Revise HUD’s Controlled Unclassified Information Policy to include the anti-gag provision.

Revise HUD’s Controlled Unclassified Information Policy to state that (a) nondisclosure forms and agreements must include the anti-gag provision as required by law and (b) confidentiality clauses in personnel settlement agreements must include the anti-gag provision if the clause restricts disclosure of any other information beyond the terms and conditions of the agreement itself.

HUD’s Privacy Office should require program offices to periodically review systems in all environments (testing, development, production) for unnecessary disclosure of personally identifiable information (PII).

The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

Status

HUD is working on a plan to address the recommendation. HUD OIG anticipates receiving a corrective action plan no later than April 11, 2025, with a plan for resolving this recommendation.

Analysis

By addressing the recommendation, HUD will be positioned better to protect and prioritize protection for data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-003 to be addressed by HUD.

HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential in the ability to protect and recover from attempted exfiltration attempts.

HUD’s Office of Administration, in coordination with OCIO, should update and communicate its PII minimization plan. The plan should include detailed procedures to regularly review and remove unnecessary PII collections in accordance with OMB Circular A-130 (IG FISMA metric 35).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

We recommend that the General Deputy Assistant Secretary, Office of Policy Development and Research, and the Deputy Chief Information Officer, Office of the Chief Information Officer develop the project management documents, as required by HUD’s Project Planning and Management Life Cycle V2.0 policy, including obtaining required approvals and ensuring that an adequate project risk management process is established for identifying, analyzing, and responding to project risks.

We recommend that the General Deputy Assistant Secretary, Office of Policy Development and Research; the Deputy Chief Information Officer; and the Director, Office of Disaster Recovery, identify and incorporate at least one additional data source into the Disaster Recovery Data Portal to further assist grantees with duplication of benefits assessments.

We recommend that the Chief Procurement Officer update HUD’s field service manager contract monitoring plan and FSM qualitative monitoring databases used to monitor contractor performance to align with the QASP and contractual requirements as noted in recommendation 1G below.

Ensure there are resources available for further development of geocoding services that fulfill HUD’s responsibilities stated in 43 U.S.C. § 2808(a)(5) and 43 U.S.C. § 2808(a)(12) through the reactivation of the lapsed Geocode Service Center contract.

Ensure that future policies and guidance developed to return HUD’s offices to normal operations include the specific criteria, metrics, and defined geographic area to be used by all offices as applicable.

Develop and implement sufficient policies and controls to ensure that (1) applicable criteria in any future guidance are met and all safety measures are sufficiently completed before returning HUD’s offices to normal operations and (2) sufficient documentation is maintained to support that the applicable criteria were met.

We recommend that HUD’s Chief Administrative Officer implement the corrective actions and internal process improvements in internal control developed as a result of the Chief Financial Officer’s investigation addressed in recommendation 1A.

We recommend that HUD’s Chief Administrative Officer provide training to responsible staff and officials to ensure that those that may be involved with negotiating any GSA rent credits, like the credits addressed in this report, identify such potential rent credit transactions and follow the corrective actions and process improvements implemented to resolve recommendation 1B.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Take appropriate actions to prioritize the need for resources necessary to ensure that HUD fully implements the remaining four responsibilities as required by sections 759(a)(1), 759(a)(2), 759(a)(4), and 759(a)(5) of the Geospatial Data Act of 2018.

Designate a Senior Agency Official for Records Management at the Assistant Secretary level or its equivalent.

Update and issue agency formal records policy, including detailed procedures and requirements for completing and maintaining program office and agencywide inventories of systems, records, and PII.

Update and obtain final NARA approval of all HUD records retention schedules, including the Capstone email schedule, to comply with Federal requirements, including OMB M-19-21.

Develop and approve an enterprise strategy to meet all M-19-21 electronic transition requirements.