FHFA’s Chief Information Officer should develop a Plan of Action and Milestones to track the remediation of past due Cybersecurity and Infrastructure Security Agency Known Exploitable Vulnerabilities in accordance with Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 and FHFA’s Office of Technology and Information Management Vulnerability Management Process, Revision 2.7 (September 7, 2022). FHFA’s Office of Technology and Information Management should implement compensating controls (i.e., isolating systems with un-remediated vulnerabilities) to mitigate the risk of the vulnerabilities.