Open Recommendations

(U) Rec. A.3.a: The DoD OIG recommended that the Under Secretary of Defense for Policy issue policy for the assessment, monitoring, and evaluation of global health engagement activities that includes the recommendations from the Deputy Assistant Secretary of Defense (Global Partnerships) proposed in response to Recommendation A.2. The policy should establish criteria to determine which global health engagement activities require assessment, monitoring, and evaluation, and identify the DoD entities, roles, and responsibilities for the required Assessment, Monitoring, and Evaluation of Global Health Engagement activities.

(U) Rec. A.3.b: The DoD OIG recommended that the Under Secretary of Defense for Policy issue policy for the assessment, monitoring, and evaluation of global health engagement activities that includes the recommendations from the Deputy Assistant Secretary of Defense (Global Partnerships) proposed in response to Recommendation A.2. The policy should define which global health engagement activities are security cooperation activities and subject to the requirements in DoD Directive 5132.03, "DoD Policy and Responsibilities Relating to Security Cooperation."

(U) Rec. A.3.c: The DoD OIG recommended that the Under Secretary of Defense for Policy issue policy for the assessment, monitoring, and evaluation of global health engagement activities that includes the recommendations from the Deputy Assistant Secretary of Defense (Global Partnerships) proposed in response to Recommendation A.2. The policy should identify the sources of funding available for the required Assessment, Monitoring, and Evaluation of Global Health Engagement activities.

(U) Rec. A.3.d: The DoD OIG recommended that the Under Secretary of Defense for Policy issue policy for the assessment, monitoring, and evaluation of global health engagement activities that includes the recommendations from the Deputy Assistant Secretary of Defense (Global Partnerships) proposed in response to Recommendation A.2. The policy should identify the component(s) responsible for ensuring the global health engagement workforce is appropriately sized and has the required skills, training, and competencies to plan, conduct, assess, monitor, and evaluate global health engagement activities.

(U) Rec. B.2: The DoD OIG recommended that the Director of the Defense Security Cooperation Agency, informed by the written proposal from the Deputy Assistant Secretary of Defense for Global Partnerships developed in the response to Recommendation B.1, develop and implement the following four functions for global health engagement .activities into Socium: * Alignment of global health engagement activities to campaign objectives; * A common operational picture that includes global health engagement activities; * Interfacing with the Concept and Funding Request system and the Overseas Humanitarian Assistance Shared Information System; and * Functions that enable assessment, monitoring, and evaluation of…

HUD OCIO should implement a process to consistently update and maintain its inventory of hardware assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized hardware assets from the HUD network (IG FISMA metrics 2, 20, and 21).

HUD OCIO should implement a process to consistently update and maintain its inventory of software assets and ensure that the inventory is consistent with the automated discovery scans used to perform vulnerability, configurations, and continuous diagnostics and mitigation scans and use this inventory to consistently remove unauthorized software assets from the HUD network (IG FISMA metrics 2, 20, and 21).

HUD OCIO should update its software inventory policies and procedures to account for critical software as defined by EO 14028 (IG FISMA metrics 3 and 21).

HUD OCIO should implement policies and procedures to maintain inventories of critical software and software licenses, critical software platforms, and all software installed on critical software platforms (both critical software and noncritical software) and use the inventory of critical software platforms and all software installed on them to ensure that only supported versions of software are used on those critical software platforms (IG FISMA metrics 3 and 21).

HUD OCIO should in coordination with the Chief Risk Officer (CRO), document cybersecurity risk management roles and responsibilities in a consolidated list and; define procedures to hold personnel accountable to their assigned roles in the consolidated list (IG FISMA metric 7)

HUD OCIO should consistently implement personnel accountability procedures to ensure that assigned cybersecurity risk management roles are being performed in an effective manner (IG FISMA metric 7).

HUD's Office of the Chief Financial Officer (OCFO), in coordination with other appropriate program offices, should define and implement a risk-based process to assess and document IT risk management personnel resourcing needs and that those personnel are allocated effectively to support HUD's risk management program (IG FISMA metric 7).

HUD OCFO, in coordination with other appropriate program offices, should define and implement a process to document and allocate non-personnel risk management resources in a risk-based manner, to include but not limited to funding, processes, and technology (IG FISMA metric 7).

HUD OCIO should ensure that external systems, such as cloud systems and cloud service providers, have and maintain configuration management plans that are consistent with HUD's defined configuration management requirements (IG FISMA metric 19).

HUD OCIO should define and implement metrics to monitor the effectiveness of ICAM program activities and assist in identifying areas for improvement (IG FISMA metric 26).

HUD OCIO should develop a comprehensive ICAM policy, strategy, process, and technology solution roadmap, including milestones, budget estimates, and appropriate technology solution details (IG FISMA metric 27). This recommendation replaces FY 2020 FISMA recommendation 11.

HUD OCIO should define policies and guidance for the use of system-specific access agreements (IG FISMA metric 29).

HUD OCIO should develop a plan that includes milestones and funding requirements for implementing phishing-resistant MFA for all users in alignment with Federal requirements (IG FISMA metrics 30 and 31).

HUD OCIO, in coordination with other appropriate HUD offices, should define and communicate policies and procedures for use of MFA at HUD facilities (IG FISMA metrics 30 and 31).

HUD OCIO should define a plan to meet the logging requirements at all event logging maturity levels (basic, intermediate, advanced) in accordance with OMB M-21-31. This plan should include logging sufficient to allow for reviewing privileged user activities (IG FISMA metrics 32 and 54).

