Federal Reports

This report summarizes the results of our fiscal year (FY 2022) Federal Information Security Modernization Act (FISMA) evaluation and assesses the maturity of controls used to address risks in each of the nine information security areas, called domains. We assessed the effectiveness of information security programs on the required maturity model spectrum, which is a rating scale for information security. We rated the Denali Commission’s overall program of information security as “effective.” A majority of the FY 2022 FISMA metrics were rated Defined (Level 2). Three of four recommendations for corrective action from the FY 2021 evaluation have been implemented.

We performed a corrective action verification review of the actions taken by the Government National Mortgage Association (Ginnie Mae) to implement the recommendations cited in Audit Report 2016-KC-0002, issued September 21, 2016. The HUD Handbook places the responsibility on HUD’s Office of Inspector General to perform selected corrective action verifications of significant audit recommendations when final actions have been completed. Our audit objectives were to verify that Ginnie Mae had implemented the corrective actions from the report that (1) established a maximum time during which single-family loans could remain pooled without insurance and (2) established a process for requiring removal of pooled loans that remained uninsured after that time. We found Ginnie Mae established a maximum time during which single-family loans could remain pooled without insurance and established a process for requiring removal of pooled loans that remained uninsured after that time. However, the loan-matching process used by Ginnie Mae did not ensure that pooled loans would be insured by an agency of the Federal Government as required by the Mortgage-Backed Securities (MBS) Guide. The process matched pooled loans to agency insurance files but was not adequately designed to cure unmatched loans within the timeframes established in the MBS Guide. As a result, at least 3,206 pooled loans with a principal balance of at least $903 million were not matched to agency insurance data files before the certification date. We recommend that Ginnie Mae update and synchronize its procedures. The updates should include notifications that provide issuers with unmatched loans adequate time to take corrective action to comply with the requirements of the MBS Guide.

Using a risk-based, tiered approach in developing this work plan to best focus our limited resources, AIE will initiate work in nine focus areas in 2023-2024, including oversight of IIJA, IRA and other supplemental funding provided to the DOI.