HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).

HUD OCIO should implement procedures to ensure that digital identity risk assessments have been performed and documented in accordance with HUD’s defined procedures and Federal guidelines (IG FISMA metrics 30 and 31).

HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that HUD’s Deputy Assistant Secretary for Single Family Housing update policies and procedures regarding discrimination complaints to ensure consistency among customer service representatives in rerouting these complaints to FHEO.

We recommend that HUD’s Deputy Assistant Secretary for Single Family Housing ensure that the FHA Resource Center updates its training program to ensure that refresher training on housing discrimination is regularly provided to staff (such as monthly, quarterly, semiannually, etc.).

Develop a plan and a timeline that ensures all due and payable partial claims are transferred to the FOC, and subsequently processed by the FOC.

Develop and implement procedures to i) monitor the transfer of due and payable partial claims from NSC to the FOC for collection, ii) determine the financial statement impact of not referring due and payable partial claims to the FOC, and iii) decide when FHA will record a reclassification entry to accounts receivable for those due and payable partial claims that are not transferred to the FOC timely.

Consider accounting implications to the gross HECM loans receivable balance for the $20 million lost in security interests.

Record an adjusting entry to remove the duplicate $44 million from the gross HECM loans receivable balance as of September 30, 2023.

Identify and remove all duplicate transactions from the accounting module and prevent future occurrences.