HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that the Chief Procurement Officer direct the contracting officers to review the current FSM contracts’ QASP and update accordingly to ensure that all minimum contract requirements are included.

We recommend that the Chief Procurement Officer direct the contracting officers to oversee the implementation of the current FSM contracts’ QASP.

We recommend that the Chief Procurement Officer require the contracting officers to implement the policies and procedures in the HUD Acquisition Policy and Procedure Handbook for completion of HUD’s FSM contractor performance assessment reports in CPARS to ensure that Government past performance is documented properly and in a timely manner, at least annually, for use by all Federal agencies and maintained in the contract files.

We recommend that the Chief Procurement Officer require all staff involved in the oversight of FSM contracts to maintain the required documentation in the official contract file identified by HUD policy to support the contracts.

We recommend that the Chief Procurement Officer require the contracting officers to formally designate CORs in a timely manner and maintain the required documentation in the proper location identified in the relevant HUD policies and procedures, which fully supports the CORs’ oversight of the FSM contract.

Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.

Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.

Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.

Implement procedures to ensure that attended bots use the security rights and credentials of the attending user.