HUD’s Office of Administration, in coordination with OCIO, should update and communicate its PII minimization plan. The plan should include detailed procedures to regularly review and remove unnecessary PII collections in accordance with OMB Circular A-130 (IG FISMA metric 35).

HUD OCIO should implement a process to consistently update and maintain its inventory of hardware assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized hardware assets from the HUD network (IG FISMA metrics 2, 20, and 21).

HUD OCIO should report at least 80 percent of its government-furnished equipment through the DHS CDM program (IG FISMA metric 2).

HUD OCIO should update its software inventory policies and procedures to account for critical software as defined by EO 14028 (IG FISMA metrics 3 and 21).

HUD OCIO should implement policies and procedures to maintain inventories of critical software and software licenses, critical software platforms, and all software installed on critical software platforms (both critical software and noncritical software) and use the inventory of critical software platforms and all software installed on them to ensure that only supported versions of software are used on those critical software platforms (IG FISMA metrics 3 and 21).

HUD OCIO should ensure that external systems, such as cloud systems and cloud service providers, have and maintain configuration management plans that are consistent with HUD’s defined configuration management requirements (IG FISMA metric 19).

HUD OCIO should implement procedures to ensure that digital identity risk assessments have been performed and documented in accordance with HUD’s defined procedures and Federal guidelines (IG FISMA metrics 30 and 31).

HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).

Implement a transparent process for reviewing open-ended exit survey results and sharing those results with ODEEO, as appropriate, and program offices while still protecting former employees’ confidentiality.

Assess what departing employees mean when they indicate that organizational culture is a motivation for leaving HUD.

Develop guidance for the program offices to identify the causes behind high attrition rates in governmentwide high-risk MCOs and field offices in large cities.

Develop guidance for program offices to develop program office-specific action plans to address any causes found for high attrition rates in governmentwide high-risk MCOs and field offices in large cities.

Create a single, unified agency-specific MCO list updated to reflect current progress toward closing skills gaps.

Complete and update the system security plans for GMP and DRGR and issue an SSN justification memorandum.

Identify and provide additional role-based training, guidance, and instructions to CPD employees on how to appropriately handle and safeguard PII encountered during monitoring.

Reinforce the use and admissibility of photographs and videos for evidence collection while remote monitoring.

Identify strategic opportunities to use remote monitoring early in the FY to maximize its responsibility to oversee and monitor its grantees and then use remote monitoring when those opportunities arise.

Create a plan and timeline that outlines OFO’s proposal to make necessary improvements to the EBLL tracker, such as moving it to a different platform.

Provide field office staff access to historical data in the EBLL tracker to be readily available as needed, with adequate protection of PII.

Update the EBLL tracker to show whether one or multiple children have an EBLL and whether the unit, building, or development previously had an EBLL reported.