The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement the requirements of HUD’s current Debt Collection Handbook, to include (1) assigning a program office manager, (2) developing and implementing debt collection standard operating procedures, (3) designating program action officials, and (4) ensuring that program action officials are trained and perform debt collection duties in a timely manner in accordance with the Debt Collection Handbook; HUD Handbook 2000.06, REV-4, Audits Management System; and other pertinent guidance and policies to ensure the accurate reporting of receivables in the general ledger.

Review all executed repayment agreements in HUD’s Tenant Rental Assistance Certification System (TRACS) to determine which repayment agreements have not been fully repaid and represent an amount owed to HUD and work with OCFO to record these receivables.

Include a field in TRACS to identify which repayment agreements represent an amount owed to HUD and implement controls to ensure the accuracy of the listing in TRACS.

Develop and implement controls to track and enforce repayments owed to HUD to ensure that owners are not delinquent on their repayment agreements.

Adequately notify homeowners that, due to COVID-19, all FHA refund applications and supporting documents should be sent electronically to avoid delay in processing. This process should include (1) developing and expediting implementation of correspondence sent to homeowners with the application, (2) a notice of operational changes on HUD’s FHA refunds websites, (3) ensuring that HUD’s Does HUD Owe You a Refund website is updated to the most recent FHA Homeowners Fact Sheet, (4) an updated voice message from the call center including an accurate email, and (5) developing an updated script for call center agents for the initial contact with the homeowner, follow up, and contact with homeowners who already submitted their application by mail.

Conduct a privacy impact assessment for accepting homeowner FHA refund applications and supporting documentation that contain PII electronically to identify potential risks and develop and implement plans to mitigate those risks.

Develop and implement written policies and procedures for SFIOD to quickly respond to emergency situations when staff cannot return to the office. Procedures should include steps to quickly notify homeowners of any changes made to the FHA refund process.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel has stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and that the whitelist is implemented per the NIST Special Publication 800-167 or otherwise accept the risk of not controlling access to its network and document mitigating measures via a Risk-Based Decision memorandum.

HUD has defined a requirement in HUD Handbook 3257.1, Rev. 3, “Software License Management Policy” for the Configuration Control Management Board and Technical Review Committee to be responsible for maintaining the list of allowed and prohibited software. However, a tool to enforce this list is required to implement the recommendation.

The implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its approved software asset listing.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.