Determine the appropriate timeframe for when initial management and occupancy reviews (MORs) should be completed for all properties that convert under the Rental Assistance Demonstration and issue updated guidance that includes a system to track the timeliness of initial MORs.

Complete the initial management and occupancy reviews (MORs) for the Rental Assistance Demonstration properties that have not had an initial MOR.

Develop and implement a plan to determine how to implement the risk-based approach to review the Rental Assistance Demonstration properties that have not had subsequent management and occupancy reviews (MORs) in more than 3 years and to require periodic MORs going forward.

Develop and implement a plan to review the reserve for replacement accounts for all converted properties from the date on which the account was established to the date of the review. Based on the reviews completed, HUD should take appropriate actions to ensure that reserve for replacement accounts are appropriately funded or determine whether overfunded accounts should have the deposits suspended for a specified period.

Implement adequate procedures and controls to ensure that servicing lenders comply with HUD time requirements in scheduling initial inspections of FHA-insured RAD PBV properties.

Determine an appropriate timeframe in which non-FHA-insured Project-Based Rental Assistance (PBRA) properties converted under the Rental Assistance Demonstration should be initially inspected, work with HUD’s Real Estate Assessment Center (REAC) to ensure that inspections are ordered and completed within that timeframe, and update HUD’s publicly available and internal guidance to ensure consistent messaging in accordance with HUD’s determination.

Review whether potential violations of the Antideficiency Act took place because of implementing or enforcing any nondisclosure policies, forms, or agreements that do not include the anti-gag provision as required by law. If it is determined that a violation occurred, the Chief Financial Officer should take disciplinary actions as appropriate and report the identified violations to the oversight authorities, including the HUD Secretary, the President, the Office of Management and Budget, Congress, and the Comptroller General.

HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).

The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.