Audit unveils critical security vulnerabilities at FHFA

Report reveals multiple shortcomings

A recent audit by the Federal Housing Finance Agency’s (FHFA) Office of Inspector General (OIG) has found serious weaknesses in the security controls protecting the agency’s information technology infrastructure.

The audit, which evaluated the FHFA’s security controls between October 2023 and January 2024, was part of an ongoing oversight effort required by the Federal Information Security Modernization Act (FISMA).

FISMA mandates that federal agencies, including the FHFA, develop and implement comprehensive security programs to safeguard their information systems. These programs must undergo periodic testing and evaluation to ensure their effectiveness in protecting against threats. The standards and guidelines set by the National Institute of Standards and Technology (NIST) provide the necessary framework for these security measures.

The FHFA’s Office of Technology and Information Management (OTIM) is responsible for ensuring the security and resilience of the agency’s IT resources. These resources host a variety of critical data, including financial reports and information from Fannie Mae, Freddie Mac, the Federal Home Loan Banks, and Common Securitization Solutions, LLC. Additionally, the network contains personally identifiable information (PII) of FHFA employees, making robust security controls essential to prevent unauthorized access and potential compromises.

Critical vulnerabilities identified

The audit found that the FHFA’s security controls were not consistently effective in protecting its network and systems from internal threats. The key findings were:

  1. Failure to implement least privilege controls: OTIM did not adequately enforce the principle of least privilege, allowing users more access than necessary for their roles.
  2. Inadequate user authentication management: OTIM failed to effectively manage user authentication processes, leaving the agency vulnerable to unauthorized access.
  3. Insecure cloud access: OTIM did not use secure methods to access the FHFA’s cloud environment, increasing the risk of a breach.
  4. Poor information flow control: The agency did not effectively control the flow of information within its network and to external entities.
  5. Uncontrolled software installation: OTIM did not prevent standard users from downloading and installing unapproved software, a repeat issue from previous audits.
  6. Vulnerability remediation failures: OTIM did not adequately address known vulnerabilities within the FHFA’s systems.
  7. Weak physical security controls: Physical security measures at FHFA headquarters were insufficient to prevent unauthorized access to offices and sensitive employee information, another repeat finding.
  8. Outdated wireless configurations: The agency did not update its Common Control Plan to reflect current wireless network configurations.

Corrective actions and FHFA’s response

In response to these findings, the OIG issued 22 recommendations aimed at addressing the identified security deficiencies. FHFA management has agreed to these recommendations and outlined several corrective actions, including restricting access permissions on network drives, enhancing user authentication processes, and implementing multifactor authentication for cloud access.

For instance, OTIM has initiated a comprehensive review of access permissions to ensure compliance with the least privilege principle by July 2025. Additionally, OTIM plans to implement tools to prevent unauthorized software downloads and enhance data loss prevention by 2025. These measures are critical to protecting the FHFA’s IT infrastructure and the sensitive information it holds.
