Update applicable requirements to require assisted property owners, including PHAs, to maintain adequate documentation to support their determinations that maintenance and hazard reduction activities that disturb surfaces with lead-based paint qualify for the de minimis exemption from the lead-safe work practices under the Lead Safe Housing Rule.

Status

To address this recommendation, The Office of Lead Hazard Control and Healthy Homes (OLHCHH) agreed to:

1. Issue a notice to assisted target housing owners and public housing agencies on the de minimis exception citing the correct application of the de minimis threshold; describing appropriate documentation methods for the application of the de minimis threshold; and recommendations of best practices for documenting applications.
2. Collect additional data regarding the use of the de minimis threshold, including information on how private and public housing owners: (a) determine how much paint in target housing will be disturbed during a maintenance or rehabilitation project; (b) use the paint disturbance area information; (c) monitor the amount of paint disturbed in projects that are designed to disturb de minimis amounts of paint in target housing.
3. Design and conduct webinars, including at least one for each program office’s major categories of stakeholders on requirements and best practices pertaining to the de minimis exception under the Lead Safe Housing Rule and its implementation; record the webinars on the HUD website (e.g., on HUD Exchange) for future viewing by stakeholders; and conduct outreach promoting the webinars.

The OLHCHH had drafted guidance on the de minimis exception to the Lead Safe Housing Rule for PIH, Multifamily Housing, and CPD and submitted it through the clearance process in September 2024. As of July 2025, OLHCHH continues to revise the draft guidance in consideration of the comments it received during the clearance review process. HUD did not provide an updated target date to complete the agreed upon actions, which had been January 31, 2024.

Analysis

To implement this recommendation, HUD needs to provide evidence that it has implemented the three actions OLHCHH agreed to complete.

Implementation of this recommendation and associated corrective actions will ensure assisted property owners are sufficiently informed regarding the requirements to support their determinations that maintenance and hazard reduction activities that disturb surfaces with lead-based paint qualify for the de minimis exemption from the lead-safe work practices under the Lead Safe Housing Rule and that assisted property owners are conducting this work safely, thereby ensuring households are residing in safe and healthy HUD-assisted housing.

HUD OCIO should implement procedures to ensure that information in cybersecurity risk registers is obtained accurately, consistently, and in a reproducible format and is used to a. quantify and aggregate security risks, b. normalize cybersecurity risk information across organizational units, and c. prioritize operational risk response (derived from metric 5).

HUD OCIO and the HUD Chief Risk Officer should coordinate to implement procedures to monitor the effectiveness of cybersecurity risk responses to ensure that risk tolerances are maintained at an appropriate level (derived from metric 5).

HUD OCIO and the Office of Administration should implement procedures to ensure proper validation of media sanitization in accordance with HUD Media Protection Procedures 2.0 (February 2022) and form HUD 1067A, Certification of Sanitization (derived from metric 36).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

HUD OCIO should ensure that system owners and information system security officers consistently test their ISCPs and upload the test results to CSAM in accordance with HUD’s defined ISCP testing policy (derived from metric 63).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and supply chain risk management (SCRM) requirements.  This recommendation includes (a) identification and prioritization of externally provided systems (new and legacy), components, and services; (b) how HUD maintains awareness of its upstream suppliers; (c) the integration of acquisition processes, tools, and techniques to use the acquisition process to protect the supply chain; and (d) contract tools or procurement methods to confirm that contractors are meeting their obligations. 

Corrective Action

HUD finalized its Supply Chain Risk Management (SCRM) policy in April 2025, which utilizes a SCRM questionnaire to assess each vendor’s supply chain risk, and identifies and prioritizes risks accordingly.  HUD’s SCRM program team manages a supply chain risk register which records prior and current vendors, and those that have undergone risk assessments to maintain visibility into its upstream suppliers and track changes over time.  HUD also used multiple tools such as supply chain risk criteria and sourcing research and market analysis to evaluate vendors and strengthen protection of the supply chain during acquisition.  By implementing these procedures, as well as, having HUD’s program management team conducting annual and quarterly performance reviews for all vendors, HUD ensures contractors are meeting their contractual obligations.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.