The CDO should coordinate with HUD’s Records Office, Privacy Office, and program offices to develop data policies and procedures for data inventory, categorization, and labeling in support of zero trust architecture.

Status

HUD is working on a plan to address the recommendation. HUD OIG anticipates receiving a corrective action plan no later than April 11, 2025, with a plan for resolving this recommendation.

Analysis

By addressing the recommendation, HUD will be positioned better to protect and prioritize protection for data in its IT systems. This will allow HUD to have a better understanding of the specifics of the most sensitive data as well as allow recommendation 2024-OE-0002a-003 to be addressed by HUD.

HUD maintains billions of records of PII and sensitive data within IT systems and the IT environment. Knowing more specifics about the data is essential in the ability to protect and recover from attempted exfiltration attempts.

PIH in coordination with other HUD offices as necessary, research and address potential causes of the variance in the number of EBLL cases among States on the EBLL tracker and identify solutions that are within HUD's control.

Status

As of November 13, 2024, the PIH Office of Field Operations (OFO) had completed its outreach data collection and identified 9 public housing authorities that had not completed the required EBLL reporting actions and that OFO informed the field office directors overseeing the appropriate PHAs that they had until November 6, 2024, to upload the proper information to the trackers. As of January 29, 2025, OFO field office directors and their staff were still updating and inputting EBLL cases and relevant documentation into the EBLL tracker due to delays in responses from PHAs. The estimated completion date is February 28, 2025.

Analysis

To fully address this recommendation, OFO must provide evidence that it coordinated with other HUD offices and identified the causes of the variances in the number of EBLL cases among states on the EBLL tracker. OFO must also demonstrate that it fully remedied the causes of the variances. Alternatively, OFO must provide an explanation sufficient to support a claim that it could not identify the causes of the variances or develop and implement solutions for problems it identified in its research.

Implementation of this recommendation will result in improved HUD data of EBLL cases of children living in public housing across the country. Accurate reporting of EBLL cases to HUD is essential so that HUD can ensure PHAs take effective environmental interventions that help prevent additional lead exposure.

Update HUD regulations, policies, and procedures following the regulatory process required by the amended Lead Safe Housing Rule, in consideration of CDC’s lowered BLRV of 3.5 ug/dL.

Status

On June 12, 2024, the Office of Lead Hazard Control and Healthy Homes informed HUD OIG that the draft Federal Register notice of its request for information from Lead Safe Housing Rule stakeholders and the general public on its proposal to adopt CDC's BLRV of 3.5 µg/dL as its EBLL under the rule has been circulated for OGC and preclearance review, which will be followed by Departmental clearance. OLHCHH plans on publishing the Federal Register notice by June 30, 2024, with a 60-day comment period. OLHCHH will provide the link and the link and the notice once it is published. OLHCHH will then review public comments in preparing to decide whether to change the rule's current level, and if so, to what level.

The Office of Lead Hazard Control and Healthy Homes estimated this will be completed by June 30, 2024.

Analysis

To fully address this recommendation, OLHCHH must provide evidence that it has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered BLRV of 3.5 ug/dL.

Alternatively, OLHCHH must establish that its research led it to determine that environmental interventions in cases of children with EBLLs between 3.5 and 4.9 µg/dL were ineffective in reducing the children’s blood lead levels and that lowering HUD’s EBLL regulation to 3.5 µg/dL is unnecessary.

Implementation of this recommendation will help ensure children living in public housing with EBLLs receive effective environmental interventions.

Define and communicate policies and procedures to ensure that its products, system components, systems, and services comply with its cybersecurity and SCRM requirements. This recommendation includes:

• Identification and prioritization of externally provided systems (new and legacy), components, and services.
• How HUD maintains awareness of its upstream suppliers.
• The integration of acquisition processes tools, and techniques to use the acquisition process to protect the supply chain.
• Contract tools or procurement methods to confirm that contractors are meeting their obligations (derived from OIG FISMA metric 14).

Status

On January 17, 2025, the Office of Lead Hazard Control and Healthy Homes (OLHCHH) informed HUD OIG that the Office of the Federal Register published a notice, Modifying HUD’s Elevated Blood Lead Level Threshold for Children Under Age 6 Who Are Living in Certain HUD-Assisted Target Housing Covered by the Lead Safe Housing Rule. The notice announced that HUD is lowering its EBLL threshold from 5 to 3.5 µg/dL for a child under the age of 6, consistent with the CDC’s current blood lead reference value of 3.5 µg/dL, effective January 17, 2025. Next, OLHCHH will assist the Office of Community Planning and Development, the Office of Multifamily Housing Programs, and the Office of Public and Indian Housing to draft, circulate, and publish EBLL notices. The estimated completion date is June 30, 2025.

Analysis

To fully address this recommendation, OLHCHH must provide evidence that it has updated its regulations, policies, and procedures so that they are consistent with CDC’s lowered blood lead reference value of 3.5 ug/dL.

Implementation of this recommendation will help ensure children living in public housing with elevated blood lead levels receive effective environmental interventions.

