The Virgin Islands Housing Finance Authority's Administration of Its Non-Federal Match Program for Community Development Block Grant Disaster Recovery Funds Had Weaknesses
We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to develop and implement detailed policies and procedures to guide staff in reporting performance outcomes in the QPR and on its disaster recovery website.
The Virgin Islands Housing Finance Authority's Administration of Its Non-Federal Match Program for Community Development Block Grant Disaster Recovery Funds Had Weaknesses
We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to revise its policies and procedures to include requirements to document its basis for activities’ meeting the national objective, including the rationale for the service area used and a list of acceptable documents to support that the area was primarily residential for the low- and moderate-income area benefit national objective.
The Virgin Islands Housing Finance Authority's Administration of Its Non-Federal Match Program for Community Development Block Grant Disaster Recovery Funds Had Weaknesses
We recommend that the Deputy Assistant Secretary instruct the Virgin Islands Housing Finance Authority to conduct training for Authority staff on the newly developed or revised policies and procedures.
The Virgin Islands Housing Finance Authority's Administration of Its Non-Federal Match Program for Community Development Block Grant Disaster Recovery Funds Had Weaknesses
We recommend that the Deputy Assistant Secretary work with the Authority to assess the risk of potential improper payment for projects PW273 and PW100 and vouchers 576322, 583423, and 578761.
The Virgin Islands Housing Finance Authority's Administration of Its Non-Federal Match Program for Community Development Block Grant Disaster Recovery Funds Had Weaknesses
We recommend that the Deputy Assistant Secretary require HUD program staff to provide technical assistance to the Authority to address deficiencies noted throughout the audit report.
The Virgin Islands Housing Finance Authority Did Not Effectively Monitor Its CDBG-DR Activities
We recommend that the Deputy Assistant Secretary instruct the Authority to develop and implement monitoring policies and detailed procedures to guide the Authority’s CMU staff in assessing activity performance to meet the subrecipient monitoring requirements and establish written performance metrics to progressively achieve the performance outcome for those activities the Authority administers.
The Virgin Islands Housing Finance Authority Did Not Effectively Monitor Its CDBG-DR Activities
We recommend that the Deputy Assistant Secretary instruct the Authority to revise subrecipient agreements to include performance metrics and milestones tailored to the activity in sufficient detail to enable the Authority to collect information to effectively assess the activity’s performance.
The Virgin Islands Housing Finance Authority Did Not Effectively Monitor Its CDBG-DR Activities
We recommend that the Deputy Assistant Secretary instruct the Authority to revise the monthly status report template to allow the subrecipient to report its current progress against the established performance metrics.
The Virgin Islands Housing Finance Authority Did Not Effectively Monitor Its CDBG-DR Activities
We recommend that the Deputy Assistant Secretary instruct the Authority to develop a tracking process to ensure that the Authority issues monitoring reports and receives responses to these reports within the timeframe required by its policy. This process should also include a referral to management when the timeframe requirements are not met.
FY 2023 FISMA
HUD OCIO should consistently implement personnel accountability procedures to ensure that assigned cybersecurity risk management roles are being performed in an effective manner (IG FISMA metric 7).
FY 2023 FISMA
HUD’s Office of the Chief Financial Officer (OCFO), in coordination with other appropriate program offices, should define and implement a risk-based process to assess and document IT risk management personnel resourcing needs and that those personnel are allocated effectively to support HUD’s risk management program (IG FISMA metric 7).
FY 2023 FISMA
HUD OCFO, in coordination with other appropriate program offices, should define and implement a process to document and allocate non-personnel risk management resources in a risk-based manner, to include but not limited to funding, processes, and technology (IG FISMA metric 7).
FY 2023 FISMA
HUD OCIO should ensure that external systems, such as cloud systems and cloud service providers, have and maintain configuration management plans that are consistent with HUD’s defined configuration management requirements (IG FISMA metric 19).
FY 2023 FISMA
HUD OCIO should define and implement metrics to monitor the effectiveness of ICAM program activities and assist in identifying areas for improvement (IG FISMA metric 26).
FY 2023 FISMA
HUD OCIO should develop a comprehensive ICAM policy, strategy, process, and technology solution roadmap, including milestones, budget estimates, and appropriate technology solution details (IG FISMA metric 27). This recommendation replaces FY 2020 FISMA recommendation 11.
FY 2023 FISMA
HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).
FY 2023 FISMA
HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).
FY 2023 FISMA
HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).
FY 2023 FISMA
HUD OCIO should implement procedures to ensure that digital identity risk assessments have been performed and documented in accordance with HUD’s defined procedures and Federal guidelines (IG FISMA metrics 30 and 31).
FY 2023 FISMA
HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).