Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| AUD-2025-007-1 | No | $0 | $0 | FHFA's Chief Information Officer should develop and implement a plan for strong user authentication controls for all external access to the CSP website in coordination with the new owner of the CSP website, the Office of Affordable Housing and Community Investment. |
| AUD-2025-007-2 | No | $0 | $0 | FHFA's Chief Information Officer should restrict access to member bank submission forms and associated documents to only authenticated and authorized users. |
| AUD-2025-007-7 | No | $0 | $0 | FHFA's Chief Information Officer should establish a formal content review and approval process for all documents and content posted to public-facing websites, including checks for CUI data. |
| AUD-2025-007-10 | No | $0 | $0 | FHFA's Chief Information Officer should ensure that the security control assessor conducts a comprehensive control assessment that evaluates all components, including the CSP website. |
| AUD-2025-007-11 | No | $0 | $0 | FHFA's Chief Information Officer should reassess the current ATO for the CSP system based on an updated and accurate authorization package and document the resulting authorization decision. |
| AUD-2025-007-12 | No | $0 | $0 | FHFA's Chief Information Officer should update and approve the SSPP to accurately reflect the system's identification and authentication methods for each user type, describe how the system collects PII, and document that a PIA was completed. |
| AUD-2025-007-13 | No | $0 | $0 | FHFA's Chief Information Officer should update the PIA to describe how external users access the system, including the security and privacy controls for securing non-public information, in coordination with the Senior Agency Official for Privacy. |
| AUD-2025-007-18 | No | $0 | $0 | FHFA's Chief Information Officer should enforce authentication and access control by (a) implementing account lockout after a defined number of failed login attempts, (b) enabling logging and alerting for authentication events, and (c) requiring multifactor authentication for administrative or remote access, if supported. |
| AUD-2025-007-19 | No | $0 | $0 | FHFA's Chief Information Officer should remediate vulnerabilities by (a) applying all available software and firmware updates to the CCTV platform, (b) replacing or renewing expired website security certificates, and (c) conducting a secure code review to identify and remove hardcoded credentials or unsecure configurations. |