
Lead Hazard Control

  •  
    2021-OE-0011b-01
    Priority

    We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.

    Update HUD regulations, policies, and procedures following the regulatory process required by the amended Lead Safe Housing Rule, in consideration of CDC's lowered BLRV of 3.5 µg/dL.


    Status

    On January 17, 2025, HUD published a Federal Register notice to modify its EBLL threshold under its Lead Safe Housing Rule from 5 to 3.5 micrograms of lead per deciliter of blood (µg/dL) for a child under the age of 6, consistent with the Centers for Disease Control and Prevention's current blood lead reference value of 3.5 µg/dL.

    As of July 17, 2025, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that HUD has drafted a joint notice for HUD offices impacted by the modified elevated blood lead level (EBLL) threshold. These offices include OLHCHH, the Office of Community Planning and Development (CPD), the Office of Multifamily Housing Programs (MF), and the Office of Public and Indian Housing (PIH).

    OLHCHH’s timeline to finish implementing the recommendation:

    • The notice will enter the clearance process by the end of August.
    • CPD, MF, PIH, and OLHCHH will publish the final joint notice by September 30, 2025.

    The estimated completion date for these actions is September 30, 2025. The original estimated completion date was June 30, 2024, and was revised to account for the time required to (1) receive and review public comments on HUD’s proposed change to the EBLL threshold and (2) coordinate the implementation of the EBLL threshold change across the impacted HUD offices.


    Analysis

    To fully address this recommendation, OLHCHH must provide evidence that HUD has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 µg/dL.

    Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.

Lead Hazard Control

  •  
    2023-IG-0001-001-A
    Priority

    Update applicable requirements to require assisted property owners, including PHAs, to maintain adequate documentation to support their determinations that maintenance and hazard reduction activities that disturb surfaces with lead-based paint qualify for the de minimis exemption from the lead-safe work practices under the Lead Safe Housing Rule.


    Status

    To address this recommendation, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) agreed to:

    1. Issue a notice to assisted target housing owners and public housing agencies on the de minimis exception, citing the correct application of the de minimis threshold; describing appropriate documentation methods for the application of the de minimis threshold; and recommending best practices for documenting applications.
    2. Collect additional data regarding the use of the de minimis threshold, including information on how private and public housing owners: (a) determine how much paint in target housing will be disturbed during a maintenance or rehabilitation project; (b) use the paint disturbance area information; (c) monitor the amount of paint disturbed in projects that are designed to disturb de minimis amounts of paint in target housing.
    3. Design and conduct webinars, including at least one for each program office’s major categories of stakeholders on requirements and best practices pertaining to the de minimis exception under the Lead Safe Housing Rule and its implementation; record the webinars on the HUD website (e.g., on HUD Exchange) for future viewing by stakeholders; and conduct outreach promoting the webinars.

    The OLHCHH had drafted guidance on the de minimis exception to the Lead Safe Housing Rule for PIH, Multifamily Housing, and CPD and submitted it through the clearance process in September 2024. As of July 2025, OLHCHH continues to revise the draft guidance in consideration of the comments it received during the clearance review process. HUD did not provide an updated target date to complete the agreed-upon actions, which had been January 31, 2024.


    Analysis

    To implement this recommendation, HUD needs to provide evidence that it has implemented the three actions OLHCHH agreed to complete.

    Implementation of this recommendation and associated corrective actions will ensure assisted property owners are sufficiently informed regarding the requirements to support their determinations that maintenance and hazard reduction activities that disturb surfaces with lead-based paint qualify for the de minimis exemption from the lead-safe work practices under the Lead Safe Housing Rule and that assisted property owners are conducting this work safely, thereby ensuring households are residing in safe and healthy HUD-assisted housing.

Chief Information Officer

  •  
    2021-OE-0001-08
    Sensitive

    Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.

    Priority

    Closed on August 20, 2025

    Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and supply chain risk management (SCRM) requirements. This recommendation includes (a) identification and prioritization of externally provided systems (new and legacy), components, and services; (b) how HUD maintains awareness of its upstream suppliers; (c) the integration of acquisition processes, tools, and techniques to use the acquisition process to protect the supply chain; and (d) contract tools or procurement methods to confirm that contractors are meeting their obligations.


