Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.

Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.

Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.

Assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. This measure includes but is not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.

Update and synchronize the SOP and the matching procedure. The updates should include notifications that provide issuers with unmatched loans adequate time to take corrective action to comply with the requirements of the MBS Guide to put $903 million to better use by ensuring that the appropriate agency insurance or guarantee is in place.

Ensure that all necessary information regarding terminated VA loans is included in the matching process.

HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).

HUD OCIO and the Office of Administration should implement procedures to ensure proper validation of media sanitization in accordance with HUD Media Protection Procedures 2.0 (February 2022) and form HUD 1067A, Certification of Sanitization (derived from metric 36).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

HUD OCIO should ensure that system owners and information system security officers consistently test their ISCPs and upload the test results to CSAM in accordance with HUD’s defined ISCP testing policy (derived from metric 63).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

• Identification and prioritization of externally provided systems (new and legacy), components, and services.
• How HUD maintains awareness of its upstream suppliers.
• The integration of acquisition processes tools, and techniques to use the acquisition process to protect the supply chain.
• Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

Status

The Office of the Chief Information Officer (OCIO) estimated it would complete corrective action for this recommendation by August 2023. In May 2024, HUD OIG reviewed the OCIO progress in closing this recommendation as part of the FY 2024 FISMA evaluation. At that time, OCIO provided its draft SCRM Policy, draft SCRM Procedures, final SCRMES Charter, and a SCRM Technical Roadmap. Additionally, HUD provided agency-specific clauses. As of January 2025, HUD has not issued finalized SCRM policies and procedures.

Analysis

To fully address this recommendation, HUD must establish that it has defined and communicated policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements.

Implementation of this recommendation will result in HUD continuing to mature in supply chain risk management, establishing and defining the policies and procedures of SCRM requirements as they relate to systems and system components.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.