For the MF-RAP, PIH-TRA, and CPD-HIM programs, ensure that the program's improper payments rate estimates adequately test for and include improper payments of Federal funding that are made by State, local, and other organizations administering these programs and adequately disclose any limitations imposed or encountered when reporting on improper payments, to a degree that fairly informs users of the respective reported information.

Provide documentation to support that program activities within NHSLA’s interfund were for eligible NSP2 activities or repay the program $3,425,679 from non-Federal funds.

Return the outstanding balance of $529,745 owed to NSP2. In addition, cease the practice of depositing NSP2 funds in non-NSP2 accounts and making them available to be used or borrowed for non-NSP2 activities.

Provide documentation to support that $658,261 in loan proceeds was used for an eligible NSP2 activity or property or repay the program from non-Federal funds.

Provide documentation to support that $500,000 in NSP funds transferred to the revolving loan fund was used for an eligible NSP2 activity or property or repay the program from non-Federal funds.

Amend the NSP2 action plan to include its revolving loan fund.

Adjust program income calculation methodology to ensure it is in accordance with HUD requirements.

Submit overdue NSP2 quarterly reports to DRGR and update prior reports that did not accurately report program income activity.

Provide adequate documentation to support its administrative and project delivery cost expenditures or repay the program $1,388,545 from non-Federal funds.

Provide supporting documentation to show whether the outstanding liability of $324,478 is correctly classified as an NSP2 liability. If not, HUD should ensure that NHSLA corrects its NSP2 cost reimbursement summary for the 12 months ending June 30, 2018, to reclassify the expenses to a non-NSP2 program. Such funds would be considered funds to be put to better use.

Obtain training to ensure that it understands NSP2 regulations and requirements related to payroll allocation for its administrative and project delivery costs and program income calculation methodology to ensure it properly computes the amount it is allowed to charge for administrative costs.

Support the reasonableness of the South Gate contract or repay NSP2 $856,692 from non-Federal funds.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to creating rules for allowing only authorized software to be used through HUD's endpoint security software. The final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and it is implemented as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk-Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprisewide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.