HUD OCIO should demonstrate that it can implement its defined security responses if a baseline configuration is changed without authorization. This can be shown by either a response to a real incident if one happens or through a testing exercise if there are no applicable incidents (IG FISMA metric 23).

HUD OCIO should review its security training program and determine whether it should provide general cybersecurity awareness training to external users of its systems and data (IG FISMA metric 44).

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity update protocols to promote consistent expectations for timely supervisory, legal, and headquarters reviews of complex cases.

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity review and update the MOUs with OGC for each region to identify and remove inefficiencies that can lead to longer FHEO investigation times and OGC review times and identify best practices that can be implemented across all regions.

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity review and update investigative processes followed by each regional office to identify best practices that can be implemented across all regions and identify and remove inefficiencies that can lead to longer investigation times.

We recommend that HUD’s Deputy Assistant Secretary for Enforcement require the Commission to update its intake policy and procedure to clarify which inquiries are to be recorded in HEMS.

We recommend that HUD’s Deputy Assistant Secretary for Enforcement require the Commission to develop an internal agency intake training guide, distribute it to all agency housing staff members, and ensure that all intake staff members participate in HUD-approved training related to intake.

We recommend that HUD’s Deputy Assistant Secretary for Enforcement require the Commission to implement a record retention policy to ensure that decisions on inquiries are sufficiently supported.

We recommend that HUD’s Deputy Assistant Secretary for Enforcement require the Commission to implement a plan to ensure that it has sufficient staff to meet its obligations under FHAP cooperative agreement.

We recommend that HUD’s Deputy Assistant Secretary for Enforcement require the Commission to implement a system to better track the intake and processing of potential fair housing inquiries.

HUD OCIO should implement a process to consistently update and maintain its inventory of hardware assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized hardware assets from the HUD network (IG FISMA metrics 2, 20, and 21).

HUD OCIO should report at least 80 percent of its government-furnished equipment through the DHS CDM program (IG FISMA metric 2).

HUD OCIO should implement a process to consistently update and maintain its inventory of software assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized software assets from the HUD network (IG FISMA metrics 2, 20, and 21).

HUD OCIO should update its software inventory policies and procedures to account for critical software as defined by EO 14028 (IG FISMA metrics 3 and 21).

HUD OCIO should implement policies and procedures to maintain inventories of critical software and software licenses, critical software platforms, and all software installed on critical software platforms (both critical software and noncritical software) and use the inventory of critical software platforms and all software installed on them to ensure that only supported versions of software are used on those critical software platforms (IG FISMA metrics 3 and 21).

HUD OCIO should in coordination with the Chief Risk Officer (CRO), document cybersecurity risk management roles and responsibilities in a consolidated list and; define procedures to hold personnel accountable to their assigned roles in the consolidated list (IG FISMA metric 7)

HUD OCIO should consistently implement personnel accountability procedures to ensure that assigned cybersecurity risk management roles are being performed in an effective manner (IG FISMA metric 7).

HUD OCIO should ensure that external systems, such as cloud systems and cloud service providers, have and maintain configuration management plans that are consistent with HUD’s defined configuration management requirements (IG FISMA metric 19).

HUD OCIO should define and implement metrics to monitor the effectiveness of ICAM program activities and assist in identifying areas for improvement (IG FISMA metric 26).

HUD OCIO should develop a comprehensive ICAM policy, strategy, process, and technology solution roadmap, including milestones, budget estimates, and appropriate technology solution details (IG FISMA metric 27). This recommendation replaces FY 2020 FISMA recommendation 11.