Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

• Identification and prioritization of externally provided systems (new and legacy), components, and services.
• How HUD maintains awareness of its upstream suppliers.
• The integration of acquisition processes tools, and techniques to use the acquisition process to protect the supply chain.
• Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

Status

The Office of the Chief Information Officer (OCIO) estimated it would complete corrective action for this recommendation by August 2023. In May 2024, HUD OIG reviewed the OCIO progress in closing this recommendation as part of the FY 2024 FISMA evaluation. At that time, OCIO provided its draft SCRM Policy, draft SCRM Procedures, final SCRMES Charter, and a SCRM Technical Roadmap. Additionally, HUD provided agency-specific clauses. As of January 2025, HUD has not issued finalized SCRM policies and procedures.

Analysis

To fully address this recommendation, HUD must establish that it has defined and communicated policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements.

Implementation of this recommendation will result in HUD continuing to mature in supply chain risk management, establishing and defining the policies and procedures of SCRM requirements as they relate to systems and system components.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to creating rules for allowing only authorized software to be used through HUD's endpoint security software. The final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and it is implemented as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk-Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprisewide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.