HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

We recommend that the Deputy Secretary Develop and execute a detailed plan and timeline for both testing and reporting estimates of improper payments in the PIH-TBRA and PBRA programs in compliance with Federal law and OMB guidance.

Status

In response to the Management Alert, the Deputy Secretary stated that she would provide a plan in 30 days. On April 10, 2024, the Chief Financial Officer, Assistant Secretary for Housing, and Principal Deputy Assistant Secretary for Public and Indian Housing (PIH) stated their respective executives had been working together to develop a plan to accelerate HUD’s ability to produce statistically valid estimates. With respect to PBRA, HUD plans to use ongoing data collection for fiscal year (FY) 2023 tier 1 and tier 2 payments to develop a statistical estimate in FY 2024.

However, our ongoing Payment Integrity Information Act audit has determined that neither program produced a compliant estimate in fiscal year 2024. For multifamily-PBRA, HUD made some progress and reported an estimate that captured part of the payment cycle; however, the estimate did not include testing to ensure that housing assistance payments from contract administrators to owners were calculated correctly and supported by tenant-level documentation. The PIH-TBRA program did not produce an estimate at all, noting that IT system modernization must occur first. However, PIH has not yet provided a plan that indicates how the system upgrades will address this issue or a timeline for implementation. As of January 31, 2025, a detailed plan or timeline has not been provided.

Analysis

As of January 31, 2025, HUD has not provided a detailed plan or timeline for OIG review. It remains unclear how HUD will produce a complete estimate of the PBRA programs in future years, and when it will be able to produce an estimate for PIH-TBRA.

For HUD to close this recommendation, it must finish testing the full life cycle of payments in these programs and publicly report estimates of the improper payments in them. Merely producing a plan with future action target dates is not sufficient to meet the spirit of this recommendation.

PBRA and PIH-TBRA are the two largest program expenditures in HUD's portfolio, totaling $50 billion in FY 24, or 62.4 percent of HUD's total expenditures. HUD has been challenged with developing a compliant sampling methodology that can test the full payment cycle and that can be executed within the required timeframes. To fully address this recommendation, the sampling methodology should test the full payment cycle, and the associated sample testing and statistical estimation must be completed in time to be included in the Annual Financial Report.

Implementation of this recommendation will result in HUD better-safeguarding taxpayer dollars and decrease improper payments.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Identify short- and long-term plans for the RPA program that align its capabilities, staffing needs, funding projections, and mission needs.

Implement procedures to capture and monitor centralized logs to maintain appropriate visibility into bot activities and provide for auditability of bot actions.

Implement procedures to periodically review RPA system access and remove access for users that are not authorized or no longer have a need to use the system.

Implement procedures to ensure that attended bots use the security rights and credentials of the attending user.

Research, evaluate, and implement technical or alternative solutions to deploy essential computer software updates using appropriate secure methods to ensure that computer security updates occur in a timely manner to minimize risk to HUD’s systems and operations

Research, evaluate, and implement technical solutions to provide additional improvements to VPN and related remote working capabilities of HUD system users.

Perform routine VPN stress tests as part of its contingency planning and testing processes to regularly identify and remediate network performance issues and ensure that network capabilities are sufficient for teleworking.

Research, evaluate, and implement technical solutions to resolve the user account management issues and the underlying issue in the technical environment.