The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that the Chief Financial Officer enhance existing policies to establish a formal grant accrual risk management framework to help ensure consistent standards across HUD with regard to the development, review, and execution of the grant accrual and validation. This framework should include 1) identifying grant accrual estimation risk, assessing the magnitude of this risk, and managing the risks that arise when using certain quantitative estimation methods, 2) a governance structure that includes estimation ownership, oversight, and framework assessment, 3) the creation of a committee that is responsible for establishing a holistic approach to estimation risk management, including key stakeholders from OCFO and program offices, such as CPD, and 4) a requirement for documentation of committee meeting agendas, minutes, and key decisions and discussion points which impacts the various grant accrual methodologies across the Department.

HUD OCIO should a) resolve the conflicts between its Inventory of Automated Systems (IAS) policy and web applications policy to clarify if web applications will be inventories in IAS, the web application Sharepoint site, or both; and b) implement the chosen resolution to this conflict to develop a consistent inventory of web applications (IG FISMA metric 1).

HUD OCIO should implement an automated governance, risk, and compliance tool to manage risk from all sources across the three tiers of the organization in a timely manner. This recommendation updates FY 2021 FISMA recommendation number 5 (IG FISMA metrics 5, 9, and 10).

HUD OCIO should employ automation to maintain a timely and accurate view of security configuration information for all systems connected to its network (IG FISMA metric 20).

HUD OCIO should demonstrate that it can implement its defined security responses if a baseline configuration is changed without authorization. This can be shown by either a response to a real incident if one happens or through a testing exercise if there are no applicable incidents (IG FISMA metric 23).

HUD OCIO should review its security training program and determine whether it should provide general cybersecurity awareness training to external users of its systems and data (IG FISMA metric 44).

Develop and fully implement a departmentwide policy for the monthly transaction review process that requires program office participation and timely completion of the review and certification.

Update OCFO’s travel card monitoring procedures to obtain, review, and monitor the IBA Use report on a regular basis to ensure compliance with purchases required to be made on the government travel card.

HUD’s Office of the Chief Financial Officer (OCFO), in coordination with other appropriate program offices, should define and implement a risk-based process to assess and document IT risk management personnel resourcing needs and that those personnel are allocated effectively to support HUD’s risk management program (IG FISMA metric 7).

HUD OCFO, in coordination with other appropriate program offices, should define and implement a process to document and allocate non-personnel risk management resources in a risk-based manner, to include but not limited to funding, processes, and technology (IG FISMA metric 7).

HUD OCIO should implement a process to consistently update and maintain its inventory of hardware assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized hardware assets from the HUD network (IG FISMA metrics 2, 20, and 21).

HUD OCIO should report at least 80 percent of its government-furnished equipment through the DHS CDM program (IG FISMA metric 2).

HUD OCIO should implement a process to consistently update and maintain its inventory of software assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized software assets from the HUD network (IG FISMA metrics 2, 20, and 21).