HUD OCIO should implement procedures to ensure that digital identity risk assessments have been performed and documented in accordance with HUD’s defined procedures and Federal guidelines (IG FISMA metrics 30 and 31).

HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that the Director of Disaster Recovery collect and record the number of days that it or other entities take to complete each milestone in the grant process.

We recommend that the Director of Disaster Recovery establish timing benchmarks for the milestones at each significant step in the allocation and award process based on actual data accumulated for the various grants.

We recommend that the Director of Disaster Recovery take steps to ensure that the milestone point of allocation is formally defined and documented, to allow for accurate tracking of compliance with requirements.

We recommend that the Deputy Assistant Secretary instruct PRDOH to implement a process to regularly conduct fraud risk assessments and determine a fraud risk profile. The fraud risk profile should include key findings and conclusions from the risk assessment, including the analysis of the types of fraud risks, their perceived likelihood and impact, risk tolerance, and the prioritization of risks.

We recommend that the Deputy Assistant Secretary instruct PRDOH to improve fraud awareness initiatives, such as participating in organized antifraud conferences, reviewing the OIG’s Special Fraud Alerts, Bulletins, and Other Guidance, and attending fraud risk training tailored to the program’s fraud risk profile (including subrecipients).

We recommend that the Deputy Assistant Secretary for Grant Programs evaluate PRDOH’s risk exposure and tolerance as part of HUD’s program-specific fraud risk assessment for disaster grant programs.

We recommend that the Deputy Assistant Secretary for Grant Programs coordinate with HUD’s Chief Risk Officer to (1) provide training and technical assistance to PRDOH with a focus on the design, implementation, and performance of fraud risk assessments, and (2) establish a fraud risk management framework for the organization.

We recommend that the Deputy Assistant Secretary for Grant Programs assess whether grantees have mature fraud risk management programs within the disaster recovery and mitigation programs.