Audit of the Federal Housing Finance Agency’s Information Security Programs and Practices Fiscal Year 2025

View Report

Date Issued

Wednesday, July 30, 2025

Submitting OIG

Federal Housing Finance Agency OIG

Agencies Reviewed/Investigated

Federal Housing Finance Agency

Report Number

AUD-2025-004

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 6 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
AUD-2025-004-1	No	$0	$0
FHFA’s Chief Information Officer should establish and implement guidance for performing National Institute of Standards and Technology Cybersecurity Framework 2.0 activities through policies and procedures.
AUD-2025-004-2	No	$0	$0
FHFA’s Chief Information Officer should ensure that Privileged Account Request eWorkflows are fully completed and approved for all privileged FHFA General Support System user accounts prior to granting access.
AUD-2025-004-3	No	$0	$0
FHFA’s Chief Information Officer should ensure all applicable Organizational Units are included in the automated process that disables inactive accounts after 35 days.
AUD-2025-004-4	No	$0	$0
FHFA’s Chief Information Officer should disable inactive Active Directory accounts after a period of 35 days of inactivity.
AUD-2025-004-5	No	$0	$0
FHFA’s Chief Information Officer should create a Plan of Action and Milestones to establish when the annual Disaster Recovery Procedures for FHFA Production Systems exercise will be conducted and when the new system owners will be assigned and trained on their roles and responsibilities related to FHFA General Support System, Office of General Counsel Matter Management Tracking System, and the FHFA Status Tracking and Reporting system.
AUD-2025-004-6	No	$0	$0
FHFA’s Chief Information Officer should schedule and conduct an annual Disaster Recovery Procedures for FHFA Production Systems exercise for the FHFA General Support System, Office of General Counsel Matter Management Tracking System, and the FHFA Status Tracking and Reporting system, and ensure new system owners are trained to execute them.