The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement the requirements of HUD’s current Debt Collection Handbook, to include (1) assigning a program office manager, (2) developing and implementing debt collection standard operating procedures, (3) designating program action officials, and (4) ensuring that program action officials are trained and perform debt collection duties in a timely manner in accordance with the Debt Collection Handbook; HUD Handbook 2000.06, REV-4, Audits Management System; and other pertinent guidance and policies to ensure the accurate reporting of receivables in the general ledger.

Review all executed repayment agreements in HUD’s Tenant Rental Assistance Certification System (TRACS) to determine which repayment agreements have not been fully repaid and represent an amount owed to HUD and work with OCFO to record these receivables.

Include a field in TRACS to identify which repayment agreements represent an amount owed to HUD and implement controls to ensure the accuracy of the listing in TRACS.

Develop and implement controls to track and enforce repayments owed to HUD to ensure that owners are not delinquent on their repayment agreements.

Adequately notify homeowners that, due to COVID-19, all FHA refund applications and supporting documents should be sent electronically to avoid delay in processing. This process should include (1) developing and expediting implementation of correspondence sent to homeowners with the application, (2) a notice of operational changes on HUD’s FHA refunds websites, (3) ensuring that HUD’s Does HUD Owe You a Refund website is updated to the most recent FHA Homeowners Fact Sheet, (4) an updated voice message from the call center including an accurate email, and (5) developing an updated script for call center agents for the initial contact with the homeowner, follow up, and contact with homeowners who already submitted their application by mail.

Conduct a privacy impact assessment for accepting homeowner FHA refund applications and supporting documentation that contain PII electronically to identify potential risks and develop and implement plans to mitigate those risks.

Develop and implement written policies and procedures for SFIOD to quickly respond to emergency situations when staff cannot return to the office. Procedures should include steps to quickly notify homeowners of any changes made to the FHA refund process.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to creating rules for allowing only authorized software to be used through HUD's endpoint security software. The final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and it is implemented as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk-Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.