Develop and execute a detailed plan and timeline for both testing and reporting estimates of improper payments in the PIH-TBRA and PBRA programs in compliance with Federal law and OMB guidance.

Status

In response to the Management Alert, the Deputy Secretary stated that she would provide a plan in 30 days. On April 10, 2024, the Chief Financial Officer, Assistant Secretary for Housing, and Principal Deputy Assistant Secretary for Public and Indian Housing (PIH) stated their respective executives had been working together to develop a plan to accelerate HUD’s ability to produce statistically valid estimates. With respect to PBRA, HUD planned to use ongoing data collection for fiscal year (FY) 2023 tier 1 and tier 2 payments to develop a statistical estimate in FY 2024.

However, our recent Payment Integrity Information Act audit determined that neither program produced a compliant estimate in fiscal year 2024. For multifamily-PBRA, HUD made some progress and reported an estimate that captured part of the payment cycle; however, the estimate did not include testing to ensure that housing assistance payments from contract administrators to owners were calculated correctly and supported by tenant-level documentation. The PIH-TBRA program did not produce an estimate at all, noting that IT system modernization must occur first. However, PIH has not yet provided a plan that indicates how the system upgrades will address this issue or a timeline for implementation. As of July 2025, HUD indicated that under its new leadership team it was making progress, but could not provide specifics about the progress made, a detailed plan or timeline, or a management decision detailing its corrective action plan. It remains unclear how HUD will produce a complete estimate of the PBRA programs in future years, and when it will be able to produce an estimate for PIH-TBRA.

Analysis

For HUD to close this recommendation, it must finish testing the full life cycle of payments in these programs and publicly report estimates of the improper payments in them. Merely producing a plan with future action target dates is not sufficient to meet the spirit of this recommendation.

PBRA and PIH-TBRA are the two largest program expenditures in HUD's portfolio, totaling $50 billion in FY 24, or 62.4 percent of HUD's total expenditures. HUD has been challenged with developing a compliant sampling methodology that can test the full payment cycle and that can be executed within the required timeframes. To fully address this recommendation, the sampling methodology should test the full payment cycle, and the associated sample testing and statistical estimation must be completed in time to be included in the Annual Financial Report.

Implementation of this recommendation will result in HUD better-safeguarding taxpayer dollars and decrease improper payments.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and supply chain risk management (SCRM) requirements.  This recommendation includes (a) identification and prioritization of externally provided systems (new and legacy), components, and services; (b) how HUD maintains awareness of its upstream suppliers; (c) the integration of acquisition processes, tools, and techniques to use the acquisition process to protect the supply chain; and (d) contract tools or procurement methods to confirm that contractors are meeting their obligations. 

Corrective Action

HUD finalized its Supply Chain Risk Management (SCRM) policy in April 2025, which utilizes a SCRM questionnaire to assess each vendor’s supply chain risk, and identifies and prioritizes risks accordingly.  HUD’s SCRM program team manages a supply chain risk register which records prior and current vendors, and those that have undergone risk assessments to maintain visibility into its upstream suppliers and track changes over time.  HUD also used multiple tools such as supply chain risk criteria and sourcing research and market analysis to evaluate vendors and strengthen protection of the supply chain during acquisition.  By implementing these procedures, as well as, having HUD’s program management team conducting annual and quarterly performance reviews for all vendors, HUD ensures contractors are meeting their contractual obligations.

Develop an enterprise-wide IT modernization strategy that establishes a framework to align with the IT modernization roadmap.

Corrective Action Taken

In January, 2024, HUD provided an OCIO approved an IT Modernization strategy that established a framework that aligned with its IT modernization roadmap. The strategy addressed each of the recommendation components (a. roles and responsibilities, b. prioritization of modernization initiatives, c. coordination process between OCIO and program offices, d. phased approach, and e. how lessons learned will be captured.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel has stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and that the whitelist is implemented per the NIST Special Publication 800-167 or otherwise accept the risk of not controlling access to its network and document mitigating measures via a Risk-Based Decision memorandum.

HUD has defined a requirement in HUD Handbook 3257.1, Rev. 3, “Software License Management Policy” for the Configuration Control Management Board and Technical Review Committee to be responsible for maintaining the list of allowed and prohibited software. However, a tool to enforce this list is required to implement the recommendation.

The implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its approved software asset listing.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

In April 2024, HUD OIG met with HUD OCIO to discuss progress and requirements for closure of this recommendation. In addition, OIG reviewed this recommendation as part of the annual FY 2024 FISMA evaluation in April 2024 and learned from HUD OCIO that that there would be a procedure update that would implement the ingestion and monitoring of all inbound and outbound traffic. The OIG requested to be provided with these procedures when finalized and evidence of implementation on May 1, 2024.

Corrective Action Taken

HUD OCIO updated its Cybersecurity Incident Response Plan and developed more detection and protection mechanisms to monitor network traffic in its IT environment. These mechanisms include anti-malware agents, data loss prevention, endpoint detection and response, firewalls, and intrusion detection and prevention systems. HUD’s SOC also developed standard operating procedures and playbooks for abnormal traffic alerts triggered by the above tools that are posted internally for SOC personnel to utilize. Addressing this recommendation resulted in improvement of HUD’s networking monitoring process by enhancing visibility into network traffic. It also increased HUD’s incident response program capabilities by ensuring that HUD has a plan to monitor traffic and better detect and respond to security incidents. As part of our regular Federal Information Security Act of 2014 (FISMA) assessments, HUD OIG will continue to assess HUD’s incident response effectiveness and threat detection to ensure HUD addresses new and evolving threats.

Enforce the requirement for all HUD web applications and services to be approved by the CIO and ensure OCIO reviews and approves all IT contracts and services agreements dealing with creation or support of web applications or services.

Corrective Action Taken

In January 2023, HUD's Office of the Chief Information Officer developed and released a Web Applications Directive to all HUD program offices. This directive described how web applications are defined, approved, inventoried, and maintained, including processes for tracking, and monitoring such applications.