HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).

HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).

HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).

HUD OCIO should implement procedures to ensure that digital identity risk assessments have been performed and documented in accordance with HUD’s defined procedures and Federal guidelines (IG FISMA metrics 30 and 31).

HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should develop and implement processes to monitor and analyze qualitative and quantitative performance measures for the effectiveness of its ISCM program (IG FISMA metric 47).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

Develop and execute a detailed plan and timeline for both testing and reporting estimates of improper payments in the PIH-TBRA and PBRA programs in compliance with Federal law and OMB guidance.

Status

As of January 30, 2026, HUD has not provided a management decision, detailed plan, or timeline as to how HUD will respond to the recommendation.  When OIG inquired on the status of this recommendation, HUD reported it had completed work in this area that was reflected in its fiscal year 2025 Annual Financial Report (AFR). However, based on what HUD reported it is unclear if it addressed our recommendation. OIG recently initiated the annual Payment Integrity Information Act (PIIA) audit which reviews HUD’s payment integrity information to determine HUD’s compliance. During this audit OIG will also determine the status of HUD’s efforts in terms of this recommendation.

Analysis

For HUD to close this recommendation, it must finish testing the full life cycle of payments in these programs and publicly report estimates of the improper payments in them. Merely producing a plan with future action target dates is not sufficient to meet the spirit of this recommendation.

PBRA and PIH-TBRA are the two largest program expenditures in HUD's portfolio, totaling $55.6 billion in FY 25, or 62.5 percent of HUD's total expenditures. HUD has been challenged with developing a compliant sampling methodology that can test the full payment cycle, and, that can be executed within the required timeframes. To fully address this recommendation, the sampling methodology should test the full payment cycle, and the associated sample testing and statistical estimation must be completed in time to be included in the Annual Financial Report.
Implementation of this recommendation will result in HUD better-safeguarding taxpayer dollars and decrease improper payments.

Implement a transparent process for reviewing open-ended exit survey results and sharing those results with ODEEO, as appropriate, and program offices while still protecting former employees’ confidentiality.

Assess what departing employees mean when they indicate that organizational culture is a motivation for leaving HUD.

Develop guidance for the program offices to identify the causes behind high attrition rates in governmentwide high-risk MCOs and field offices in large cities.

Develop guidance for program offices to develop program office-specific action plans to address any causes found for high attrition rates in governmentwide high-risk MCOs and field offices in large cities.

Create a single, unified agency-specific MCO list updated to reflect current progress toward closing skills gaps.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.