HUD (a) identify all contracts related to its programs that pre-date July 1, 2013 and that have not yet been modified to include Section 4712 whistleblower protections; and (b) review all contracts entered into on or after July 1, 2013, to ensure they include a clause that requires contractors to comply with Section 4712.

Status

HUD provided a Management Plan that identifies actions HUD is taking to address the recommendation. The OIG and HUD have not reached an agreement that the actions proposed will fully address the recommendations. Additionally, HUD has not completed several of the proposed actions and is still collecting information that responds to the recommendations.

Analysis

To fully address this recommendation, HUD must (a) identify all contracts related to its programs that pre-date July 1, 2013, and that have not yet been modified to include Section 4712 whistleblower protections; and (b) review all contracts entered on or after July 1, 2013, to ensure they include a clause that requires contractors to comply with Section 4712.

Implementation of this recommendation will ensure that Section 4712 whistleblower protections will apply to all individuals working for HUD contractors.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprisewide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.