    Corrective Action

    HUD finalized its Supply Chain Risk Management (SCRM) policy in April 2025, which utilizes a SCRM questionnaire to assess each vendor’s supply chain risk, and identifies and prioritizes risks accordingly. HUD’s SCRM program team manages a supply chain risk register, which records prior and current vendors and those that have undergone risk assessments, to maintain visibility into its upstream suppliers and track changes over time. HUD also used multiple tools, such as supply chain risk criteria and sourcing research and market analysis, to evaluate vendors and strengthen protection of the supply chain during acquisition. By implementing these procedures, as well as having HUD’s program management team conduct annual and quarterly performance reviews for all vendors, HUD ensures contractors are meeting their contractual obligations.

Chief Information Officer

  •  
    2021-OE-0003-01
    Priority

    Closed on February 07, 2024

    Develop an enterprise-wide IT modernization strategy that establishes a framework to align with the IT modernization roadmap.


    Corrective Action Taken

    In January 2024, HUD provided an OCIO-approved IT Modernization strategy that established a framework that aligned with its IT modernization roadmap. The strategy addressed each of the recommendation components (a. roles and responsibilities, b. prioritization of modernization initiatives, c. coordination process between OCIO and program offices, d. phased approach, and e. how lessons learned will be captured).

Chief Information Officer

  •  
    2020-OE-0001-01
    Sensitive
    Priority

    Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.


    Status

    HUD previously reported that it was implementing a software management tool with an expected implementation date of quarter 2 of FY 2025; however, between quarter 2 and 3 of FY 2025, HUD personnel stated that the tool would not meet the agency’s needs. Accordingly, HUD is looking at a new tool to implement this program and collaborating with the DHS continuous diagnostics and monitoring team to analyze options. HUD has not provided an estimated completion date.


    Analysis

    To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and that the whitelist is implemented per NIST Special Publication 800-167, or otherwise accept the risk of not controlling access to its network and document mitigating measures via a Risk-Based Decision memorandum.

    HUD has defined a requirement in HUD Handbook 3257.1, Rev. 3, “Software License Management Policy” for the Configuration Control Management Board and Technical Review Committee to be responsible for maintaining the list of allowed and prohibited software. However, a tool to enforce this list is required to implement the recommendation.

    The implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its approved software asset listing.

  •  
    2020-OE-0001-15
    Sensitive
    Priority

    Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.


    Status

    The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.


    Analysis

    To fully address the recommendation, HUD must implement multifactor authentication enterprise-wide.

    Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Nonprivileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

  •  
    2020-OE-0001-16
    Sensitive
    Priority

    Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.


    Status

    The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprise-wide. HUD is in the process of conducting baseline surveys for all 200+ systems to determine how to handle systems that need architectural adjustments to utilize the tool. This is assisting HUD in developing an agency-wide implementation plan, which is expected to take several years to implement.


    Analysis

    To fully address this recommendation, HUD must implement multifactor authentication enterprise-wide.

    Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Privileged users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Chief Information Officer

  •  
    2019-OE-0002-16
    Sensitive
    Priority

    Closed on August 26, 2024

    In April 2024, HUD OIG met with HUD OCIO to discuss progress and requirements for closure of this recommendation. In addition, OIG reviewed this recommendation as part of the annual FY 2024 FISMA evaluation in April 2024 and learned from HUD OCIO that there would be a procedure update that would implement the ingestion and monitoring of all inbound and outbound traffic. The OIG requested to be provided with these procedures when finalized and evidence of implementation on May 1, 2024.


    Corrective Action Taken

    HUD OCIO updated its Cybersecurity Incident Response Plan and developed more detection and protection mechanisms to monitor network traffic in its IT environment. These mechanisms include anti-malware agents, data loss prevention, endpoint detection and response, firewalls, and intrusion detection and prevention systems. HUD’s SOC also developed standard operating procedures and playbooks for abnormal traffic alerts triggered by the above tools; these are posted internally for SOC personnel to utilize. Addressing this recommendation resulted in improvement of HUD’s network monitoring process by enhancing visibility into network traffic. It also increased HUD’s incident response program capabilities by ensuring that HUD has a plan to monitor traffic and better detect and respond to security incidents. As part of our regular Federal Information Security Act of 2014 (FISMA) assessments, HUD OIG will continue to assess HUD’s incident response effectiveness and threat detection to ensure HUD addresses new and evolving threats.

Chief Information Officer

  •  
    2016-OE-0002-03
    Sensitive
    Priority

    Closed on January 10, 2023

    Enforce the requirement for all HUD web applications and services to be approved by the CIO and ensure OCIO reviews and approves all IT contracts and services agreements dealing with creation or support of web applications or services.


    Corrective Action Taken

    In January 2023, HUD's Office of the Chief Information Officer developed and released a Web Applications Directive to all HUD program offices. This directive described how web applications are defined, approved, inventoried, and maintained, including processes for tracking and monitoring such applications.