FHFA’s Chief Information Officer should reevaluate the former Acting Chief Information Officer’s risk acceptance related to portable software programs, and implement security controls to detect and prevent users from downloading and running unapproved software on FHFA’s system in accordance with National Institute of Standards and Technology and FHFA’s Rules of Behavior.