Evaluate IT acquisition process workflows and identify ways to simplify the processes, facilitate more effective stakeholder coordination across offices, and create efficiencies when possible.

Status

The Office of the Chief Procurement Officer (OCPO) had agreed to an estimated completion date of March 2024. In November 2024, OCPO submitted additional evidence for closure; however, the evidence did not identify how the revisions to the process will address efficiency issues. The OIG requested further information that identifies improvements in the IT acquisition process.

Analysis

To fully address this recommendation, HUD must provide evidence that it has published its standard operating procedures resulting from its evaluation of workflows and efforts to simplify processes and facilitate more effective coordination.

Implementation of this recommendation will result in defined IT acquisition process workflow procedures to increase efficiency and ensure coordination across program offices.

Create and implement a knowledge management strategy, such as developing standard operating procedures, reference sheets, and program office fact sheets.

Corrective Action Taken

OCHCO developed and implemented client profiles for each HUD program office to address knowledge loss and the need for offices to explain or reexplain their mission and functions. The profiles will serve as a central repository to learn about the various programs and missions of HUD and will allow OCHCO staff, other key HUD program office staff, and HUD’s service provider staff to view critical information for each HUD program office.

Develop an enterprise-wide IT modernization strategy that establishes a framework to align with the IT modernization roadmap.

Corrective Action Taken

In January, 2024, HUD provided an OCIO approved an IT Modernization strategy that established a framework that aligned with its IT modernization roadmap. The strategy addressed each of the recommendation components (a. roles and responsibilities, b. prioritization of modernization initiatives, c. coordination process between OCIO and program offices, d. phased approach, and e. how lessons learned will be captured.

Develop and issue a departmentwide policy that notes that radon is a radioactive substance and outlines HUD's requirements to test for and mitigate excessive radon levels in accordance with 24 CFR 50.3(i)(1) and 58.5(i)(2)(i).

Corrective Action Taken

None Given.

Implement a software asset management capability for software and operating systems to ensure that software executes only from the authorized software inventory and all unauthorized software is blocked from executing on HUD's network.

Status

In April 2024, the Office of the Chief Information Officer reported that it was in the process of implementing a software management tool that would allow it to control which software is authorized to access the network. This is the first step to creating rules for allowing only authorized software to be used through HUD's endpoint security software. The final implementation of this new tool is expected by Quarter 2 of FY 2025.

Analysis

To fully address this recommendation, HUD must provide evidence that it has an automated whitelist and it is implemented as per the NIST Special Publication 800-167 or accept the risk and document mitigating measures via a Risk-Based Decision memorandum.

Implementation of this recommendation will result in HUD having the capability to ensure only authorized software is used on HUD’s network based on its software asset listing.

Implement multifactor authentication mechanisms for all nonprivileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address the recommendation, HUD must implement multifactor authentication enterprisewide.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

Implement multifactor authentication mechanisms for all privileged users who access information systems that process, store, or transmit PII.

Status

The Office of the Chief Information Officer reported that it has implemented a new software security solution to implement multifactor authentication, starting with a pilot on 15 FHA systems. In October 2024, HUD received additional funds through the Technology Modernization Fund for this project enterprisewide.

Analysis

To fully address this recommendation, HUD must implement the eICAM plan it developed with the funding it received.

Implementation of this recommendation will result in an enterprise-wide identity and access management solution. Users will be required to use multifactor authentication methods to access HUD data, networks, and devices.

In April 2024, HUD OIG met with HUD OCIO to discuss progress and requirements for closure of this recommendation. In addition, OIG reviewed this recommendation as part of the annual FY 2024 FISMA evaluation in April 2024 and learned from HUD OCIO that that there would be a procedure update that would implement the ingestion and monitoring of all inbound and outbound traffic. The OIG requested to be provided with these procedures when finalized and evidence of implementation on May 1, 2024.

Corrective Action Taken

HUD OCIO updated its Cybersecurity Incident Response Plan and developed more detection and protection mechanisms to monitor network traffic in its IT environment. These mechanisms include anti-malware agents, data loss prevention, endpoint detection and response, firewalls, and intrusion detection and prevention systems. HUD’s SOC also developed standard operating procedures and playbooks for abnormal traffic alerts triggered by the above tools that are posted internally for SOC personnel to utilize. Addressing this recommendation resulted in improvement of HUD’s networking monitoring process by enhancing visibility into network traffic. It also increased HUD’s incident response program capabilities by ensuring that HUD has a plan to monitor traffic and better detect and respond to security incidents. As part of our regular Federal Information Security Act of 2014 (FISMA) assessments, HUD OIG will continue to assess HUD’s incident response effectiveness and threat detection to ensure HUD addresses new and evolving threats.

Enforce the requirement for all HUD web applications and services to be approved by the CIO and ensure OCIO reviews and approves all IT contracts and services agreements dealing with creation or support of web applications or services.

Corrective Action Taken

In January 2023, HUD's Office of the Chief Information Officer developed and released a Web Applications Directive to all HUD program offices. This directive described how web applications are defined, approved, inventoried, and maintained, including processes for tracking, and monitoring such applications.