Update HUD Handbook 1900.40, Do Not Pay policy, to clearly define the responsibilities for all parties and align it with current laws, processes, and procedures. This should include defining responsibilities for preaward and prepayment verification, and developing a process and governance structure to ensure that preaward and prepayment verification are consistently performed across HUD’s programs.
2025-FO-0006 | May 13, 2025
HUD Did Not Comply With the Payment Integrity Information Act of 2019
Chief Financial Officer
- 2025-FO-0006-002-A | Priority
We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
2023-FO-0001 | October 26, 2022
Improvements are Needed in HUD’s Fraud Risk Management Program
Chief Financial Officer
- 2023-FO-0001-001-A | Priority
Perform a complete agency-wide fraud risk assessment (which incorporates the fraud risk assessments performed at the program level) and use the results to develop and implement an agency-wide plan to move HUD’s fraud risk management program out of the ad hoc phase.
2021-OE-0001 | February 17, 2022
Fiscal Year 2021 Federal Information Security Modernization Act (FISMA) Evaluation Report
Chief Information Officer
- 2021-OE-0001-08 | Sensitive | Priority
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Closed on August 20, 2025
Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and supply chain risk management (SCRM) requirements. This recommendation includes (a) identification and prioritization of externally provided systems (new and legacy), components, and services; (b) how HUD maintains awareness of its upstream suppliers; (c) the integration of acquisition processes, tools, and techniques to use the acquisition process to protect the supply chain; and (d) contract tools or procurement methods to confirm that contractors are meeting their obligations.
2021-OE-0003 | June 29, 2021
HUD IT Modernization Roadmap Evaluation Report
Chief Information Officer
- 2021-OE-0003-01 | Priority
Closed on February 07, 2024
Develop an enterprise-wide IT modernization strategy that establishes a framework to align with the IT modernization roadmap.
Corrective Action Taken
In January 2024, HUD provided an OCIO-approved IT modernization strategy that established a framework that aligned with its IT modernization roadmap. The strategy addressed each of the recommendation components (a. roles and responsibilities, b. prioritization of modernization initiatives, c. coordination process between OCIO and program offices, d. phased approach, and e. how lessons learned will be captured).
2020-OE-0001 | November 30, 2020
HUD Fiscal Year 2020 Federal Information Security Modernization Act of 2014 (FISMA) Evaluation Report
Chief Information Officer
- 2020-OE-0001-01 | Sensitive | Priority
Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.
Status
HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarters 2 and 3 of FY 2025, HUD personnel stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. As of January 2026, HUD has not provided an estimated completion date.
Analysis
To fully address this recommendation, the Office of Multifamily Housing must provide evidence of an action plan or policy that includes procedures to ensure households living in multifamily units have a sufficient supply of safe drinking water.
Implementation of this recommendation will enable HUD to have sufficient oversight and control activities in place to ensure households living in multifamily housing have a sufficient supply of safe drinking water.
- 2020-OE-0001-15 | Sensitive | Priority
Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement. As of January 2026, HUD has not provided an estimated completion date.
Analysis
To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- 2020-OE-0001-16 | Sensitive | Priority
Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement. As of January 2026, HUD has not provided an estimated completion date.
Analysis
To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
2019-OE-0002 | June 25, 2020
HUD Fiscal Year 2019 Federal Information Security Modernization Act of 2014 (FISMA) Evaluation Report
Chief Information Officer
- 2019-OE-0002-16 | Sensitive | Priority
Closed on August 26, 2024
In April 2024, HUD OIG met with HUD OCIO to discuss progress and requirements for closure of this recommendation. In addition, OIG reviewed this recommendation as part of the annual FY 2024 FISMA evaluation in April 2024 and learned from HUD OCIO that there would be a procedure update that would implement the ingestion and monitoring of all inbound and outbound traffic. The OIG requested to be provided with these procedures when finalized and evidence of implementation on May 1, 2024.
Corrective Action Taken
HUD OCIO updated its Cybersecurity Incident Response Plan and developed more detection and protection mechanisms to monitor network traffic in its IT environment. These mechanisms include anti-malware agents, data loss prevention, endpoint detection and response, firewalls, and intrusion detection and prevention systems. HUD’s SOC also developed standard operating procedures and playbooks for abnormal traffic alerts triggered by the above tools that are posted internally for SOC personnel to utilize. Addressing this recommendation resulted in improvement of HUD’s network monitoring process by enhancing visibility into network traffic. It also increased HUD’s incident response program capabilities by ensuring that HUD has a plan to monitor traffic and better detect and respond to security incidents. As part of our regular Federal Information Security Modernization Act of 2014 (FISMA) assessments, HUD OIG will continue to assess HUD’s incident response effectiveness and threat detection to ensure HUD addresses new and evolving threats.
2016-OE-0002 | July 05, 2017
HUD Web Application Security Evaluation Report
Chief Information Officer
- 2016-OE-0002-03 | Sensitive | Priority
Closed on January 10, 2023
Enforce the requirement for all HUD web applications and services to be approved by the CIO and ensure OCIO reviews and approves all IT contracts and services agreements dealing with creation or support of web applications or services.