Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.

Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.

Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.

Assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. This measure includes but is not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.

Provide more detailed guidance to HUD reviewers on benchmarks for each performance standard.

Update the PAR template to ensure that HUD reviewers include required information.

Assess HUD reviewers’ skills and readiness to determine the appropriate frequency of training.

Provide more detailed guidance to HUD reviewers and FHEO regional directors on when and under what circumstances to recommend or issue a PIP.

Update HUD Handbook 8024.01, REV-2, and regional intake policies and procedures as necessary to include (1) minimum requirements that all regions follow for documenting in HEMS attempts to reach out to claimants when additional information is needed before closing inquiries; (2) policies and procedures for collecting, recording, and documenting all relevant electronic intake information in HEMS; and (3) clarifying that communications with claimants regarding inquiry closure, requests for additional information, and notices of jurisdiction information clearly inform the claimant of the ability to provide additional information within the statute of limitations.

Develop a process to oversee housing discrimination allegations that FHAP agencies close and do not submit to HUD for dual-filing to ensure that the closure and jurisdictional determinations are consistent with the Fair Housing Act. To help address this recommendation, HUD should consider requiring FHAP agencies to enter data on closed inquiries in HEMS and make updates to FHAP agreements as necessary.

HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).

HUD OCIO and the Office of Administration should implement procedures to ensure proper validation of media sanitization in accordance with HUD Media Protection Procedures 2.0 (February 2022) and form HUD 1067A, Certification of Sanitization (derived from metric 36).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

HUD OCIO should ensure that system owners and information system security officers consistently test their ISCPs and upload the test results to CSAM in accordance with HUD’s defined ISCP testing policy (derived from metric 63).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.