Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
AUD-2024-007-1 | No | $0 | $0 | FHFA’s Chief Information Officer should restrict user access to the folders and files on FHFA’s network in accordance with the least privilege principle.
AUD-2024-007-6 | No | $0 | $0 | FHFA’s Chief Information Officer should ensure that personnel are trained on standard and privileged user FHFA authentication and identification policies.
AUD-2024-007-7 | No | $0 | $0 | FHFA’s Chief Information Officer should identify and implement a solution, in coordination with vendors, to ensure that multifactor authentication is required to access FHFA’s network. If there are no viable solutions, document any risk-based decisions, including compensating controls.
AUD-2024-007-9 | No | $0 | $0 | FHFA’s Chief Information Officer should use the secure access method recommended by FHFA’s cloud service provider to access the FHFA cloud environment.
AUD-2024-007-10 | No | $0 | $0 | FHFA’s Chief Information Officer should identify and implement a solution, in coordination with vendors, to ensure multifactor authentication is required for privileged users to access FHFA’s cloud environment. If there are no viable solutions, document any risk-based decisions, including compensating controls.
AUD-2024-007-11 | No | $0 | $0 | FHFA’s Chief Information Officer should identify and implement a solution to detect and monitor the transfer of large amounts of data moving across FHFA’s network.
AUD-2024-007-12 | No | $0 | $0 | FHFA’s Chief Information Officer should identify and implement a solution to detect and prevent controlled unclassified information or personally identifiable information from being transferred outside of FHFA’s network to personal accounts on email and cloud-based storage services.
AUD-2024-007-13 | No | $0 | $0 | FHFA’s Chief Information Officer should determine whether resources can be made available to implement a data loss prevention system to prevent the exfiltration of controlled unclassified information.
AUD-2024-007-14 | No | $0 | $0 | FHFA’s Chief Information Officer should reevaluate the former Acting Chief Information Officer’s risk acceptance related to portable software programs, and implement security controls to detect and prevent users from downloading and running unapproved software on FHFA’s system in accordance with National Institute of Standards and Technology guidance and FHFA’s Rules of Behavior.
AUD-2024-007-15 | No | $0 | $0 | FHFA’s Chief Information Officer should monitor and respond to unauthorized software downloads in accordance with FHFA’s Common Control Plan.
AUD-2024-007-16 | No | $0 | $0 | FHFA’s Chief Information Officer should identify and secure the resources necessary to remediate identified internal critical, high, and medium exploitable vulnerabilities on the FHFA servers, workstations, and other devices in compliance with Cybersecurity and Infrastructure Security Agency Binding Operational Directive 22-01 and FHFA’s Office of Technology and Information Management Vulnerability Management Process, Revision 2.7 (September 7, 2022).
AUD-2024-007-17 | No | $0 | $0 | FHFA’s Chief Information Officer should develop a Plan of Action and Milestones to track the remediation of past due Cybersecurity and Infrastructure Security Agency Known Exploitable Vulnerabilities in accordance with Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 and FHFA’s Office of Technology and Information Management Vulnerability Management Process, Revision 2.7 (September 7, 2022). FHFA’s Office of Technology and Information Management should implement compensating controls (i.e., isolating systems with un-remediated vulnerabilities) to mitigate the risk of the vulnerabilities.
AUD-2024-007-18 | No | $0 | $0 | FHFA’s Chief Information Officer should prioritize existing Office of Technology and Information Management resources based on the Plan of Action and Milestones to ensure that Cybersecurity and Infrastructure Security Agency Known Exploitable Vulnerabilities are remediated in accordance with Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01 and FHFA’s Office of Technology and Information Management Vulnerability Management Process, Revision 2.7 (September 7, 2022).
AUD-2024-007-21 | No | $0 | $0 | FHFA’s Chief Information Officer should implement security controls to lock down USB ports so that only authorized USB devices are allowed.