The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that the Chief Procurement Officer direct the contracting officers to review the current FSM contracts’ QASP and update accordingly to ensure that all minimum contract requirements are included.

We recommend that the Chief Procurement Officer direct the contracting officers to oversee the implementation of the current FSM contracts’ QASP.

We recommend that the Chief Procurement Officer require the contracting officers to implement the policies and procedures in the HUD Acquisition Policy and Procedure Handbook for completion of HUD’s FSM contractor performance assessment reports in CPARS to ensure that Government past performance is documented properly and in a timely manner, at least annually, for use by all Federal agencies and maintained in the contract files.

We recommend that the Chief Procurement Officer require all staff involved in the oversight of FSM contracts to maintain the required documentation in the official contract file identified by HUD policy to support the contracts.

We recommend that the Chief Procurement Officer require the contracting officers to formally designate CORs in a timely manner and maintain the required documentation in the proper location identified in the relevant HUD policies and procedures, which fully supports the CORs’ oversight of the FSM contract.

Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.

Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.

Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.

Implement procedures to ensure that attended bots use the security rights and credentials of the attending user.

Research, evaluate, and implement technical or alternative solutions to deploy essential computer software updates using appropriate secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations

Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.

Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.

Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.

Assess its help desk system against other technical solutions and ensure that the help desk solution used captures complete data on technical support requests. This measure includes but is not limited to ensuring that sequence gaps are properly documented or do not occur, valid transactions are accepted by the help desk system, rejected transactions are identified, and the history of each transaction is retained.

HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).