TRACS Rules of Behavior, the Cyber Awareness Challenge & EIV Rules of Behavior, What Generates a MOR Finding

In December of 2020, HUD published new guidance for security training entitled “TRACS External Users Access and Security Training Requirements.”

Of note, HUD clarifies that TRACS coordinators and users who have not already completed the Cyber Awareness Challenge within the last year must complete the Cyber Awareness Challenge within 30 days of signing the TRACS ROB. 

See Page 3. “Current user(s) or coordinator(s) must complete Security Awareness Training annually. If the Cyber Awareness Challenge has not been completed within the last 12 months, it must be completed within 30 days of accepting the TRACS ROB.” 

We have heard from many owner/agents that MOR Reviewers have been issuing MOR findings when the Cyber Awareness Challenge was completed more than 30 days from the date the TRACS ROB was generated and signed, even if the Cyber Awareness Challenge was completed within the last year.

HUD's guidance makes it clear that the requirement is to complete the required Security Training either 1) within 12 months before accepting the TRACS ROB or, if the Security Training was not completed in the twelve months before accepting the TRACS ROB, then 2) within 30 days of accepting the TRACS ROB. 

The rules for the EIV Rules of Behavior (ROB) are not the same as the rules for the TRACS Rules of Behavior. For EIV, there are three ways to complete the EIV Rules of Behavior.

  1. For anyone who is an EIV Coordinator, that person must complete the EIV Coordinator Access Authorization Form (CAAF) and must retain a copy (paper or electronic) executed by the Coordinator and by HUD. A copy must be maintained and made available upon request by HUD or Contract Administrators. The EIV Rules of Behavior (ROB) language is included as part of the CAAF. After the initial CAAF has been completed, the Coordinator requests CAAF recertification annually using the “Coordinator Certification Report” option in EIV. 
  2. For anyone who is an EIV User, that person must complete the EIV User Access Authorization Form (UAAF) and must retain a copy (paper or electronic) executed by the User. A copy must be maintained and made available upon request by HUD or Contract Administrators. The EIV Rules of Behavior (ROB) language is included as part of the CAAF. After the initial UAAF has been completed, the User requests recertification every six months using the “Authorization Form” option in EIV.  
  3. CPAs conducting the HUD financial audit and staff who have access to EIV Reports (tenant files) but do not have access to EIV must complete the EIV Rules of Behavior and must comply with the guidance included on the Rules of Behavior. A copy (paper or electronic) must be maintained and made available upon request by HUD or Contract Administrators.

EIV Coordinators, EIV Users and people with access to tenant files that contain EIV reports must complete the required Security Training (Cyber Awareness Challenge) annually.