HUD OCIO should develop and implement monitoring and enforcement procedures to ensure that non-GFE devices (for example, BYOD), such as those owned by contractors or HUD employees, are either: (a) prohibited from connecting to the HUD network; or (b) properly authorized and configured before connection to the HUD network (IG FISMA metrics 2, 21, and 33).

HUD OCIO should develop and implement procedures and contract terms to enforce forfeiture of non-GFE devices (for example, BYOD), to allow for analysis when security incidents occur (IG FISMA metrics 33 and 55).

HUD OCIO should define a process and assign responsibility to evaluate the effectiveness of its incident response technologies and adjust configurations and toolsets to improve the incident response program (IG FISMA metric 58).

HUD OCIO should update its enterprisewide business impact prioritization analysis procedures to include system dependencies and the characterization of system components (IG FISMA metric 61).

Update the EAC Procurement Handbook to reflect current requirements in the Federal Acquisition Regulation.

Complete contractor performance evaluations for all nonexpired internal contracts.

Record the required procurement information for all nonexpired internal contracts in the Federal Procurement Data System.

Implement a process to ensure timely and accurate reporting of contractual obligations to the Federal Procurement Data System.

Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.

Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.

Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.

Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.

Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the PuertoRico DOE to reallocate the $2.5 million in unallowable indirect costs charged to the Restart program grant.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to ensure that a purchasing officer assesses whether equipment purchases should be capitalized using the requirements established in 2 C.F.R. 200.1, the Department’s indirect costs agreements, and Regulation 11 “Basic Rules for the Control and Accounting of Fixed Assets,” (December 2005)

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to complete its process of identifying schools in need of technology equipment and redistribute the 215 technology equipment devices as appropriate

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to work with school staff and teachers to find the 21 technology equipment devices that are missing and follow the procedures in the Mobile Devices Management Guide to report the missing equipment to the police, if necessary.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to review and update written policies and procedures for the management of fixed assets and mobile equipment devices to ensure that educational regional offices and schools properly manage surplus technology equipment.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to perform a comprehensive physical inventory of technology equipment devices purchased with Restart program funds and ensure that the devices are being used, appropriate guidance as updated per Recommendation 2.3 is followed to manage any surplus and missing equipment, and the technology equipment inventory system and pertinent inventory records are updated accordingly.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to determine the total amount of payroll payments incorrectly made using Restart program funds and reallocate any unallowable amount to the Restart program grant.

We recommend that the Assistant Secretary for the Office of Elementary and Secondary Education require the Puerto Rico DOE to ensure that staff maintain and manage documents supporting activities funded with Federal education program grants so that records are readily available when needed.

OIG recommends that the Bureau of Overseas Buildings Operations, in coordination with the Bureau of Administration, develop, implement, and communicate a process to ensure that Project Directors for construction projects prepare independent government cost estimates that consider the impact that the modification will have on the overall schedule of the project to determine if extensions are justified. At a minimum, the process should include clarification of individual responsibilities and accountability.

OIG recommends that the Bureau of Overseas Buildings Operations (OBO) develop, implement, and communicate a process to ensure a separation of duties between OBO staff who receive the price proposal for a request for equitable adjustment related to a construction project and OBO staff who develop the independent government cost estimate for the construction project. At a minimum, the process should include clarification of individual responsibilities and accountability.

OIG recommends that the Bureau of Administration, in coordination with the Bureau of Overseas Buildings Operations, develop, implement, and communicate a process to ensure that Contracting Officers prepare prenegotiation objectives for modifications to construction projects of more than $25,000 and that Project Directors do not revise independent government cost estimates during or after negotiations in accordance with the Federal Acquisition Regulation and Department of State policy. At a minimum, the process should include guidance on documenting fair and reasonable pricing and any schedule extensions for the modification and a clarification of individual responsibilities and accountability.

OIG recommends that the Bureau of Administration, in coordination with the Bureau of Overseas Buildings Operations, develop, implement, and communicate a process to ensure that Project Directors for construction projects conduct and document price negotiations in accordance with the Federal Acquisition Regulation and Department of State policy. At a minimum, the process should include guidance on documenting fair and reasonable pricing and any schedule extensions for the modification and a clarification of individual responsibilities and accountability.

OIG recommends that the Bureau of Overseas Buildings Operations develop, implement, and communicate a process to ensure that Project Directors comply with the Construction Management Guides process for all reporting requirements, including daily logs. At a minimum, the process should include clarification of individual responsibilities and accountability.

OIG recommends that the Bureau of Overseas Buildings Operations develop, implement, and communicate a process to ensure that Project Directors comply with the Construction Management Guides requirement for developing and distributing a project procedures manual. At a minimum, the process should include clarification of individual responsibilities and accountability.

Develop and provide training to Executive and Corporate Managers on the change management process and in developing and employing change management strategies and plans.

We recommend the Acting Director of U.S. Immigration and Customs Enforcement’s Health Services Corps develop and implement a policy requiring Regional Clinical Directors and Clinical Directors to document their review and approval of major surgical procedures in IHSC’s electronic health records system to ensure medically necessary and appropriately documented medical care for detained non-citizens.

We recommend that the Deputy Secretary Develop and execute a detailed plan and timeline for both testing and reporting estimates of improper payments in the PIH-TBRA and PBRA programs in compliance with Federal law and OMB guidance.

Status