The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

Status

HUD provided a corrective action plan for this recommendation in May 2025. The planned corrective action requires the agency to acquire a data management system, develop cataloging standards, and coordinate with the program offices stated in the recommendation to ensure data is handled in a secure manner. The procurement process has not yet begun, yet in their initial plans, HUD will require vendor support to develop this tool. The estimated completion date of this recommendation is September 2027.

Analysis

By addressing the recommendation, HUD will be positioned better to protect and prioritize protection for data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-03 to be addressed by HUD.

HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential in the ability to protect and recover from attempted exfiltration attempts.

PIH in coordination with other HUD offices as necessary, research and address potential causes of the variance in the number of EBLL cases among States on the EBLL tracker and identify solutions that are within HUD's control.

Corrective Action Taken

On September 10, 2025, HUD took action to close priority recommendation 6 from HUD OIG Evaluation Report 2021-OE-0011b, Improvements are Needed to HUD’s Processes for Monitoring Elevated Blood Lead Levels and Lead-Based Paint Hazards in Public Housing, issued February 28, 2023.  HUD’s Office of Public and Indian Housing, Office of Field Operations (OFO), conducted research and comparative analysis of nine identified field offices and PHAs with unreported elevated blood lead levels (EBLL) and obtained the missing documentation and entered it into the EBLL tracker.  Additionally, OFO revised the EBLL tracker job aid, published new EBLL guidance, held office hours and group and individual trainings for OFO staff, and developed a PowerBI dashboard to accompany the EBLL tracker to allow for the visual monitoring of EBLL cases with outstanding or nearing deadlines.  These corrective actions have increased the effectiveness of the EBLL tracker and enhanced the accuracy of HUD records.  HUD can now ensure that EBLL cases are both reported and recorded in the EBLL tracker appropriately so that it can track progress towards addressing EBLLs and close EBLL cases in a timely manner.

Update HUD regulations, policies, and procedures following the regulatory process required by the amended Lead Safe Housing Rule, in consideration of CDC's lowered BLRV of 3.5 ug/dL.

Status

On January 17, 2025, HUD published a Federal Register notice to modify its EBLL threshold under its Lead Safe Housing Rule from to 5 to 3.5 micrograms of lead per deciliter of blood (µg/dL) for a child under the age of 6, consistent with the Centers for Disease Control and Prevention's current blood lead reference value of 3.5 µg/dL.

As of July 17, 2025, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that HUD has drafted a joint notice for HUD offices impacted by the modified elevated blood lead level (EBLL) threshold. These offices include OLHCHH, the Office of Community Planning and Development (CPD), the Office of Multifamily Housing Programs (MF), and the Office of Public and Indian Housing (PIH).

OLHCHH’s timeline to finish implementing the recommendation:

• The notice will enter the clearance process by the end of August.
• CPD, MF, PIH, and OLHCHH will publish the final joint notice by September 30, 2025.

The estimated completion date for these actions is September 30, 2025. The original estimated completion date was June 30, 2024, and was revised to account for the time required to (1) receive and review public comments on HUD’s proposed change to the EBLL threshold and (2) coordinate the implementation of the EBLL threshold change across the impacted HUD offices.

---

Analysis

To fully address this recommendation, OLHCHH must provide evidence that HUD has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 ug/dL.

Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and supply chain risk management (SCRM) requirements.  This recommendation includes (a) identification and prioritization of externally provided systems (new and legacy), components, and services; (b) how HUD maintains awareness of its upstream suppliers; (c) the integration of acquisition processes, tools, and techniques to use the acquisition process to protect the supply chain; and (d) contract tools or procurement methods to confirm that contractors are meeting their obligations. 

Corrective Action

HUD finalized its Supply Chain Risk Management (SCRM) policy in April 2025, which utilizes a SCRM questionnaire to assess each vendor’s supply chain risk, and identifies and prioritizes risks accordingly.  HUD’s SCRM program team manages a supply chain risk register which records prior and current vendors, and those that have undergone risk assessments to maintain visibility into its upstream suppliers and track changes over time.  HUD also used multiple tools such as supply chain risk criteria and sourcing research and market analysis to evaluate vendors and strengthen protection of the supply chain during acquisition.  By implementing these procedures, as well as, having HUD’s program management team conducting annual and quarterly performance reviews for all vendors, HUD ensures contractors are meeting their contractual obligations.

