The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems.  In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide.  HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool.  This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.  As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems.  In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool.  This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.  As of January 2026, HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution.  Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that the Director of HUD’s Office of Davis-Bacon and Labor Standards seek guidance from the Department of Labor to correct the wage determinations where applicable for the five projects addressed in this report.

We recommend that the Director of HUD’s Office of Davis-Bacon and Labor Standards based on the outcome of recommendation 1A, determine the correct wages to be paid to workers and ensure that appropriate actions are taken to pay the workers.

We recommend that the Director of HUD’s Office of Davis-Bacon and Labor Standards update HUD Handbook 1344.1, REV-2, CHG-2, and Labor Relations Letter No. LR-96-03 to comply with the Department of Labor’s policies and guidance on the application of wage determinations for construction projects.

We recommend that the Director of HUD’s Office of Davis-Bacon and Labor Standards develop and implement controls to ensure that the appropriate Davis-Bacon wage rate determinations are implemented in the contracts of FHA-insured multifamily construction projects that require multiple wage determinations, including the requirement that contract specifications clearly identify the portions of the contract subject to each assigned wage determination, and that adequate documentation to support wage determinations is maintained.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.