Date Issued
Submitting OIG
Federal Housing Finance Agency OIG
Other Participating OIGs
Federal Housing Finance Agency OIG
Agencies Reviewed/Investigated
Federal Housing Finance Agency
Report Number
AUD-2023-004
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
10
Questioned Costs
$0
Funds for Better Use
$0

Open Recommendations

This report has 7 open recommendations.
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
AUD-2023-004-1 | No | $0 | $0

FHFA should update FHFA’s Supply Chain Risk Management Strategy to include the past due OMB M-22-18 requirements, including:
i. Obtaining a self-attestation from the software producer before using the software;
ii. Obtaining from software producers artifacts that demonstrate conformance to secure software development practices, as needed;
iii. Establishing a system to store, in a central location, self-attestation letters from the software producer that are not publicly available; and
iv. Assessing and developing training for reviewing and validating self-attestation letters.

AUD-2023-004-2 | No | $0 | $0

FHFA should consider requesting an extension or waiver in accordance with OMB M-22-18 and/or OMB M-23-16 if FHFA is unable to meet the requirements in OMB M-22-18 and/or OMB M-23-16 in a timely manner. If FHFA requests a waiver, FHFA should consider documenting a risk-based decision, and document any compensating controls.

AUD-2023-004-3 | No | $0 | $0

FHFA should remediate past due exploitable vulnerabilities in accordance with CISA’s BOD 22-01 and the OTIM Vulnerability Management Process.

AUD-2023-004-4 | No | $0 | $0

FHFA should develop POA&Ms to track the remediation of past due CISA known exploitable vulnerabilities that cannot be remediated in a timely manner (within 14 days) in accordance with CISA’s BOD 22-01 and OTIM Vulnerability Management Process. Consider implementing compensating controls (i.e., isolating systems with un-remediated vulnerabilities) to mitigate the risk of the vulnerabilities.

AUD-2023-004-5 | No | $0 | $0

FHFA should implement requirements across all event logging (EL) maturity tiers to ensure events are logged and tracked in accordance with OMB M-21-31.

AUD-2023-004-6 | No | $0 | $0

FHFA should identify and implement solutions, in coordination with vendors, where a solution does not exist for systems to natively forward event logs to the SIEM tool. If there are no viable solutions, perform a risk assessment and cost benefit analysis. Based on the risk assessment, document any risk-based decisions, including compensating controls, for systems not in compliance with OMB M-21-31.

AUD-2023-004-10 | No | $0 | $0

FHFA should update the Disaster Recovery Procedures for FHFA Production Systems to include JPP and its servers, and ensure they are included in the annual contingency testing.
