HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).
2023-OE-0001 | January 29, 2024
HUD FY 2023 Federal Information Security Modernization Act (FISMA) Evaluation Report
Chief Information Officer
- 2023-OE-0001-22
- 2023-OE-0001-23
HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).
2023-OE-0001a | December 20, 2023
Fiscal Year 2023 Federal Information Security Modernization Act of 2014 Penetration Test Evaluation Report
Chief Information Officer
- 2023-OE-0001a-01 | Sensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2023-OE-0001a-02 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2023-OE-0001a-03 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2023-OE-0001a-05 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2023-OE-0001a-06 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2023-IG-002 | May 31, 2023
Management Alert: HUD Should Take Additional Steps to Protect Contractor Employees Who Disclose Wrongdoing
Other
- 2023-IG-002-1 | Priority
We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
HUD (a) identify all contracts related to its programs that pre-date July 1, 2013 and that have not yet been modified to include Section 4712 whistleblower protections; and (b) review all contracts entered into on or after July 1, 2013, to ensure they include a clause that requires contractors to comply with Section 4712.
Status
HUD provided a Management Plan that identifies actions HUD is taking to address the recommendation. The OIG and HUD have not reached an agreement that the actions proposed will fully address the recommendations. Additionally, HUD has not completed several of the proposed actions and is still collecting information that responds to the recommendations.
Analysis
To fully address this recommendation, HUD must (a) identify all contracts related to its programs that pre-date July 1, 2013, and that have not yet been modified to include Section 4712 whistleblower protections; and (b) review all contracts entered on or after July 1, 2013, to ensure they include a clause that requires contractors to comply with Section 4712.
Implementation of this recommendation will ensure that Section 4712 whistleblower protections will apply to all individuals working for HUD contractors.
- 2023-IG-002-2 | Priority
Seek voluntary cooperation from program participants to proactively modify pre-2013 contracts for the purpose of including a clause requiring compliance with Section 4712.
Status
HUD provided a Management Plan that identifies actions HUD is taking to address the recommendation. The OIG and HUD have not reached an agreement that the actions proposed will fully address the recommendations. Additionally, HUD has not completed several of the proposed actions and is still collecting information that responds to the recommendations.
Analysis
To fully address this recommendation, HUD must provide evidence that it has sought voluntary cooperation from program participants to proactively modify pre-2013 contracts for the purpose of including a clause requiring compliance with Section 4712.
Implementation of this recommendation will ensure that Section 4712 whistleblower protections will apply to all individuals working for HUD contractors.
- 2023-IG-002-3 | Priority
Use its best efforts to include a clause requiring compliance with Section 4712 at the time of major modifications to contracts with program participants with whom HUD is unable to gain voluntary cooperation.
Status
HUD provided a Management Plan that identifies actions HUD is taking to address the recommendation. The OIG and HUD have not reached an agreement that the actions proposed will fully address the recommendations. Additionally, HUD has not completed several of the proposed actions and is still collecting information that responds to the recommendations.
Analysis
To fully address this recommendation, HUD must provide evidence that it has taken steps to ensure that it includes a clause requiring compliance with Section 4712 at the time of major modifications to contracts with program participants with whom HUD is unable to gain voluntary cooperation.
Implementation of this recommendation will ensure that Section 4712 whistleblower protections will apply to all individuals working for HUD contractors.
- 2023-IG-002-4
HUD seek legislative authority to expeditiously include Section 4712 protections within contracts for which HUD believes it must otherwise wait until there is a major modification.
- 2023-IG-002-5
HUD develop and implement controls to ensure that the provisions of Section 4712 are included in all contracts.
2021-OE-0007 | February 17, 2023
HUD’s Robotic Process Automation Program Was Not Efficient or Effective
Chief Information Officer
- 2021-OE-0007-01
Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.
- 2021-OE-0007-02
Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.
- 2021-OE-0007-03
Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.
- 2021-OE-0007-04
Implement procedures to ensure that attended bots use the security rights and credentials of the attending user.
2023-FO-0008 | January 24, 2023
Assessment of HUD’s IT Infrastructure To Support Extensive Telework
Chief Information Officer
- 2023-FO-0008-001-A
Research, evaluate, and implement technical or alternative solutions to deploy essential computer software updates using appropriate secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations.
- 2023-FO-0008-002-A
Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.
- 2023-FO-0008-002-B
Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.
- 2023-FO-0008-003-A
Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.