
Chief Information Officer

  •  
    Status
      Open
      Closed
    2022-OE-0001-01

    HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

  •  
    Status
      Open
      Closed
    2022-OE-0001-02

    HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).

  •  
    Status
      Open
      Closed
    2022-OE-0001-03

    HUD OCIO and the Office of Administration should implement procedures to ensure proper validation of media sanitization in accordance with HUD Media Protection Procedures 2.0 (February 2022) and form HUD 1067A, Certification of Sanitization (derived from metric 36).

  •  
    Status
      Open
      Closed
    2022-OE-0001-04
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2022-OE-0001-05

    HUD OCIO should ensure that system owners and information system security officers consistently test their ISCPs and upload the test results to CSAM in accordance with HUD’s defined ISCP testing policy (derived from metric 63).

Housing

  •  
    Status
      Open
      Closed
    2022-FO-0007-001-B

    Use the fraud risk inventory to enhance program-specific fraud risk assessments for the PBRA program.

Housing

  •  
    Status
      Open
      Closed
    2022-KC-0002-001-A
    $1,090,636
    Funds Put to Better Use

    Recommendations that funds be put to better use estimate funds that could be used more efficiently. For example, recommendations that funds be put to better use could result in reductions in spending, deobligation of funds, or avoidance of unnecessary spending.

    Require lenders to provide evidence of sufficient flood insurance or execute indemnification agreements for the 21 loans in our statistical sample that did not have sufficient flood insurance at the time of our audit to put nearly $1.1 million to better use. (See appendix A.)

  •  
    Status
      Open
      Closed
    2022-KC-0002-001-B
    $1,506,887,996
    Funds Put to Better Use

    Priority

    We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.

    Develop a control to detect loans that did not maintain the required flood insurance to put $1.5 billion to better use by avoiding potential future costs to the FHA insurance fund from inadequately insured properties.


    Corrective Action Taken

    In November 2022, FHA published the Acceptance of Private Flood Insurance for FHA-Insured Mortgages final rule (Docket No. FR-6084-F-02) in the Federal Register and issued Mortgagee Letter 2022-18, Acceptance of Private Flood Insurance for FHA-Insured Mortgages (ML 2022-18). These policy changes not only strengthened Single Family’s Mortgagee requirements regarding flood insurance, but they also introduced the ability for borrowers and Mortgagees to purchase private flood insurance. In January 2023, the sections in ML 2022-18 that pertain to HUD’s forward mortgage programs were superseded by the FHA Single Family Housing Policy Handbook (Handbook 4000.1), adding a requirement that the Mortgagee review all FHA-insured properties annually to determine if the property is located within a Special Flood Hazard Area (SFHA). For properties located within a SFHA, the Mortgagee must ensure flood insurance is in force for the life of the mortgage and that the property has sufficient flood insurance coverage. To ensure compliance with the policy requirements, the Mortgagee must include updated flood insurance information for properties where flood insurance is required in the Servicing and Claims File. In addition, Handbook 4000.1 includes flood insurance servicing policy updates. HUD submitted a revised management decision reflecting this action on June 22, 2023.

  •  
    Status
      Open
      Closed
    2022-KC-0002-001-C

    Consult with the Office of General Counsel to review the language in the statutes, regulations, and handbooks and if warranted, make adjustments to the forward mortgage handbook to ensure consistency with the statute.

  •  
    Status
      Open
      Closed
    2022-KC-0002-001-D

    Consult with the Office of General Counsel to review the language in the statutes, regulations, and handbooks and if warranted, make adjustments to the HECM handbook to ensure consistency with the statute and regulation.

Chief Information Officer

  •  
    Status
      Open
      Closed
    2021-OE-0001-01
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-02
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-03
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-04
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-05
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-06
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-07
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-08
    Sensitive

    Priority

    Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

    • Identification and prioritization of externally provided systems (new and legacy), components, and services.
    • How HUD maintains awareness of its upstream suppliers.
    • The integration of acquisition processes, tools, and techniques to use the acquisition process to protect the supply chain.
    • Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

    Status

    The Office of the Chief Information Officer (OCIO) estimated it would complete corrective action for this recommendation by August 2023. In May 2024, HUD OIG reviewed the OCIO progress in closing this recommendation as part of the FY 2024 FISMA evaluation. At that time, OCIO provided its draft SCRM Policy, draft SCRM Procedures, final SCRMES Charter, and a SCRM Technical Roadmap. Additionally, HUD provided agency-specific clauses. As of January 2025, HUD has not issued finalized SCRM policies and procedures.


    Analysis

    To fully address this recommendation, HUD must establish that it has defined and communicated policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements.

    Implementation of this recommendation will result in HUD continuing to mature in supply chain risk management, establishing and defining the policies and procedures of SCRM requirements as they relate to systems and system components.

  •  
    Status
      Open
      Closed
    2021-OE-0001-09
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

  •  
    Status
      Open
      Closed
    2021-OE-0001-10
    Sensitive

    The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.