Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to creating rules for allowing only authorized software to be used through HUD's endpoint security software. The final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and it is implemented as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk-Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprisewide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement its procurement controls to ensure that it is able to locate and maintain the complete procurement documents for at least 3 years after the closeout of NSP1 and NSP3 in compliance with its own procedures and HUD regulations.

Provide the required documents to support $161,131 in NSP1 and $109,525 in NSP3 funds for expenses for acquisition, rehabilitation, and administration. If the City cannot provide the required documents, it should repay the U.S. Treasury from non-Federal funds.

Obtain technical assistance from HUD to ensure that it is able to manage the programs and comply with program regulations before processing future expenses related to NSP1 and NSP3 projects and activities.

Follow its NSP procedures and HUD regulations to complete and submit its future NSP1 and NSP3 HUD quarterly performance reports and annual single audit reports within the required timeframes until the closeout of the respective programs or until HUD is assured that these reports are consistently submitted on time.

Follow its own procedures and HUD regulations to post the missing 21 NSP1 and 22 NSP3 HUD quarterly performance reports, as of June 30, 2019, on its official website; and, post the future NSP1 and NSP3 HUD quarterly performance reports on its website until the closeout of the respective programs or until HUD is assured that these reports are consistently posted on its website.

Obtain technical assistance from HUD to ensure that the City is able to submit its quarterly performance reports and annual single audit reports on time and post the performance reports on its website to comply with program regulations.

Develop and implement an action plan that includes sufficient policies, procedures, and controls that address households living in multifamily housing units having a sufficient supply of safe drinking water […]

Status

In April 2022, HUD created draft standard operating procedures to address lead in the water of its multifamily housing units. On May 11, 2023, HUD published its National Standards for the Physical Inspection of Real Estate (NSPIRE) regulations that addressed lead in the water. Further, on June 30, 2023, HUD published its Implementation of National Standards for the Physical Inspection of Real Estate Administrative Procedures, which requires property owners and agents to provide information about water supply providers and water safety alerts, if applicable, prior to the commencement of a Real Estate Assessment Center (REAC) inspection. As a result, the Office of Multifamily Housing is revising its procedures and consulting with the Office of Lead Hazard Control and Healthy Homes (OLHCHH). As of February 2025, the OIG was waiting for additional information from the Office of Multifamily Housing demonstrating whether it has addressed the recommendation.

Analysis

To fully address this recommendation, the Office of Multifamily Housing must provide evidence of an action plan that includes its procedures that address households living in multifamily units to ensure that they have a sufficient supply of safe drinking water.

Implementation of this recommendation will enable HUD to have sufficient oversight and control activities in place to ensure households living in multifamily housing have a sufficient supply of safe drinking water.

Update and obtain final NARA approval of all HUD records retention schedules, including the Capstone email schedule, to comply with Federal requirements, including OMB M-19-21.

Develop and approve an enterprise strategy to meet all M-19-21 electronic transition requirements.

Issue a formal policy and requirements for managing CUI.

Complete the development of performance measures and establish a formal records evaluation process to measure the effectiveness and progress of the records management program.