Provide adequate documentation to support its administrative and project delivery cost expenditures or repay the program $1,388,545 from non-Federal funds.
2021-LA-1002 | January 05, 2021
Neighborhood Housing Services of Los Angeles County, Los Angeles, CA, Did Not Always Follow Program Requirements in Administering Its NSP2
Community Planning and Development
- 2021-LA-1002-002-A | Status: Open/Closed | $1,388,545 Questioned Costs
Recommendations with questioned costs identify costs: (A) resulting from an alleged violation of a law, regulation, contract, grant, or other document or agreement governing the use of Federal funds; (B) that are not supported by adequate documentation (also known as an unsupported cost); or (C) that appear unnecessary or unreasonable.
- 2021-LA-1002-002-B | Status: Open/Closed | $324,478 Funds Put to Better Use
Recommendations that funds be put to better use estimate funds that could be used more efficiently. For example, recommendations that funds be put to better use could result in reductions in spending, deobligation of funds, or avoidance of unnecessary spending.
Provide supporting documentation to show whether the outstanding liability of $324,478 is correctly classified as an NSP2 liability. If not, HUD should ensure that NHSLA corrects its NSP2 cost reimbursement summary for the 12 months ending June 30, 2018, to reclassify the expenses to a non-NSP2 program. Such funds would be considered funds to be put to better use.
- 2021-LA-1002-002-E | Status: Open/Closed
Obtain training to ensure that it understands NSP2 regulations and requirements related to payroll allocation for its administrative and project delivery costs and program income calculation methodology to ensure it properly computes the amount it is allowed to charge for administrative costs.
- 2021-LA-1002-003-A | Status: Open/Closed | $856,692 Questioned Costs
Support the reasonableness of the South Gate contract or repay NSP2 $856,692 from non-Federal funds.
2020-OE-0001 | November 30, 2020
HUD Fiscal Year 2020 Federal Information Security Modernization Act of 2014 (FISMA) Evaluation Report
Chief Information Officer
- 2020-OE-0001-01 | Status: Open/Closed | Sensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
Priority: We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.
Status
HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarters 2 and 3 of FY 2025, HUD personnel stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. HUD has not provided an estimated completion date.
Analysis
To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and that the whitelist is implemented per the NIST Special Publication 800-167 or otherwise accept the risk of not controlling access to its network and document mitigating measures via a Risk-Based Decision memorandum.
HUD has defined a requirement in HUD Handbook 3257.1, Rev. 3, “Software License Management Policy” for the Configuration Control Management Board and Technical Review Committee to be responsible for maintaining the list of allowed and prohibited software. However, a tool to enforce this list is required to implement the recommendation.
The implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its approved software asset listing.
- 2020-OE-0001-02 | Status: Open/Closed | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-03 | Status: Open/Closed | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-07 | Status: Open/Closed | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-09 | Status: Open/Closed | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-13 | Status: Open/Closed | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-15 | Status: Open/Closed | Sensitive
Priority
Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.
Analysis
To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- 2020-OE-0001-16 | Status: Open/Closed | Sensitive
Priority
Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.
Analysis
To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
2021-LA-1001 | October 27, 2020
The City of Compton, Compton, CA, Did Not Always Administer Neighborhood Stabilization Program Funds in Compliance With Procedures and Regulations
Community Planning and Development
- 2021-LA-1001-001-A | Status: Open/Closed
Implement its procurement controls to ensure that it is able to locate and maintain the complete procurement documents for at least 3 years after the closeout of NSP1 and NSP3 in compliance with its own procedures and HUD regulations.
- 2021-LA-1001-002-A | Status: Open/Closed | $270,656 Questioned Costs
Provide the required documents to support $161,131 in NSP1 and $109,525 in NSP3 funds for expenses for acquisition, rehabilitation, and administration. If the City cannot provide the required documents, it should repay the U.S. Treasury from non-Federal funds.
- 2021-LA-1001-002-C | Status: Open/Closed
Obtain technical assistance from HUD to ensure that it is able to manage the programs and comply with program regulations before processing future expenses related to NSP1 and NSP3 projects and activities.
- 2021-LA-1001-003-A | Status: Open/Closed
Follow its NSP procedures and HUD regulations to complete and submit its future NSP1 and NSP3 HUD quarterly performance reports and annual single audit reports within the required timeframes until the closeout of the respective programs or until HUD is assured that these reports are consistently submitted on time.
- 2021-LA-1001-003-B | Status: Open/Closed
Follow its own procedures and HUD regulations to post the missing 21 NSP1 and 22 NSP3 HUD quarterly performance reports, as of June 30, 2019, on its official website; and, post the future NSP1 and NSP3 HUD quarterly performance reports on its website until the closeout of the respective programs or until HUD is assured that these reports are consistently posted on its website.
- 2021-LA-1001-003-C | Status: Open/Closed
Obtain technical assistance from HUD to ensure that the City is able to submit its quarterly performance reports and annual single audit reports on time and post the performance reports on its website to comply with program regulations.
2020-CH-0005 | August 21, 2020
HUD Needs To Improve Its Oversight of Lead in the Water of Multifamily Housing Units
Housing
- 2020-CH-0005-001-A | Status: Open/Closed | Priority
Require lenders to obtain the borrowers’ consent to verify the existence of delinquent Federal taxes with the IRS during loan origination and deny any applicant with delinquent Federal tax debt and no payment plan or a noncompliant payment plan or an applicant refusing to provide consent from receiving FHA insurance to put at least $6.1 billion to better use by avoiding potential future costs to the FHA insurance fund.
Status
To fully address this recommendation, HUD will need to provide evidence that it established a method of borrower consent to verify the existence of delinquent Federal taxes, including, but not limited to, one of the options OIG provided, which were (1) lenders obtaining the borrowers' consent to obtain their tax records directly from the IRS or (2) borrowers accessing their own tax information and submitting it to the lenders.
Implementation of this rule should result in HUD putting $6.1 billion to better use.
Analysis
To fully address this recommendation, HUD will need to provide evidence that it established a method of borrower consent to verify the existence of delinquent Federal taxes, including, but not limited to, one of the options OIG provided, which were (1) lenders obtaining the borrowers' consent to obtain their tax records directly from the IRS or (2) borrowers accessing their own tax information and submitting it to the lenders.
Implementation of this rule should result in HUD putting $6.1 billion to better use.
2019-OE-0002a | June 25, 2020
HUD Personally Identifiable Information (PII) Records Protection and Management
Office of Administration
- 2019-OE-0002a-05 | Status: Open/Closed
Issue a formal policy and requirements for managing CUI.