FHFA’s Chief Information Officer should identify and implement a solution, in coordination with vendors, to ensure multifactor authentication is required for privileged users to access FHFA’s cloud environment. If there are no viable solutions, document any risk-based decisions, including compensating controls.