Work with the Deputy Chief Financial Officer to develop and design a process to ensure that each attribute evaluated during the PIIA risk assessment is evaluated at all levels of the full payment cycle.

Provide support for the reimbursement to its housing program of $107,036 from non-Federal funds if justification cannot be provided to support that the overhead and profit amounts paid to the contractors were reasonable.

Perform a review of the remaining 453 contracts and any additional contracts issued under the old invitations to bid to ensure that overhead and profit amounts charged by contractors were reasonable. The State should either provide justification or support for the reimbursements to its housing program from non-Federal funds for the unsupported amounts.

Update policies and procedures to ensure that a cost reasonableness assessment is performed on all cost elements, including the overhead and profit percentages charged by contractors for future contracts.

Develop and implement procedures to ensure the execution of newly developed policies that require contractors that work on multiple programs to provide adequate support to distinguish the proper amount of time and cost spent on each program. The State should also be required to provide procedures that implement the policy changes.

Train staff to ensure that expenditures, including payments made to contractors, are classified to the proper project activity in the DRGR system and provide support for training conducted.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

• Identification and prioritization of externally provided systems (new and legacy), components, and services.
• How HUD maintains awareness of its upstream suppliers.
• The integration of acquisition processes tools, and techniques to use the acquisition process to protect the supply chain.
• Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

Status

The Office of the Chief Information Officer (OCIO) estimated it would complete corrective action for this recommendation by August 2023. In May 2024, HUD OIG reviewed the OCIO progress in closing this recommendation as part of the FY 2024 FISMA evaluation. At that time, OCIO provided its draft SCRM Policy, draft SCRM Procedures, final SCRMES Charter, and a SCRM Technical Roadmap. Additionally, HUD provided agency-specific clauses. As of January 2025, HUD has not issued finalized SCRM policies and procedures.

Analysis

To fully address this recommendation, HUD must establish that it has defined and communicated policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements.

Implementation of this recommendation will result in HUD continuing to mature in supply chain risk management, establishing and defining the policies and procedures of SCRM requirements as they relate to systems and system components.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.