Date Issued:
Submitting OIG: Federal Housing Finance Agency OIG
Agencies Reviewed/Investigated: Federal Housing Finance Agency
Report Number: AUD-2025-007
Report Type: Audit
Agency Wide: Yes
Number of Recommendations: 19
Questioned Costs: $0
Funds for Better Use: $0
Report updated under NDAA 5274: No

Open Recommendations

This report has 19 open recommendations.
Each recommendation below is listed as: Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use, followed by its additional details.

AUD-2025-007-1 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should develop and implement a plan for strong user authentication controls for all external access to the CSP website in coordination with the new owner of the CSP website, the Office of Affordable Housing and Community Investment.

AUD-2025-007-2 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should restrict access to member bank submission forms and associated documents to only authenticated and authorized users.

AUD-2025-007-3 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should prevent unauthorized access to internal, CUI, and non-public files through parameter modification in the URL.

AUD-2025-007-4 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should remove technical and system-level information from public-facing code and pages, including references to internal applications, backend functions, and programming details.

AUD-2025-007-5 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should configure all error messages to suppress internal application details and display only user-appropriate messages.

AUD-2025-007-6 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should immediately remove all publicly accessible documents containing CUI and review published content for compliance with FHFA's CUI policy.

AUD-2025-007-7 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should establish a formal content review and approval process for all documents and content posted to public-facing websites, including checks for CUI data.

AUD-2025-007-8 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should deploy monitoring and alerting tools to detect unauthorized logins, document access attempts, or suspicious activity on the CSP website.

AUD-2025-007-9 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should segregate public-facing applications from internal networks by re-architecting the CSP website to isolate external access from internal file storage, databases, and infrastructure.

AUD-2025-007-10 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should ensure that the security control assessor conducts a comprehensive control assessment that evaluates all components, including the CSP website.

AUD-2025-007-11 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should reassess the current ATO for the CSP system based on an updated and accurate authorization package and document the resulting authorization decision.

AUD-2025-007-12 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should update and approve the SSPP to accurately reflect the system's identification and authentication methods for each user type, describe how the system collects PII, and document that a PIA was completed.

AUD-2025-007-13 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should update the PIA to describe how external users access the system, including the security and privacy controls for securing non-public information, in coordination with the Senior Agency Official for Privacy.

AUD-2025-007-14 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should designate a responsible system owner for the CCTV website to ensure it is actively maintained, in coordination with the appropriate FHFA office.

AUD-2025-007-15 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should immediately remove public internet access to the CCTV website or restrict access through network-based controls such as virtual private network or internet protocol allow listing, ensuring it is only accessible by authorized internal users.

AUD-2025-007-16 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should update FHFA's public-facing system inventory to include all externally accessible websites and services and establish procedures to validate inventory accuracy on a recurring basis.

AUD-2025-007-17 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should apply system hardening measures to the CCTV website by (a) disabling or restricting non-essential ports and services, (b) limiting access to only necessary functionalities, and (c) removing or protecting exposed APIs from unauthorized use.

AUD-2025-007-18 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should enforce authentication and access control by (a) implementing account lockout after a defined number of failed login attempts, (b) enabling logging and alerting for authentication events, and (c) requiring multifactor authentication for administrative or remote access, if supported.

AUD-2025-007-19 | Significant: No | Questioned Costs: $0 | Funds for Better Use: $0
FHFA's Chief Information Officer should remediate vulnerabilities by (a) applying all available software and firmware updates to the CCTV platform, (b) replacing or renewing expired website security certificates, and (c) conducting a secure code review to identify and remove hardcoded credentials or insecure configurations.
