Develop and implement additional subrecipient monitoring training and guidance for all ESG grantees.

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity update protocols to promote consistent expectations for timely supervisory, legal, and headquarters reviews of complex cases.

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity review and update the MOUs with OGC for each region to identify and remove inefficiencies that can lead to longer FHEO investigation times and OGC review times and identify best practices that can be implemented across all regions.

We recommend that HUD’s Deputy Assistant Secretary for Fair Housing and Equal Opportunity review and update investigative processes followed by each regional office to identify best practices that can be implemented across all regions and identify and remove inefficiencies that can lead to longer investigation times.

Implement a process to identify teleworkers most at risk of receiving incorrect locality payments, verify that their official duty stations are correct and they are reporting to their official duty stations as required, and if necessary, correct their locality payments.

HUD OCIO should a) resolve the conflicts between its Inventory of Automated Systems (IAS) policy and web applications policy to clarify if web applications will be inventories in IAS, the web application Sharepoint site, or both; and b) implement the chosen resolution to this conflict to develop a consistent inventory of web applications (IG FISMA metric 1).

HUD OCIO should implement an automated governance, risk, and compliance tool to manage risk from all sources across the three tiers of the organization in a timely manner. This recommendation updates FY 2021 FISMA recommendation number 5 (IG FISMA metrics 5, 9, and 10).

HUD OCIO should employ automation to maintain a timely and accurate view of security configuration information for all systems connected to its network (IG FISMA metric 20).

HUD OCIO should demonstrate that it can implement its defined security responses if a baseline configuration is changed without authorization. This can be shown by either a response to a real incident if one happens or through a testing exercise if there are no applicable incidents (IG FISMA metric 23).

HUD OCIO should review its security training program and determine whether it should provide general cybersecurity awareness training to external users of its systems and data (IG FISMA metric 44).

Housing should include zero trust requirements as part of the Housing Strategic Roadmap for Housing Modernization.

Housing should refine access controls within the FHA Catalyst modules that are dynamic, are tailored to user actions, and require continuous reauthentication to ensure that users have access only to information needed.

Housing should coordinate with HUD’s SOC to a. Ensure that FHA Catalyst user behavior monitoring logs are regularly captured and adequately reviewed for discrepancies in user activities. b. Establish program office responsibility for the log review process.  

We recommend that the Director, Office of Disaster Recovery, perform monitoring of or otherwise review grantees’ detailed procedures for preventing duplication of benefits for each grant activity within the first year after HUD signs the grant agreement or before grantees process applications for assistance, whichever occurs first.

We recommend that the Director, Office of Disaster Recovery, develop and implement a process to review grantees’ detailed procedures for preventing duplication of benefits and require grantees to correct any deficiencies identified in the review before grantees process applications for assistance.

We recommend that the Director, Office of Disaster Recovery, for future grants, develop and implement procedures to ensure that all applicable requirements for preventing any duplication of benefits are included in the adequacy criteria, grantee certifications, and HUD review checklists supporting the certification.

We recommend that the Deputy Assistant Secretary instruct PRDOH to implement a process to regularly conduct fraud risk assessments and determine a fraud risk profile. The fraud risk profile should include key findings and conclusions from the risk assessment, including the analysis of the types of fraud risks, their perceived likelihood and impact, risk tolerance, and the prioritization of risks.

We recommend that the Deputy Assistant Secretary instruct PRDOH to improve fraud awareness initiatives, such as participating in organized antifraud conferences, reviewing the OIG’s Special Fraud Alerts, Bulletins, and Other Guidance, and attending fraud risk training tailored to the program’s fraud risk profile (including subrecipients).

We recommend that the Deputy Assistant Secretary for Grant Programs evaluate PRDOH’s risk exposure and tolerance as part of HUD’s program-specific fraud risk assessment for disaster grant programs.

We recommend that the Deputy Assistant Secretary for Grant Programs coordinate with HUD’s Chief Risk Officer to (1) provide training and technical assistance to PRDOH with a focus on the design, implementation, and performance of fraud risk assessments, and (2) establish a fraud risk management framework for the organization.