The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

HUD OCIO should a) resolve the conflicts between its Inventory of Automated Systems (IAS) policy and web applications policy to clarify if web applications will be inventories in IAS, the web application Sharepoint site, or both; and b) implement the chosen resolution to this conflict to develop a consistent inventory of web applications (IG FISMA metric 1).

HUD OCIO should implement an automated governance, risk, and compliance tool to manage risk from all sources across the three tiers of the organization in a timely manner. This recommendation updates FY 2021 FISMA recommendation number 5 (IG FISMA metrics 5, 9, and 10).

HUD OCIO should employ automation to maintain a timely and accurate view of security configuration information for all systems connected to its network (IG FISMA metric 20).

HUD OCIO should demonstrate that it can implement its defined security responses if a baseline configuration is changed without authorization. This can be shown by either a response to a real incident if one happens or through a testing exercise if there are no applicable incidents (IG FISMA metric 23).

HUD OCIO should review its security training program and determine whether it should provide general cybersecurity awareness training to external users of its systems and data (IG FISMA metric 44).

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity update protocols to promote consistent expectations for timely supervisory, legal, and headquarters reviews of complex cases.

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity review and update the MOUs with OGC for each region to identify and remove inefficiencies that can lead to longer FHEO investigation times and OGC review times and identify best practices that can be implemented across all regions.

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity review and update investigative processes followed by each regional office to identify best practices that can be implemented across all regions and identify and remove inefficiencies that can lead to longer investigation times.

We recommend that HUD’s Deputy Assistant Secretary for Enforcement require the Commission to update its intake policy and procedure to clarify which inquiries are to be recorded in HEMS.

We recommend that HUD’s Deputy Assistant Secretary for Enforcement require the Commission to develop an internal agency intake training guide, distribute it to all agency housing staff members, and ensure that all intake staff members participate in HUD-approved training related to intake.