The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Update the Conveyance, Assignment, and Assumption Agreement to require purchasers to report final property outcomes and identifying information including those of third-party purchasers when applicable.

Enhance data collection and processing controls to ensure consistency in reporting data.

Enhance existing demonstration guidance within the Conveyance, Assignment, and Assumption Agreement to provide further detail regarding documentation retention requirements.

Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization.

Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed.

Housing should coordinate with HUD’s SOC to a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities. b. Establish program office responsibility for the log review process.  

HUD OCIO should a) resolve the conflicts between its Inventory of Automated Systems (IAS) policy and web applications policy to clarify if web applications will be inventories in IAS, the web application Sharepoint site, or both; and b) implement the chosen resolution to this conflict to develop a consistent inventory of web applications (IG FISMA metric 1).

HUD OCIO should implement an automated governance, risk, and compliance tool to manage risk from all sources across the three tiers of the organization in a timely manner. This recommendation updates FY 2021 FISMA recommendation number 5 (IG FISMA metrics 5, 9, and 10).

HUD OCIO should employ automation to maintain a timely and accurate view of security configuration information for all systems connected to its network (IG FISMA metric 20).

HUD OCIO should demonstrate that it can implement its defined security responses if a baseline configuration is changed without authorization. This can be shown by either a response to a real incident if one happens or through a testing exercise if there are no applicable incidents (IG FISMA metric 23).

HUD OCIO should review its security training program and determine whether it should provide general cybersecurity awareness training to external users of its systems and data (IG FISMA metric 44).

Require that the PLUS system for receiving, processing, and assigning applications tracks applications and captures application intake, screening, and status, including key dates; captures data on the type of underwriter used; includes a portal for receiving documents and communicating with lenders; and generates FHA loan numbers. This will allow HUD to identify, monitor, and address processing delays and issues on a continuous basis; evaluate its performance and processes; and manage future challenges.

Update policies and procedures to include methods that will be used when applications exceed underwriter capacity, align intake and screening processes, and explain when timeframes will be enforced, including in PLUS.

Issue an industry wide letter to reinforce how intake, screening, and enforcement of timeframes will be handled.

Update relevant policies and procedures for appraiser roster management so that they align with each other and with regulations and reflect HUD practice. At a minimum, the policies and procedures should clearly cover appraiser roster status, license expiration, disciplinary actions, removals, data accuracy, and documentation.

Maintain historical data for each appraiser record, including history on expiration dates, when appraisers are moved on or off the appraiser roster and when they are and are not allowed to be assigned to conduct appraisals.

Improve quality assurance processes by adding steps to verify that the appraiser roster is accurate and reliable over time through testing of its logic-based system controls and data fields.

Update Handbook 4000.1 to require servicers to share information regarding foreclosure moratoriums with borrowers.