Develop and implement a plan to review the reserve for replacement accounts for all converted properties from the date on which the account was established to the date of the review. Based on the reviews completed, HUD should take appropriate actions to ensure that reserve for replacement accounts are appropriately funded or determine whether overfunded accounts should have the deposits suspended for a specified period.
2025-CH-0001 | December 18, 2024
HUD’s Office of Multifamily Needs To Improve Its Oversight of PBRA and FHA-Insured PBV Properties Converted Under RAD
Housing
- 2025-CH-0001-001-J
- 2025-CH-0001-002-A
Implement adequate procedures and controls to ensure that servicing lenders comply with HUD time requirements in scheduling initial inspections of FHA-insured RAD PBV properties.
- 2025-CH-0001-002-B | Priority
We believe these open recommendations, if implemented, will have the greatest impact on helping HUD achieve its mission to create strong, sustainable, inclusive communities and quality affordable homes for all.
Determine an appropriate timeframe in which non-FHA-insured Project-Based Rental Assistance (PBRA) properties converted under the Rental Assistance Demonstration should be initially inspected, work with HUD’s Real Estate Assessment Center (REAC) to ensure that inspections are ordered and completed within that timeframe, and update HUD’s publicly available and internal guidance to ensure consistent messaging in accordance with HUD’s determination.
Status
As of January 2026, Multifamily Housing plans to develop and implement adequate policies, procedures, and controls to ensure non-FHA insured PBRA properties under RAD are inspected within 90 days after the original date of the HAP contract, unless the property has been approved for inspection delay during major rehabilitation, then within 90 days after the end of the approved inspection delay. Further, Multifamily Housing will provide appropriate updated guidance to both internal and external partners relative to non-FHA-insured PBRA properties converted under RAD. The target completion date is March 31, 2026.
Analysis
Determining the appropriate timeframe for initial inspections would result in the timely identification and correction of life-threatening and non-life-threatening deficiencies.
The recommended corrective action has the potential to directly impact the health and safety of families.
2024-OE-0007 | December 13, 2024
The U.S. Department of Housing and Urban Development Nondisclosure Agreements’ Incorporation of Whistleblower Protections
Office of Administration
- 2024-OE-0007-01 | Status: Closed on September 02, 2025
Revise HUD’s Controlled Unclassified Information Policy to include the anti-gag provision.
- 2024-OE-0007-02 | Status: Closed on September 02, 2025
Revise HUD’s Controlled Unclassified Information Policy to state that (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.
General Counsel
- 2024-OE-0007-04 | Status: Closed on April 30, 2025
Implement a plan to annually survey all HUD program offices to identify nondisclosure policies, forms, and agreements issued and to determine whether they include the anti-gag provision as required by WPEA and, as necessary, to take corrective action to ensure that they include the anti-gag provision.
- 2024-OE-0007-05 | Status: Closed on January 26, 2026
Communicate across HUD that (a) HUD employees are required to include the anti-gag provision in nondisclosure policies, forms, and agreements applicable to HUD employees and (b) program offices should consider requiring their employees to request OGC assistance when implementing and enforcing nondisclosure policies, forms, and agreements applicable to HUD employees.
Government National Mortgage Association
- 2024-OE-0007-06 | Status: Closed on April 10, 2025
Revise the Ginnie Mae Confidential Information Policy to state that in the future, (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.
Chief Financial Officer
- 2024-OE-0007-03
Review whether potential violations of the Antideficiency Act took place because of implementing or enforcing any nondisclosure policies, forms, or agreements that do not include the anti-gag provision as required by law. If it is determined that a violation occurred, the Chief Financial Officer should take disciplinary actions as appropriate and report the identified violations to the oversight authorities, including the HUD Secretary, the President, the Office of Management and Budget, Congress, and the Comptroller General.
2023-OE-0007 | December 12, 2024
U.S. Department of Housing and Urban Development Personally Identifiable Information Risk Management in a Zero Trust Environment (2023-OE-0007) Evaluation Report
Office of Administration
- 2023-OE-0007-05
HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).
Policy Development & Research
- 2023-OE-0007-03 | Priority
The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.
Status
HUD provided a corrective action plan for this recommendation in May 2025. The planned corrective action requires the agency to acquire a data management system, develop cataloging standards, and coordinate with the program offices stated in the recommendation to ensure data is handled in a secure manner. The procurement process has not yet begun; under its initial plans, HUD will require vendor support to develop this tool. The estimated completion date of this recommendation is September 2027.
Analysis
By addressing the recommendation, HUD will be better positioned to protect, and to prioritize protection of, data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-03 to be addressed by HUD.
HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential to the ability to protect against and recover from exfiltration attempts.
Chief Information Officer
- 2023-OE-0007-01 | Status: Closed on June 03, 2025
HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.
- 2023-OE-0007-02 | Status: Closed on June 03, 2025
HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.
- 2023-OE-0007-04
HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.
- 2023-OE-0007-06
HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.
2024-OE-0002a | December 11, 2024
Fiscal Year 2024 Federal Information Security Modernization Act of 2014 Penetration Test
Chief Information Officer
- 2024-OE-0002a-01 | Sensitive
Sensitive information refers to information that could have a damaging import if released to the public and, therefore, must be restricted from public disclosure.
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2024-OE-0002a-02 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2024-OE-0002a-03 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2024-OE-0002a-04 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.
- 2024-OE-0002a-05 | Sensitive
The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.