We recommend that the Deputy Assistant Secretary instruct the Authority to develop and implement policies and detailed procedures to identify the risk analysis process for monitoring all CDBG-DR-funded activities during the course of the activity and require that the monitoring files document the basis for why an activity is or is not monitored.

We recommend that the Deputy Assistant Secretary instruct the Authority to train the CMU staff on the newly developed policies and procedures and obtain technical assistance from HUD as needed.

We recommend that the Director of the Office of Disaster Recovery require the State to implement policies and procedures that require maintaining documentation to ensure it can support compliance for the installation of 36-inch roof valley flashing.

We recommend that the Director of the Office of Disaster Recovery require the State to determine if the proper roof valley flashing was installed on the completed and in progress homes, and if not, require the State to install the correct roof valley flashing using non-Federal funds.

We recommend that the Director of the Office of Disaster Recovery require the State to enhance the system used to estimate costs, to include the Wildland-Urban Interface Code required roof valley flashing, or document in the system and its output the different materials and costs used.

We recommend that the Director of the Office of Disaster Recovery require the State to develop and implement a policy to identify ownership and primary residency earlier in the review process and potential red flags in documentation.

We recommend that the Director of the Office of Disaster Recovery require the State to document and support its decision regarding duplication of benefits and income verification for additional owners of the property under an application.

We recommend that the General Deputy Assistant Secretary, Office of Policy Development and Research, and the Deputy Chief Information Officer, Office of the Chief Information Officer develop the project management documents, as required by HUD’s Project Planning and Management Life Cycle V2.0 policy, including obtaining required approvals and ensuring that an adequate project risk management process is established for identifying, analyzing,…

HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.

HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.

The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.

HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).

HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.

Revise HUD’s Controlled Unclassified Information Policy to include the anti-gag provision.

Revise HUD’s Controlled Unclassified Information Policy to state that (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.

Review whether potential violations of the Antideficiency Act took place because of implementing or enforcing any nondisclosure policies, forms, or agreements that do not include the anti-gag provision as required by law. If it is determined that a violation occurred, the Chief Financial Officer should take disciplinary actions as appropriate and report the identified violations to the oversight authorities, including the HUD Secretary, the…

Implement a plan to annually survey all HUD program offices to identify nondisclosure policies, forms, and agreements issued and to determine whether they include the anti-gag provision as required by WPEA and, as necessary, to take corrective action to ensure that they include the anti-gag provision.

Communicate across HUD that (a) HUD employees are required to include the anti-gag provision in nondisclosure policies, forms, and agreements applicable to HUD employees and (b) program offices should consider requiring their employees to request OGC assistance when implementing and enforcing nondisclosure policies, forms, and agreements applicable to HUD employees.

Revise the Ginnie Mae Confidential Information Policy to state that in the future, (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.