Evaluate IT acquisition process workflows and identify ways to simplify the processes, facilitate more effective stakeholder coordination across offices, and create efficiencies when possible.

Status

In November 2024, OCPO submitted an IT Acquisition Workflow Report and a document outlining responsibilities as evidence for closure. Although these documents clarified existing roles and documented one sample workflow, they did not propose or implement revised IT-acquisition policies or procedures producing measurable improvements. As of July 2025, OIG received no further information that identifies improvements in the IT acquisition process.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published its standard operating procedures resulting from its evaluation of workflows and efforts to simplify processes and facilitate more effective coordination.

Implementation of this recommendation will result in defined IT acquisition process workflow procedures to increase efficiency and ensure coordination across program offices.

Create and implement a knowledge management strategy, such as developing standard operating procedures, reference sheets, and program office fact sheets.

Corrective Action Taken

OCHCO developed and implemented client profiles for each HUD program office to address knowledge loss and the need for offices to explain or reexplain their mission and functions. The profiles will serve as a central repository to learn about the various programs and missions of HUD and will allow OCHCO staff, other key HUD program office staff, and HUD’s service provider staff to view critical information for each HUD program office.

Develop an enterprise-wide IT modernization strategy that establishes a framework to align with the IT modernization roadmap.

Corrective Action Taken

In January, 2024, HUD provided an OCIO approved an IT Modernization strategy that established a framework that aligned with its IT modernization roadmap. The strategy addressed each of the recommendation components (a. roles and responsibilities, b. prioritization of modernization initiatives, c. coordination process between OCIO and program offices, d. phased approach, and e. how lessons learned will be captured.

Develop and issue a departmentwide policy that notes that radon is a radioactive substance and outlines HUD's requirements to test for and mitigate excessive radon levels in accordance with 24 CFR 50.3(i)(1) and 58.5(i)(2)(i).

Corrective Action Taken

None Given.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel has stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. HUD has not provided an estimated completion date.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and that the whitelist is implemented per the NIST Special Publication 800-167 or otherwise accept the risk of not controlling access to its network and document mitigating measures via a Risk-Based Decision memorandum.

HUD has defined a requirement in HUD Handbook 3257.1, Rev. 3, “Software License Management Policy” for the Configuration Control Management Board and Technical Review Committee to be responsible for maintaining the list of allowed and prohibited software. However, a tool to enforce this list is required to implement the recommendation.

The implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its approved software asset listing.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.

Analysis

To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

In April 2024, HUD OIG met with HUD OCIO to discuss progress and requirements for closure of this recommendation. In addition, OIG reviewed this recommendation as part of the annual FY 2024 FISMA evaluation in April 2024 and learned from HUD OCIO that that there would be a procedure update that would implement the ingestion and monitoring of all inbound and outbound traffic. The OIG requested to be provided with these procedures when finalized and evidence of implementation on May 1, 2024.

Corrective Action Taken

HUD OCIO updated its Cybersecurity Incident Response Plan and developed more detection and protection mechanisms to monitor network traffic in its IT environment. These mechanisms include anti-malware agents, data loss prevention, endpoint detection and response, firewalls, and intrusion detection and prevention systems. HUD’s SOC also developed standard operating procedures and playbooks for abnormal traffic alerts triggered by the above tools that are posted internally for SOC personnel to utilize. Addressing this recommendation resulted in improvement of HUD’s networking monitoring process by enhancing visibility into network traffic. It also increased HUD’s incident response program capabilities by ensuring that HUD has a plan to monitor traffic and better detect and respond to security incidents. As part of our regular Federal Information Security Act of 2014 (FISMA) assessments, HUD OIG will continue to assess HUD’s incident response effectiveness and threat detection to ensure HUD addresses new and evolving threats.

Enforce the requirement for all HUD web applications and services to be approved by the CIO and ensure OCIO reviews and approves all IT contracts and services agreements dealing with creation or support of web applications or services.

Corrective Action Taken

In January 2023, HUD's Office of the Chief Information Officer developed and released a Web Applications Directive to all HUD program offices. This directive described how web applications are defined, approved, inventoried, and maintained, including processes for tracking, and monitoring such applications.