HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that the General Deputy Assistant Secretary, Office of Policy Development and Research, and the Deputy Chief Information Officer, Office of the Chief Information Officer develop the project management documents, as required by HUD’s Project Planning and Management Life Cycle V2.0 policy, including obtaining required approvals and ensuring that an adequate project risk management process is established for identifying, analyzing, and responding to project risks.

We recommend that the General Deputy Assistant Secretary, Office of Policy Development and Research; the Deputy Chief Information Officer; and the Director, Office of Disaster Recovery, identify and incorporate at least one additional data source into the Disaster Recovery Data Portal to further assist grantees with duplication of benefits assessments.

Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.

Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.

Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.

Implement procedures to ensure that attended bots use the security rights and credentials of the attending user.

Research, evaluate, and implement technical or alternative solutions to deploy essential computer software updates using appropriate secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations

Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.

Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.

Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.

Assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. This measure includes but is not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.