FY 2023 FISMA
HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).
FY 2023 FISMA
HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).
FY 2023 FISMA
HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).
FY 2023 FISMA
HUD OCIO should implement procedures to ensure that digital identity risk assessments have been performed and documented in accordance with HUD’s defined procedures and Federal guidelines (IG FISMA metrics 30 and 31).
FY 2023 FISMA
HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).
FY 2023 FISMA
HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).
FY 2023 FISMA
HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).
FY 2023 FISMA
HUD’s Office of Administration, in coordination with OCIO, should update and communicate its PII minimization plan. The plan should include detailed procedures to regularly review and remove unnecessary PII collections in accordance with OMB Circular A-130 (IG FISMA metric 35).
FY 2023 FISMA
HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).
FY 2023 FISMA
HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).
FY 2023 FISMA
HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).
Recruitment of Individuals Who Identify as Hispanic or Latino for Employment With HUD
Determine how to measure the impact of recruitment efforts related to individuals who identify as Hispanic or Latino.
Recruitment of Individuals Who Identify as Hispanic or Latino for Employment With HUD
Implement a process to measure the impact of recruitment efforts related to individuals who identify as Hispanic or Latino.
Recruitment of Individuals Who Identify as Hispanic or Latino for Employment With HUD
Implement a process to collect and maintain information about recruitment efforts related to individuals who identify as Hispanic or Latino from all HUD program offices and their respective field offices.
Management Alert - Action Is Needed From HUD Leadership To Resolve Systemic Challenges With Improper Payments
We recommend that the Deputy Secretary develop and execute a detailed plan and timeline for both testing and reporting estimates of improper payments in the PIH-TBRA and PBRA programs in compliance with Federal law and OMB guidance.
Status
In response to the Management Alert, the Deputy Secretary stated that she would provide a plan in 30 days. On April 10, 2024, the Chief Financial Officer, Assistant Secretary for Housing, and…
HUD Lacked Adequate Oversight of Multifamily Housing Properties With Failing REAC Scores or Life-Threatening Deficiencies
Develop and implement adequate procedures and controls to ensure that (1) staff issues notices of violation and default within 15 calendar days of the inspection report release date and (2) the Office of Multifamily Asset Management and Portfolio Oversight is made aware when notices are not issued within 15 calendar days after the inspection report release date and takes action as appropriate to ensure that future notices are issued in a timely…
HUD Lacked Adequate Oversight of Multifamily Housing Properties With Failing REAC Scores or Life-Threatening Deficiencies
Include language in future notices of violation and default clearly stating that owners are required to inspect all units (including vacant units), common areas, grounds, building systems, and sites as part of the owner survey and require owners to include sufficient detail in the surveys to show (1) when the survey was conducted and (2) that the survey was a complete survey of the project.
HUD Lacked Adequate Oversight of Multifamily Housing Properties With Failing REAC Scores or Life-Threatening Deficiencies
Develop and implement adequate policies, procedures, and controls to ensure that owner certifications and surveys and other relevant documents related to properties that fail inspections or are noted as having EHS deficiencies are maintained and retrievable from an easily accessible location.
HUD Lacked Adequate Oversight of Multifamily Housing Properties With Failing REAC Scores or Life-Threatening Deficiencies
Develop and implement adequate controls to ensure that HUD staff with the appropriate level of authority approves extensions to the notices of violation and default cure periods in writing and that documentation is maintained to support such approvals.
HUD Lacked Adequate Oversight of Multifamily Housing Properties With Failing REAC Scores or Life-Threatening Deficiencies
Modify the queries used to generate the schedules of properties that accompany the reports to Congress to consider a larger range of dates to ensure that properties that failed consecutive inspections are appropriately identified on all applicable schedules.