT acquisitions. The plan should include related metrics to measure plan implementation and effectiveness.

Evaluate IT acquisition process workflows and identify ways to simplify the processes, facilitate more effective stakeholder coordination across offices, and create efficiencies when possible.

Status

In September 2025, OCPO indicated that additional time was needed to implement the recommendation based on the implementation of Executive Order 14275, which initiates a governmentwide initiative to streamline federal procurement regulations and agency acquisition practices.  OCPO stated that the corrective action would be completed by March 31, 2026.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published its standard operating procedures resulting from its evaluation of workflows and efforts to simplify processes and facilitate more effective coordination.

Implementation of this recommendation will result in defined IT acquisition process workflow procedures to increase efficiency and ensure coordination across program offices.

Establish a centralized acquisition tracking system that allows for input and monitoring by all offices involved with the IT acquisition process by: a. Developing a plan with detailed implementation milestones; b. Obtaining appropriate approvals and funding; and c. Implementing a centralized acquisition tracking system, based on the implementation plan and approvals from 4a and 4b.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel has stated that the tool would not meet the agency’s needs.  Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, the Office of Multifamily Housing must provide evidence of an action plan or policy that includes procedures to ensure households living in multifamily units have a sufficient supply of safe drinking water.

Implementation of this recommendation will enable HUD to have sufficient oversight and control activities in place to ensure households living in multifamily housing have a sufficient supply of safe drinking water.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems.  In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide.  HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool.  This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.  As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems.  In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool.  This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.  As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution.  Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.