HUD OCIO should employ automation to maintain a timely and accurate view of security configuration information for all systems connected to its network (IG FISMA metric 20).

HUD OCIO should demonstrate that it can implement its defined security responses if a baseline configuration is changed without authorization. This can be shown by either a response to a real incident if one happens or through a testing exercise if there are no applicable incidents (IG FISMA metric 23).

HUD OCIO should review its security training program and determine whether it should provide general cybersecurity awareness training to external users of its systems and data (IG FISMA metric 44).

Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization.

Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed.

Housing should coordinate with HUD’s SOC to a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities. b. Establish program office responsibility for the log review process.  

Issue guidance to PHAs clarifying the timing of unit inspections and lead-based paint visual assessments to address the misinterpretation caused by the terms “annual” and “every 12 months.”

We recommend that the Chief Financial Officer enhance existing policies to establish a formal grant accrual risk management framework to help ensure consistent standards across HUD with regard to the development, review, and execution of the grant accrual and validation. This framework should include 1) identifying grant accrual estimation risk, assessing the magnitude of this risk, and managing the risks that arise when using certain…

We recommend that the Deputy Assistant Secretary for Operations of Community Planning and Development enhance CPDs existing Grant Accrual Standard Operating Procedures to strengthen governance within CPD and to effectively work within the framework established by the OCFO in recommendation 1A. The updated procedures should include increased ownership and oversight over the reviews, authorizations, approvals, and changes to the CPD grant…

Update selection rules for CAIVRS to provide for complete reporting of all ineligible borrowers to put $9.5 million to better use. Status In 2020, HUD suspended reporting delinquencies and defaults to the Credit Alert Verification Reporting System (CAIVRS) because these debts are owed to the lender and are not delinquent Federal debt. A debt is not delinquent until a payment is past due to HUD for a deficiency judgment against…

Update the Conveyance, Assignment, and Assumption Agreement to require purchasers to report final property outcomes and identifying information including those of third-party purchasers when applicable.

Enhance data collection and processing controls to ensure consistency in reporting data.

Enhance existing demonstration guidance within the Conveyance, Assignment, and Assumption Agreement to provide further detail regarding documentation retention requirements.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.