The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

HUD OCIO should identify needs to address Federal requirements by performing a gap analysis on its zero trust architecture strategic plan.

HUD OCIO should establish a zero trust architecture implementation plan that includes milestones and resources to address all zero trust pillars.

HUD OCIO should develop system policies and procedures for dynamic access controls that include just-in-time and just-enough access tailored to individual actions and individual resource needs.

HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).

HUD OCIO should capture risks that are associated with zero trust architecture implementation and document these risks in its risk register.

Revise HUD’s Controlled Unclassified Information Policy to include the anti-gag provision.

Revise HUD’s Controlled Unclassified Information Policy to state that (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.

Review whether potential violations of the Antideficiency Act took place because of implementing or enforcing any nondisclosure policies, forms, or agreements that do not include the anti-gag provision as required by law. If it is determined that a violation occurred, the Chief Financial Officer should take disciplinary actions as appropriate and report the identified violations to the oversight authorities, including the HUD Secretary, the…

Implement a plan to annually survey all HUD program offices to identify nondisclosure policies, forms, and agreements issued and to determine whether they include the anti-gag provision as required by WPEA and, as necessary, to take corrective action to ensure that they include the anti-gag provision.

Communicate across HUD that (a) HUD employees are required to include the anti-gag provision in nondisclosure policies, forms, and agreements applicable to HUD employees and (b) program offices should consider requiring their employees to request OGC assistance when implementing and enforcing nondisclosure policies, forms, and agreements applicable to HUD employees.

Revise the Ginnie Mae Confidential Information Policy to state that in the future, (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.

Review the non-life-threatening health and safety and other deficiencies observed by the audit team and ensure that property owners and agents make the necessary corrections to the deficiencies as appropriate.

Provide training to field staff members to ensure that they have the skills necessary to complete MORs of converted properties.

Review the reserve for replacement account balances for the 13 properties (11 underfunded and 2 overfunded) to determine whether the balances are maintained in accordance with the applicable HUD requirements and executed HUD business documents and require owners to fully fund any underfunded reserves and determine whether any overfunded accounts should have the deposits suspended for a specified period.

Review the HUD business documents, such as the RAD conversion commitment, HAP contract, and regulatory agreement, for the four properties that did not contain consistent reserve for replacement information and update the documents to be consistent as appropriate.

Issue guidance to RAD property owners clarifying that the owner is responsible to follow both the HUD business documents and the property’s business documents and that the most restrictive document indicates the amount and timing of the annual deposits into the reserve for replacement account.

Develop and implement a process to ensure that the reserve for replacement requirements in HUD’s business documents are consistent for all converted properties.

Develop and implement a plan to review the reserve for replacement accounts for all converted properties from the date on which the account was established to the date of the review. Based on the reviews completed, HUD should take appropriate actions to ensure that reserve for replacement accounts are appropriately funded or determine whether overfunded accounts should have the deposits suspended for a specified period.

Implement adequate procedures and controls to ensure that servicing lenders comply with HUD time requirements in scheduling initial inspections of FHA-insured RAD PBV properties.