The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2020-OE-0001 | November 30, 2020
HUD Fiscal Year 2020 Federal Information Security Modernization Act of 2014 (FISMA) Evaluation Report
Chief Information Officer
- 2020-OE-0001-13 | Sensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
- 2020-OE-0001-14 | Sensitive
Closed on August 30, 2022
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-15 | Sensitive
Priority: We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.
Analysis
To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- 2020-OE-0001-16 | Sensitive
Priority
Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.
Status
The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.
Analysis
To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.
Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.
- 2020-OE-0001-18 | Sensitive
Closed on July 25, 2024
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-19 | Sensitive
Closed on July 25, 2024
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-20 | Sensitive
Closed on April 21, 2022
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-21 | Sensitive
Closed on September 16, 2021
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-22 | Sensitive
Closed on July 25, 2024
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-23 | Sensitive
Closed on July 01, 2025
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-24 | Sensitive
Closed on July 08, 2021
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-25 | Sensitive
Closed on May 13, 2021
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2020-OE-0001-26 | Sensitive
Closed on July 01, 2024
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
2021-FO-0002 | November 16, 2020
Audit of Ginnie Mae’s Fiscal Year 2020 Financial Statements
Government National Mortgage Association
- 2021-FO-0002-001-A
Closed on July 29, 2021
Create separate reporting lines between model development and model validation functions so that both critical model functions do not report to OER, are appropriately segregated in accordance with industry guidance, and follow the foundational component of internal control standards.
2021-LA-1001 | October 27, 2020
The City of Compton, Compton, CA, Did Not Always Administer Neighborhood Stabilization Program Funds in Compliance With Procedures and Regulations
Community Planning and Development
- 2021-LA-1001-001-A
Implement its procurement controls to ensure that it is able to locate and maintain the complete procurement documents for at least 3 years after the closeout of NSP1 and NSP3 in compliance with its own procedures and HUD regulations.
- 2021-LA-1001-002-A | $270,656 Questioned Costs
Recommendations with questioned costs identify costs: (A) resulting from an alleged violation of a law, regulation, contract, grant, or other document or agreement governing the use of Federal funds; (B) that are not supported by adequate documentation (also known as an unsupported cost); or (C) that appear unnecessary or unreasonable.
Provide the required documents to support $161,131 in NSP1 and $109,525 in NSP3 funds for expenses for acquisition, rehabilitation, and administration. If the City cannot provide the required documents, it should repay the U.S. Treasury from non-Federal funds.
- 2021-LA-1001-002-B | $1,550 Questioned Costs
Closed on March 06, 2025
Repay the U.S. Treasury from non-Federal funds for the $1,550 overpaid to acquire a foreclosed NSP3 property.
- 2021-LA-1001-002-C
Obtain technical assistance from HUD to ensure that it is able to manage the programs and comply with program regulations before processing future expenses related to NSP1 and NSP3 projects and activities.
- 2021-LA-1001-003-A
Follow its NSP procedures and HUD regulations to complete and submit its future NSP1 and NSP3 HUD quarterly performance reports and annual single audit reports within the required timeframes until the closeout of the respective programs or until HUD is assured that these reports are consistently submitted on time.
- 2021-LA-1001-003-B
Follow its own procedures and HUD regulations to post the missing 21 NSP1 and 22 NSP3 HUD quarterly performance reports, as of June 30, 2019, on its official website, and post the future NSP1 and NSP3 HUD quarterly performance reports on its website until the closeout of the respective programs or until HUD is assured that these reports are consistently posted on its website.