Performance Audit of the Federal Housing Finance Agency's (FHFA) Privacy Program

Published by the Federal Housing Finance Agency, Office of Inspector General on 2017-08-30.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

Federal Housing Finance Agency
Office of Inspector General

Performance Audit of the Federal Housing Finance Agency’s (FHFA) Privacy Program

Audit Report AUD-2017-007, August 30, 2017

August 30, 2017


TO: Melvin L. Watt, Director

FROM: Marla A. Freedman, Deputy Inspector General for Audits /s/

SUBJECT: Audit Report - Performance Audit of the Federal Housing Finance Agency’s (FHFA) Privacy Program


We are pleased to transmit the subject report.

42 U.S.C. §2000ee-2 requires FHFA to establish and implement comprehensive privacy and data protection procedures governing the agency’s collection, use, sharing, disclosure, transfer, storage and security of information in an identifiable form related to employees and the public. Such procedures are to be consistent with legal and regulatory guidance, including Office of Management and Budget Regulations, the Privacy Act of 1974, and section 208 of the E-Government Act of 2002. 42 U.S.C. §2000ee-2 also requires the Office of Inspector General (OIG) to periodically conduct a review of FHFA’s implementation of this section and report the results of our review to the Congress.

We contracted with the independent certified public accounting firm of Kearney & Company, P.C. (Kearney) to conduct a performance audit to meet our reporting requirement under 42 U.S.C. §2000ee-2. The contract required that the audit be conducted in accordance with generally accepted government auditing standards.

Based on its audit work, Kearney concluded that FHFA effectively implemented six of the nine privacy requirements in 42 U.S.C. §2000ee-2, in addition to applicable privacy controls listed under the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Rev. 4, Appendix J, Privacy Controls Catalog. In its report, Kearney made seven recommendations to ensure FHFA identifies, monitors, and protects the personally identifiable information (PII) it collects and to ensure that privileged user access is approved and documented. In its management response, FHFA agreed to implement the recommended corrective actions.

In connection with the contract, we reviewed Kearney’s report and related documentation and inquired of its representatives. Our review, as differentiated from an audit in accordance with generally accepted government auditing standards, was not intended to enable us to conclude, and we do not conclude, on FHFA’s compliance with 42 U.S.C. §2000ee-2 and the applicable privacy controls listed in NIST SP 800-53. Kearney is responsible for the attached auditor’s report dated August 30, 2017, and the conclusions expressed therein. However, our review found no instances where Kearney did not comply, in all material respects, with generally accepted government auditing standards.
Report Distribution
Federal Housing Finance Agency
       Director
       Chief of Staff
       Chief Operating Officer
       Associate General Counsel and Senior Agency Official for Privacy
       Chief Information Officer
       Internal Controls and Audit Follow-up Manager

Office of Management and Budget
       Budget Examiner
United States Senate
       Chair and Ranking Member
          Committee on Appropriations, Subcommittee on Transportation, Housing and Urban
            Development, and Related Agencies
          Committee on Banking, Housing, and Urban Affairs
          Committee on Homeland Security and Governmental Affairs

U.S. House of Representatives
       Chair and Ranking Member
          Committee on Appropriations, Subcommittee on Transportation, Housing and Urban
            Development, and Related Agencies
          Committee on Financial Services
          Committee on Oversight and Government Reform




Performance Audit of the Federal Housing Finance Agency’s (FHFA) Privacy Program

August 30, 2017

Point of Contact:
Tyler Harding, Principal
1701 Duke Street, Suite 500
Alexandria, VA 22314
703-931-5600, 703-931-3655 (fax)
Tyler.Harding@kearneyco.com
Kearney & Company’s TIN is 54-1603527, DUNS is 18-657-6310, Cage Code is 1SJ14
                                                                                                                 Federal Housing Finance Agency
                                                                                                                        Performance Audit of the
                                                                                                                               Privacy Program




TABLE OF CONTENTS (page numbers refer to the original PDF)

COVER LETTER ... i
OVERVIEW ... 1
    Purpose ... 1
    Background ... 1
    Federal Privacy Program Requirements ... 1
    Prior Privacy Audit Results from September 2014 ... 2
AUDIT CRITERIA ... 2
    NIST Security Standards and Guidelines ... 3
RESULTS OF AUDIT ... 3
    Privacy Program Improvements Since the September 2014 Privacy Program Report ... 3
    Resolution of Prior-Year Issues ... 3
FINDING 1 ... 4
FINDING 2 ... 7
CONCLUSION ... 9
APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY ... 10
APPENDIX B: TEST MATRIX ... 12
APPENDIX C: STATUS OF PRIOR-YEAR FINDINGS ... 15
APPENDIX D: FHFA’S MANAGEMENT RESPONSE ... 18
APPENDIX E: ACRONYM LISTING ... 20



COVER LETTER

August 30, 2017


The Honorable Laura S. Wertheimer
Inspector General
Federal Housing Finance Agency
400 7th Street SW
Washington, D.C. 20024


Dear Inspector General Wertheimer:

Kearney & Company, P.C. (defined as “Kearney,” “we,” and “our” in this report) is pleased to
provide this Privacy Program Audit Report, which details the results of our audit of the Federal
Housing Finance Agency’s (FHFA or Agency) implementation of specific security and privacy
controls as directed in Section 522 of the Consolidated Appropriations Act of 2005, Division H,
and updated in 42 United States Code (U.S.C.) § 2000ee-2. The FHFA Office of Inspector
General (OIG) contracted with Kearney to conduct this independent assessment as a performance
audit under Generally Accepted Government Auditing Standards (GAGAS).

The objective of this audit was to report on the effectiveness of FHFA’s information security and
privacy practices, with a focus on FHFA’s implementation of privacy controls and the following
nine requirements identified in 42 U.S.C. § 2000ee-2:[1]

• Assuring that the use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form (Office of Management and Budget [OMB] Memorandum 07-16 replaced the use of “information in identifiable form” with the phrase “Personally Identifiable Information” [PII])
• Assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use, and distribution of information in the operation of the program
• Assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974
• Evaluating legislative and regulatory proposals involving the collection, use, and disclosure of personal information by the Federal Government
• Conducting a privacy impact assessment (PIA) of proposed rules of the Agency on the privacy of information in an identifiable form, including the type of PII collected and the number of people affected
• Preparing a report (i.e., annual Federal Information Security Modernization Act of 2014 [FISMA] Privacy Report) and submitting it to Congress on an annual basis on activities of the Agency that affect privacy, including complaints of privacy violations, implementation of 5 U.S.C. § 552a, internal controls, and other relevant matters
• Ensuring that the Agency protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
• Training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies
• Ensuring compliance with the Agency’s established privacy and data protection policies.

[1] The full text of 42 U.S.C. is available at: http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section2000ee-2&num=0&edition=prelim.

Kearney’s methodology for the fiscal year (FY) 2017 Privacy Program audit included an assessment of seven[2] FHFA information systems for compliance with selected controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 4, Security and Privacy Controls for Federal Information Systems and Organizations, found in Appendix J, Privacy Control Catalog.

We conducted this performance audit in accordance with GAGAS. Those standards require that
we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on our
audit objectives.

Based on our audit work, Kearney concluded that FHFA has effectively implemented six of the nine privacy requirements in 42 U.S.C. § 2000ee-2, in addition to applicable privacy controls listed under NIST SP 800-53, Rev. 4, Appendix J, Privacy Controls Catalog.[3] In this report, we made seven recommendations for improvements to ensure FHFA adequately identifies, monitors, and protects the complete inventory of its PII holdings and appropriately approves and documents privileged user access.




[2] Kearney sampled the following FHFA systems: General Support System (GSS), Job Performance Plan (JPP), Correspondence Tracking Systems (CTS), Content Management Interface (CMI), Micro iComplaints, FedHR (FHR) Navigator, and Everbridge. Of the seven sampled systems, all systems stored and processed PII, except CMI.
[3] Appendix J, Privacy Controls Catalog, is available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

In closing, we appreciate the courtesies extended to the Kearney Audit Team by FHFA during
this engagement.


Sincerely,




Kearney & Company, P.C.
Alexandria, VA




OVERVIEW

Purpose

Kearney was contracted by OIG to perform an audit of the Agency’s Privacy Program. This
report satisfies a requirement in 42 U.S.C. § 2000ee-2 that Inspectors General (IG) periodically
review their respective agencies’ Privacy Programs.

Background

On July 30, 2008, FHFA was established by the Housing and Economic Recovery Act of 2008
(HERA), Public Law (P.L.) No. 110-289. HERA abolished two existing Federal agencies (i.e.,
the Office of Federal Housing Enterprise Oversight and the Federal Housing Finance Board) and
created FHFA to regulate the Federal National Mortgage Association (Fannie Mae); the Federal
Home Loan Mortgage Corporation (Freddie Mac); the Federal Home Loan Bank System,
composed of 11 Federal Home Loan Banks (FHLBanks); and the FHLBanks’ fiscal agent, the
Office of Finance.

FHFA is an independent Federal agency with a Director appointed by the President and
confirmed by the United States Senate. The Agency’s mission is to provide effective
supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, the 11
FHLBanks, and the Office of Finance. The Agency also currently serves as conservator for
Fannie Mae and Freddie Mac. FHFA is a non-appropriated, non-apportioned agency that draws
its financial resources from assessments on Fannie Mae, Freddie Mac, and the 11 FHLBanks.

Federal Privacy Program Requirements

Section 522 of the Consolidated Appropriations Act of 2005, Division H,[4] as originally enacted, required the IG of each agency to perform an evaluation every two years to assess its agency’s use of information in identifiable form, evaluate the privacy and data protection procedures of the agency, and recommend strategies and specific steps to improve privacy and data protection management. Section 742(b) of the Consolidated Appropriations Act of 2008, Division D,[5] amended this review requirement by mandating that IGs conduct these reviews periodically (instead of biennially), as well as report the results of the reviews to the House of Representatives and Senate Committees on Appropriations, the House of Representatives Committee on Oversight and Government Reform, and the Senate Committee on Homeland Security and Governmental Affairs.

The Privacy Act of 1974 (5 U.S.C. § 552a), as amended, requires agencies to collect only an individual’s information that is relevant and necessary to accomplish a purpose of the agency required by statute or Executive Order of the President. Agencies are required to protect this information from any anticipated threats or hazards to their security or integrity, which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual for whom the information is maintained, and must not disclose this information except under certain circumstances (e.g., need to know within the agency, required Freedom of Information Act [FOIA] disclosure, or statistical research).

[4] P.L. 108-447, which became law on December 8, 2004.
[5] P.L. 110-161, which became law on December 26, 2007.

In addition, Section 208 of the E-Government Act of 2002 (P.L. 107-347) requires agencies to:
1) conduct PIAs of information technology (IT) and collections and, in general, make PIAs
publicly available; 2) post privacy policies on agency websites used by the public; and 3)
translate privacy policies into a machine-readable format.

Prior Privacy Audit Results from September 2014

OIG contracted with an independent audit firm to conduct a Privacy Program audit based on 42 U.S.C. § 2000ee-2 for FHFA’s Privacy Program in September 2014.[6] In 2014, the firm made six recommendations for FHFA to strengthen its 2014 Privacy Program. Subsequently, OIG determined that FHFA took corrective actions to address all recommendations and closed the six recommendations. Appendix C: Status of Prior-Year Findings lists each recommendation and describes the corrective actions taken by FHFA.

AUDIT CRITERIA

Kearney’s performance audit was conducted in accordance with Government Auditing
Standards, issued by the Comptroller General of the United States. In addition, our work in
support of the audit was guided by applicable FHFA policies and Federal criteria, including, but
not limited to, the following:

• E-Government Act of 2002
• OMB Circular A-130, Managing Information as a Strategic Resource, Appendix II, dated July 28, 2016
• OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security
• OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
• OMB Memorandum M-17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements.




[6] OIG, CliftonLarsonAllen, LLP’s Independent Audit of the Federal Housing Finance Agency’s Privacy Program–2014 (AUD-2014-020), dated September 26, 2014.

NIST Security Standards and Guidelines

NIST provides standards and guidelines pertaining to Federal information systems. The
standards prescribe information security requirements necessary to improve the security, privacy,
and overall protection of Federal information and information systems. Federal agencies must
comply with NIST’s Federal Information Processing Standards (FIPS) Publications (PUB) and
SPs as recommended guidance documents. The following NIST FIPS PUBs and SPs were
referenced during the FHFA Performance Audit of the Privacy Program:

• NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems; A Security Life Cycle Approach
• NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, Appendix J, Privacy Control Catalog
• NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
• FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems
• FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems.

RESULTS OF AUDIT

Kearney executed testing of the FHFA Privacy Program based upon 42 U.S.C. § 2000ee-2
(requirements and IT application security controls), the Privacy Act of 1974, E-Government Act
of 2002, Section 208 of the E-Government Act of 2002, OMB memoranda, and applicable NIST
guidance on privacy. A summary of test results for these controls is identified in APPENDIX B:
TEST MATRIX. The following sections identify improvements since the 2014 audit of the
Privacy Program, resolution of issues identified in that audit, and findings with recommendations
for improvement to the Privacy Program’s inventory and system access.

Privacy Program Improvements Since the September 2014 Privacy Program Report

Kearney noted that FHFA updated its privacy policies to address changes in applicable laws and
OMB guidance since the prior 2014 OIG Privacy Program audit. FHFA’s privacy policies are
posted on the intranet and FHFA’s public website, which is periodically updated to reflect
revisions to policies and procedures. In addition, the FHFA Senior Agency Official for Privacy
(SAOP) stated that FHFA is migrating all hardcopy PII to electronic records or digital images.

Resolution of Prior-Year Issues

In 2014, OIG engaged an independent audit firm to audit FHFA’s Privacy Program; the auditor identified two control deficiencies and made six recommendations for improvement. Following the 2014 Report, OIG reviewed and accepted FHFA’s completed corrective actions to implement and track the logging and control of all computer-readable data extracts of PII, conduct periodic reviews of website compliance with privacy requirements, and track and timely complete corrective actions identified in website compliance reviews. However, Kearney noted that FHFA’s corrective actions did not fully address weaknesses noted and made five new recommendations. Please see Appendix C: Status of Prior-Year Findings for more information.

FINDING 1

Lack of a Complete and Accurate Personally Identifiable Information Systems Inventory

Developing and maintaining a complete and accurate inventory of where PII is collected and
stored is an essential step in securing and protecting PII from accidental disclosure. Both the
Privacy Act of 1974 and FISMA require all Federal agencies to protect and secure PII from
disclosure. Additionally, OMB Memorandum M-07-16, Safeguarding Against and Responding
to the Breach of Personally Identifiable Information, establishes the requirement that Federal
agencies “log all computer-readable data extracts from databases holding sensitive information
and verify each extract, including whether sensitive data has been erased within 90 days or its
use is still required.”

In the execution of its mission, FHFA collects PII in both hardcopy and electronic forms.
Kearney noted that FHFA’s Privacy Program does not maintain a complete and accurate
inventory of PII stored in hardcopy and electronic forms. While FHFA has an inventory of
information systems storing PII, this inventory does not include PII stored in unstructured data
stores, such as SharePoint or network shared drives (e.g., FHFA’s :\M drive). Further, the PII
inventory does not include hardcopy data stores, such as background investigation or Human
Resources (HR) records.

Additionally, Kearney observed that FHFA has not implemented automated technologies
required by OMB Memorandum M-07-16 to log data extracts of PII and does not verify whether
PII data is deleted after 90 days or when no longer required. While FHFA has implemented
manual processes to limit the users with access to these data extracts, the Agency did not
implement monitoring and logging for the systems sampled.

NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and
Organizations, Appendix J, Privacy Control Catalog, established several Federal privacy
protection mandates:

       “SE-1 INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION

       The PII inventory enables organizations to implement effective administrative, technical, and physical security policies and procedures to protect PII consistent with Appendix F, and to mitigate risks of PII exposure. As one method of gathering information for their PII inventories, organizations may extract the following information elements from PIA for information systems containing PII: (i) the name and acronym for each system identified; (ii) the types of PII contained in that system; (iii) classification of level of sensitivity of all types of PII, as combined in that information system; and (iv) classification of level of potential risk of substantial harm, embarrassment, inconvenience, or unfairness to affected individuals, as well as the financial or reputational risks to organizations, if PII is exposed. Organizations take due care in updating the inventories by identifying linkable data that could create PII.

       AR-4 PRIVACY MONITORING AND AUDITING

       Control: The organization monitors and audits privacy controls and internal privacy
       policy [Assignment: organization-defined frequency] to ensure effective implementation.
       Supplemental Guidance: … Organizations also: (i) implement technology to audit for the
       security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security
       of documents containing PII; (iii) assess contractor compliance with privacy
       requirements; and (iv) ensure that corrective actions identified as part of the assessment
       process are tracked and monitored until audit findings are corrected. The organization
       SAOP/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with
       information security officials and ensures that the results are provided to senior managers
       and oversight officials.”

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
Personally Identifiable Information, directs Federal agencies to continue implementing
requirements derived from existing security policy and NIST guidance, including the following
mandate that addresses protections specific to sensitive data: “Log and Verify: Log all
computer-readable data extracts from databases holding sensitive information and verify each
extract, including whether sensitive data has been erased within 90 days or its use is still
required.”

FHFA had once developed a listing of physical PII holdings, but it has not updated or maintained
the inventory of PII, as the Agency has prioritized digitizing all hardcopy PII records and storing
the records within defined information systems. Since then, FHFA has not conducted a
comprehensive business process analysis to identify all business functions that collect, process,
and store PII. While FHFA has identified significant business applications that collect, process,
and store PII, the Agency has not compiled a complete and accurate inventory of where PII
records exist in unstructured or hardcopy form. Further, FHFA presently lacks manual and
automated processes to discover and maintain a complete inventory of where PII is stored in
unstructured and hardcopy form. Manual processes include, but are not limited to, activities
such as periodic, manual searches of SharePoint sites and network shared drives, routine physical
walkthroughs of FHFA offices, and training end users to apply appropriate naming conventions
for files and folders containing PII.

To effectively implement protection and monitoring mandates, many Federal agencies leverage Data Loss Prevention (DLP) technologies to facilitate the identification, protection, and monitoring of PII stored in databases (e.g., structured data) and unstructured data stores (e.g., Microsoft Word and Excel files stored on SharePoint sites and network shared drives). DLP technologies facilitate the ongoing identification, monitoring, and prevention of PII data losses by using intelligent search agents to identify social security numbers, credit card numbers, bank accounts, and other sensitive PII stored in unstructured forms and sent in transit via e-mail. DLP technologies can send alerts to privacy professionals and network administrators when new PII data is discovered on network shared drives or if PII data is copied from an employee’s hard drive to an external USB thumb drive. While not explicitly required by Federal statutes or regulations, the use of DLP technologies is considered a sound business practice and has been deployed by other Federal financial regulators to strengthen their Privacy Programs.

According to FHFA management officials, the Agency has not implemented technologies, such
as DLP, given the cost and other competing management priorities. The Office of Technology
and Information Management (OTIM) officials acknowledge that DLP technologies can identify
and alert privacy officials and OTIM to new data stores of PII kept on SharePoint sites and
Agency network shared drives; however, FHFA cited that DLP technologies require ongoing
maintenance and configuration to be effective and could strain limited security resources.

Without a complete inventory of where PII resides, FHFA is unable to adequately monitor its
collections of PII for compliance with privacy laws, regulations, and guidelines. This includes
ensuring proper access restrictions are in place to only allow access to those who need the PII
data to perform their official duties and confirming that the organization only captures, stores,
and maintains PII where absolutely necessary.

Recommendations: Kearney recommends that the FHFA Privacy Office:

   1. Conduct a comprehensive business process analysis to identify all FHFA business
      processes that collect PII in electronic and hardcopy form to build an inventory of where
      PII is stored.
   2. Develop manual and automated processes to maintain an accurate and complete inventory
      of where PII is stored.
   3. Establish, implement, and train end users to apply naming conventions to files and folders
      containing PII.
   4. Conduct a feasibility study of available technologies to supplement the manual and
      automated processes to identify and secure PII at rest and in transit.
   5. Design and implement automated and manual processes to satisfy the OMB
      Memorandum M-07-16 requirement to log all data extracts of PII and confirm that PII
      has been deleted after 90 days or when no longer needed.
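A minimal extract register implementing the OMB Memorandum M-07-16 logging and 90-day check referred to in Recommendation 5, added here as an example; it is not FHFA's procedure or any Kearney tool. The record fields, the audit date and the sample extracts are constructed for the demonstration.

```python
"""Register of PII data extracts with the OMB M-07-16 90-day check.

Added example, not from the audit report or from FHFA. It models the
recommendation: log every extract of PII, then confirm each is deleted
within 90 days unless a retention justification is on file. The entries
and the audit date below are constructed; field names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

RETENTION_DAYS = 90                # window cited in the recommendation
AUDIT_DATE = date(2017, 7, 31)     # constructed "today" for the demonstration


@dataclass
class ExtractRecord:
    extract_id: str
    system: str                        # source system the PII came from
    owner: str                         # user who pulled the extract
    extracted_on: date
    deleted_on: date | None = None
    justification: str | None = None   # approved reason to retain beyond 90 days


@dataclass
class ExtractRegister:
    records: dict[str, ExtractRecord] = field(default_factory=dict)

    def log_extract(self, extract_id: str, system: str, owner: str, extracted_on: date) -> None:
        if extract_id in self.records:
            raise ValueError(f"duplicate extract id {extract_id}")
        self.records[extract_id] = ExtractRecord(extract_id, system, owner, extracted_on)

    def confirm_deleted(self, extract_id: str, deleted_on: date) -> None:
        rec = self.records[extract_id]
        if deleted_on < rec.extracted_on:
            raise ValueError("deletion date precedes extraction date")
        rec.deleted_on = deleted_on

    def approve_retention(self, extract_id: str, justification: str) -> None:
        if not justification.strip():
            raise ValueError("justification must not be empty")
        self.records[extract_id].justification = justification

    def status(self, rec: ExtractRecord, today: date) -> str:
        """Classify one extract against the 90-day rule as of `today`."""
        if rec.deleted_on is not None:
            late = (rec.deleted_on - rec.extracted_on).days > RETENTION_DAYS
            return "deleted-late" if late and not rec.justification else "deleted"
        age = (today - rec.extracted_on).days
        if age <= RETENTION_DAYS:
            return "within-window"
        return "retained-justified" if rec.justification else "overdue"

    def overdue(self, today: date) -> list[str]:
        """Extract ids past 90 days with neither a deletion confirmation nor a justification."""
        return sorted(i for i, r in self.records.items() if self.status(r, today) == "overdue")

    def summary(self, today: date) -> dict[str, int]:
        counts: dict[str, int] = {}
        for rec in self.records.values():
            s = self.status(rec, today)
            counts[s] = counts.get(s, 0) + 1
        return counts


def build_sample_register() -> ExtractRegister:
    """Constructed extracts illustrating each status the check can produce."""
    reg = ExtractRegister()
    reg.log_extract("E1", "CTS", "analyst1", date(2017, 3, 1))
    reg.confirm_deleted("E1", date(2017, 4, 15))          # deleted inside the window
    reg.log_extract("E2", "GSS", "analyst2", date(2017, 2, 1))   # never deleted, no justification
    reg.log_extract("E3", "FHR Navigator", "hr1", date(2017, 1, 10))
    reg.approve_retention("E3", "Open EEO matter; retention approved by System Owner")
    reg.log_extract("E4", "JPP", "hr2", date(2017, 6, 15))       # still inside the window
    reg.log_extract("E5", "CTS", "analyst3", date(2017, 1, 1))
    reg.confirm_deleted("E5", date(2017, 5, 1))           # deleted, but 120 days after extraction
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("overdue:", reg.overdue(AUDIT_DATE))
    print("summary:", reg.summary(AUDIT_DATE))
```

The `overdue` list is the item a System Owner would be asked to resolve at the annual verification, and `deleted-late` entries show where the deletion happened but the 90-day control was still missed.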




FINDING 2

Lack of Account Requests and Approvals for Privileged Users

Organizations implement access controls and associated procedures to ensure adequate
consideration and appropriate approval when granting elevated privileges to users within IT and
information system boundaries. Specifically, an effective access control process protects
systems and applications from unauthorized access and enforces the principle of least privilege.
Proper authorization and documentation of users requesting or granted privileged access is
essential for traceability and for maintaining a secure IT environment. NIST SP 800-53, Rev. 4,
Security and Privacy Controls for Federal Information Systems and Organizations, establishes
that users requiring administrative privileges for their respective information system accounts
undergo additional review by appropriate personnel, given their elevated privileges.

FHFA’s policies for each of the seven sampled systems (footnote 7) state that, to obtain elevated
privileges, a user must first obtain approval, in writing, from the respective System Owner. For the
FHFA GSS, access is requested through the Access Control System (ACS).

To verify whether FHFA System Owners properly followed documented access control
procedures for creating and approving privileged access, Kearney sampled nine
administrators from a population of 37 across the seven sampled systems. We then
requested the access approval documentation for each sampled user for inspection and testing.

Kearney noted that FHFA did not consistently follow its account provisioning policies outlined
in its Access Control Standard and did not retain evidence of System Owner approval for seven
of nine privileged user accounts.

NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and
Organizations, established the following mandates relating to access control:

        “AC-2 Account Management

        Control: An organization specifies authorized users of the information system, group and
        role membership, and access authorizations (i.e., privileges) and other attributes (as
        required) for each account and requires approvals by appropriate personnel (System
        Owners) for access to be granted to information systems.

        AC-6 Least Privilege

        Control: An organization explicitly authorizes access to systems and applications,
        including administrative access. That access should be documented, including rationale
        for such access.”

Footnote 7: Kearney sampled the following FHFA systems: GSS, JPP, CTS, CMI, Micro iComplaints,
FHR Navigator, and Everbridge. Of the seven sampled systems, all systems stored and processed PII,
except CMI.

In addition to NIST SP 800-53, Rev. 4, FHFA’s Access Control Standard, dated June 2016,
states:

       “FHFA information owners and system owners shall ensure that only users with a
       valid need (i.e., in the performance of their official duties or duties under an
       authorized contract) are provided access to Non-Public or Non-Public Restricted
       information, and that they are provided with the lowest level of access to the data
       (i.e., read only) necessary to perform their job function.

       Privileged access authorizations must be approved by the system owner and include a
       written justification in the form of a help desk or access control ticket.”

Kearney noted that System Owners did not follow privileged user access control procedures
because user accounts were created as systems were placed into production. Additionally,
System Owners were not aware of FHFA’s Access Control Standard.

Without evidence of written approval, FHFA cannot demonstrate that the individuals obtained
privileged access through authorized means.

Recommendations: Kearney recommends that FHFA:

   6. Enhance System Owner training to include FHFA access control policies.
   7. Review all privileged user accounts, obtain authorizations for users where none are
      currently documented, and remove access for those not authorized.
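An added example (not FHFA's Access Control System or Kearney's working papers) of the reconciliation Finding 2 describes and Recommendation 7 asks for: each privileged account is matched to a written approval ticket, and the ticket must come from that system's own System Owner, carry a justification, and predate the grant. The system names GSS and CTS are reused from the report's sample; the accounts, tickets, owner names and result labels are constructed.

```python
"""Reconciling privileged accounts against written System Owner approvals.

Added example; not the audit report's method or any FHFA tool. For each
privileged account it looks for a help-desk/access-control ticket that names
the user and system, was approved by that system's owner, carries a written
justification, and was approved before the account was granted.
Accounts, tickets and the owner mapping below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PrivilegedAccount:
    system: str
    user: str
    granted_on: date


@dataclass(frozen=True)
class AccessTicket:
    ticket_id: str
    system: str
    user: str
    approver: str
    justification: str
    approved_on: date


def evaluate(account: PrivilegedAccount, tickets: list[AccessTicket],
             system_owners: dict[str, str]) -> str:
    """Return the control result for one privileged account."""
    owner = system_owners.get(account.system)
    matching = [t for t in tickets if t.system == account.system and t.user == account.user]
    if not matching:
        return "no-ticket"
    # Only the System Owner's approval counts; a help-desk sign-off alone is not enough.
    by_owner = [t for t in matching if t.approver == owner]
    if not by_owner:
        return "approver-not-system-owner"
    ticket = max(by_owner, key=lambda t: t.approved_on)   # latest owner approval wins
    if not ticket.justification.strip():
        return "no-written-justification"
    if ticket.approved_on > account.granted_on:
        return "approved-after-grant"   # policy requires approval *before* elevation
    return "approved"


def reconcile(accounts: list[PrivilegedAccount], tickets: list[AccessTicket],
              system_owners: dict[str, str]) -> dict[tuple[str, str], str]:
    """Map (system, user) to its control result."""
    return {(a.system, a.user): evaluate(a, tickets, system_owners) for a in accounts}


def exceptions(results: dict[tuple[str, str], str]) -> list[tuple[str, str]]:
    """Accounts that need an authorization obtained or access removed."""
    return sorted(k for k, v in results.items() if v != "approved")


def build_sample() -> tuple[list[PrivilegedAccount], list[AccessTicket], dict[str, str]]:
    """Constructed population: two systems, five administrators, four tickets."""
    owners = {"GSS": "owner.gss", "CTS": "owner.cts"}
    accounts = [
        PrivilegedAccount("GSS", "admin1", date(2016, 9, 1)),
        PrivilegedAccount("GSS", "admin2", date(2016, 9, 1)),   # created at go-live, no ticket
        PrivilegedAccount("CTS", "admin3", date(2017, 1, 15)),
        PrivilegedAccount("CTS", "admin4", date(2017, 1, 15)),
        PrivilegedAccount("CTS", "admin5", date(2017, 1, 15)),
    ]
    tickets = [
        AccessTicket("T-100", "GSS", "admin1", "owner.gss", "GSS backup operator", date(2016, 8, 25)),
        AccessTicket("T-101", "CTS", "admin3", "helpdesk", "CTS admin", date(2017, 1, 10)),
        AccessTicket("T-102", "CTS", "admin4", "owner.cts", "   ", date(2017, 1, 10)),
        AccessTicket("T-103", "CTS", "admin5", "owner.cts", "CTS DBA", date(2017, 3, 1)),
    ]
    return accounts, tickets, owners


if __name__ == "__main__":
    accounts, tickets, owners = build_sample()
    results = reconcile(accounts, tickets, owners)
    for key, verdict in sorted(results.items()):
        print(key, verdict)
    print("exceptions:", exceptions(results))
```

Running the check over the whole privileged population, rather than a sample of nine, is what turns Recommendation 7 into a repeatable control rather than a one-time clean-up.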




CONCLUSION

Based on our audit work, we concluded that FHFA has effectively implemented six of the nine
privacy requirements in 42 U.S.C. § 2000ee-2. In its management response, provided in
Appendix D, FHFA agreed to implement the recommended corrective actions.




APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY

Kearney executed testing of the FHFA Privacy Program based upon 42 U.S.C. § 2000ee-2, the
Privacy Act of 1974, Section 208 of the E-Government Act of 2002, OMB memoranda, and
applicable NIST privacy guidance.

Scope

The objective of this performance audit was to report on the effectiveness of FHFA information
security and privacy practices, with a focus on FHFA’s implementation of privacy controls. This
report is presented to OIG to address its requirements under 42 U.S.C. § 2000ee-2. We
identified and assessed the implementation of selected privacy controls for a representative
sample of FHFA systems containing PII. Kearney identified 15 systems within FHFA with
privacy data and selected the six systems listed in Table 1, in addition to the FHFA GSS
(footnote 8).

                                Table 1: FHFA PII Systems Assessed

Privacy System Name | Description
FHFA Network Infrastructure (GSS) | The FHFA GSS provides support for all information processing activities, internet access, and e-mail for FHFA.
CTS | The purpose of this system is to capture and track correspondence that FHFA receives from external sources. The system captures information on the sender and the nature of the correspondence (e.g., name; property, home, and business addresses; e-mail address; telephone numbers; and other personal and contact information). The system helps ensure FHFA responds to the inquiry in a timely and accurate manner.
Everbridge | Everbridge is a web-based system that allows FHFA’s Office of Facilities Operation Management (OFOM) personnel or other authorized employees to send notifications to FHFA employees using lists, locations, and visual intelligence. The Everbridge mass notification system keeps Agency employees informed before, during, and after events.
FHR Navigator | The purpose of this system is to automate Federal HR functions within a single platform. It is a suite of web-based software tools that is bolstered by a centralized database to support the strategic management of human capital within the Federal workplace.
Micro iComplaints | This system is used to track, manage, and report on Equal Employment Opportunity (EEO) complaints. Information collected is kept confidential for use during the alternate dispute resolution process. Additionally, data is used to create statistical reports.
Merit Central/JPP | This system is an automated tool that facilitates annual FHFA-wide merit increase and Performance-Based Bonus (PBB) decision-making and processing, as well as conducts salary planning determinations. The Office of Human Resources Management (OHRM) and OTIM JPP worked in close coordination to develop this internal system.
CMI (Content Management System) (footnote 9) | CMI is a moderate-impact system that allows individuals to publish content on the FHFA.gov website.

Footnote 8: The FHFA GSS was included in testing because common access controls are used for some
systems holding PII and users store data extracts on the GSS.

Kearney performed fieldwork for the FHFA Privacy Program audit from April to July 2017.
Throughout the Privacy Program audit, we met with FHFA management to discuss preliminary
observations. In addition to the Federal audit criteria listed above (see Appendix C: Status of
Prior-Year Findings), Kearney’s work in support of the audit was guided by applicable FHFA
policies, including the following:

         • General Support Systems (GSS) Information Security Architecture
         • Security Awareness and Training Procedures
         • Information Security Incident Response Plan
         • Procedures for Monitoring of Information Technology Systems that Contain Personally
           Identifiable Information
         • Security Assessment and Authorization Procedure
         • Identification and Authentication Standard
         • Access Control Standard
         • Privacy Program Plan
         • Use and Protection of Personally Identifiable Information Policy.

As a part of the privacy audit, Kearney evaluated access to information systems containing PII.
We observed that privileged users for the sampled systems had the greatest access to PII and
presented the most risk. Therefore, Kearney sampled nine of 37 privileged users across the
selected systems to confirm that the selected privileged users were authorized by their respective
System Owners or other appropriate officials.




Footnote 9: While CMI was included in our sampled systems, Kearney determined that the system
does not store or process PII.

APPENDIX B: TEST MATRIX

The purpose of the matrix below is to identify the nine requirements established in Section
522 of the Consolidated Appropriations Act of 2005, Division H, and 42 U.S.C. § 2000ee-2 for
FHFA’s Privacy Program, in addition to applicable privacy controls listed under NIST
SP 800-53, Rev. 4, Appendix J, Privacy Controls Catalog (footnote 10). NIST’s Privacy Controls
Catalog provides a consolidated list of privacy control requirements established by the
Privacy Act of 1974, Section 208 of the E-Government Act of 2002, 42 U.S.C. § 2000ee-2,
and other OMB memoranda.

Kearney tested the following entity- and system-level control objectives to conclude on FHFA’s
Privacy Program. We noted two findings regarding the Privacy Program’s lack of a
complete inventory and lack of written management authorizations for privileged users. See
Table 2 and Table 3 for Kearney’s conclusions on tests performed during the audit.

         Table 2: Privacy Program Reporting Audit 42 U.S.C. § 2000ee-2 Requirements

# | 42 U.S.C. § 2000ee-2 Requirement | NIST SP 800-53 Control(s) | Kearney Test Results
1 | Assuring that the use of technologies sustains, and does not erode, privacy protections relating to the use, collection, and disclosure of information in an identifiable form | AR-7 | Demonstrates Effectiveness
2 | Assuring that technologies used to collect, use, store, and disclose information in identifiable form allow for continuous auditing of compliance with stated privacy policies and practices governing the collection, use, and distribution of information in the operation of the program | AR-4 | Warrants Management Attention (See Finding 1)
3 | Assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act of 1974. [Emphasis placed on maintaining an inventory of PII holdings.] | AR-6, SE-1 | Warrants Management Attention (See Finding 1)
4 | Evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government | AR-6 | Demonstrates Effectiveness
5 | Conducting a PIA of proposed rules of the Agency on the privacy of information in an identifiable form, including the type of PII collected and the number of people affected | AR-2 | Demonstrates Effectiveness
6 | Preparing a report (i.e., annual FISMA Privacy Report) to Congress on an annual basis on activities of the Agency that affect privacy, including complaints of privacy violations, implementation of 5 U.S.C. § 552a, internal controls, and other relevant matters | AR-6 | Demonstrates Effectiveness
7 | Ensuring that the Agency protects information in an identifiable form and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction | AR-2, AR-6, AR-8, DI-2 | Warrants Management Attention (See Finding 2)
8 | Training and educating employees on privacy and data protection policies to promote awareness of and compliance with established privacy and data protection policies | AR-3, AR-5 | Demonstrates Effectiveness
9 | Ensuring compliance with the Agency’s established privacy and data protection policies | AR-1 | Demonstrates Effectiveness

Footnote 10: Appendix J: Privacy Controls Catalog is available at
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

From NIST SP 800-53, Rev. 4, Appendix J, Privacy Controls Catalog, Kearney selected privacy
controls relevant to FHFA’s Privacy Program. Table 3 presents Kearney’s test results for the
sampled privacy controls.

           Table 3: Additional NIST SP 800-53, Rev. 4, Appendix J, Privacy Controls

# | Additional NIST Privacy Controls | NIST SP 800-53 Control(s) | Kearney Test Results
10 | The Agency has determined and documented the legal authority that permits the collection, use, or maintenance of PII for a specific program or information system used. | AP-1, TR-2 | Demonstrates Effectiveness
11 | The organization describes the purpose for which PII is collected, used, maintained, and shared in its privacy notices. | AP-2 | Demonstrates Effectiveness
12 | The Agency takes reasonable steps to ensure the accuracy and relevance of PII being used by information systems or programs. | DI-1 | Demonstrates Effectiveness
13 | The Agency takes appropriate steps to identify the minimum PII elements relevant and necessary to accomplish the purpose of collection for information system(s). | DM-1 | Demonstrates Effectiveness
14 | The Agency disposes of and/or anonymizes PII in accordance with a National Archives and Records Retention (NARA)-approved record retention schedule and reduces misuse or unauthorized access of PII. | DM-2 | Demonstrates Effectiveness
15 | The Agency develops and implements a Privacy Incident Response Plan addressing incidents involving PII. | SE-2 | Demonstrates Effectiveness
16 | The Agency provides notice to the public of the privacy information practices and the impact of their programs and activities. | TR-1, TR-3, IP-2, IP-3 | Demonstrates Effectiveness

APPENDIX C: STATUS OF PRIOR-YEAR FINDINGS

Kearney obtained the audit results from the prior Privacy Program audit (September 2014) to gain a better understanding of FHFA’s
Privacy Program and the corrective actions taken to address previously identified risks. The table below presents the status of the prior
Privacy Program findings. All six of the recommendations from the 2014 audit were closed by OIG based on the corrective
actions taken by FHFA.

      Recommendations
 #                                 Management Response                   FHFA Actions Taken                       Status
            PY 2014
   Document, disseminate,       “FHFA agrees with these             FHFA updated existing
   and implement a policy       recommendations and will draft      procedures regarding
                                                                                                      Closed –OIG accepted
   requiring the logging        and issue a policy requiring the    monitoring of IT systems that
                                                                                                      corrective actions completed by
 1 and control of all           logging and control of all          contain PII to address this
                                                                                                      FHFA as responsive to address
   computer-readable data       computer readable data extracts     finding. Specifically, new
                                                                                                      this finding.
   extracts from databases      from databases holding PII. In      procedures were added that
   holding PII.                 addition, FHFA will draft           require System Owners to
                                procedures on erasing such data     verify, at least annually, that   Closed –OIG determined that
                                extracts after 90 days or require   computer-readable data extracts   management’s proposed actions
                                a justification for continued       containing PII are deleted        were responsive to the audit.
   Verify that each extract
                                retention beyond 90 days.           within 90 days of their           However, in the FY 2017
   containing PII is erased
                                Furthermore, procedures will be     extraction or that adequate       privacy audit, Systems Owners
 2 within 90 days or
                                drafted on how to track those       justification from the user was   for the sampled privacy systems
   adequate justification is
                                extracts that are retained          received for the continued need   indicated that they did not log,
   provided for retention.
                                beyond 90 days. FHFA will           for the data extract. These       nor subsequently confirm that,
                                complete this by no later than      procedures were posted to         PII extracts were deleted after
                                September 18, 2015.”                FHFA’s intranet and               90 days. See Finding 1.




                                                                    15
                                                                                                               Federal Housing Finance Agency
                                                                                                                      Performance Audit of the
                                                                                                                             Privacy Program




      Recommendations
#                                  Management Response                   FHFA Actions Taken                       Status
          PY 2014
                                                                    incorporated into OTIM’s IT       Closed –OIG determined that
                                                                    System Re-Authorization form.     management’s proposed actions
                                                                                                      were responsive to the audit.
  Tracks extracts
                                                                                                      However, in the FY 2017
  containing PII and
                                                                                                      privacy audit, Systems Owners
3 retained beyond 90 days
                                                                                                      for the sampled privacy systems
  to ensure they are erased
                                                                                                      indicated that they did not log,
  when no longer required.
                                                                                                      nor subsequently confirm that,
                                                                                                      PII extracts were deleted after
                                                                                                      90 days. See Finding 1.
                               “We have reviewed FHFA's
                               ‘Procedures for Monitoring
                               FHFA's Website for
                               Compliance with FHFA's
                               Website Privacy and Social
                               Media Policies’ and a
                               corresponding Agency memo
  Document, disseminate,                                            FHFA’s website privacy and
                               detailing the results of a scan on
  and implement a policy                                            social media policies were        Closed –OIG accepted
                               FHFA's websites, which
  requiring periodic, but at                                        developed and circulated to the   corrective actions completed by
4                              supports the Agency's
  least annual, reviews of                                          affected stakeholders. FHFA       FHFA as responsive to address
                               corrective actions for
  website compliance with                                           planned monitoring and            this finding.
                               recommendation 4 in the
  privacy requirements.                                             completion in a timely manner.
                               subject report. FHFA had
                               responded that it would draft
                               and issue a policy requiring at
                               least annual reviews of agency
                               websites to ensure compliance
                               with FHFA's privacy
                               requirements.”



                                                                    16
                                                                                                           Federal Housing Finance Agency
                                                                                                                  Performance Audit of the
                                                                                                                         Privacy Program




     Recommendations

     PY 2014

Recommendation 5: Conduct periodic reviews of FHFA-owned publicly accessible websites to ensure compliance with Agency policy.
  Management Response: “We obtained the periodic website compliance reviews that FHFA's webmaster conducted, along with evidence the sole matter identified during the reviews was corrected. We conclude that the Agency's actions are responsive to the agreed-upon corrective actions and consider this recommendation closed.”
  FHFA Actions Taken: FHFA completed a review of its website to determine compliance with the Agency’s website privacy and social media policies in March 2015.
  Status: Closed – OIG accepted corrective actions completed by FHFA as responsive to address this finding.

Recommendation 6: Track all corrective actions identified in website compliance reviews and ensure the actions are completed in a timely manner.
  Management Response: FHFA agreed to issue a policy requiring at least annual reviews of agency websites to ensure compliance with FHFA’s privacy requirements.
  FHFA Actions Taken: The Privacy Office provided evidence of tracking the one item listed in the March 2015 review and planned to follow up with the Webmaster to ensure that this corrective action is completed before the next review.
  Status: Closed – OIG accepted corrective actions completed by FHFA as responsive to address this finding.








APPENDIX D: FHFA’S MANAGEMENT RESPONSE












APPENDIX E: ACRONYM LISTING

    Acronym       Definition
    ACS           Access Control System
    CMI           Content Management Interface
    CPO           Chief Privacy Officer
    CTS           Correspondence Tracking System
    DLP           Data Loss Prevention
    Fannie Mae    Federal National Mortgage Association
    FHFA          Federal Housing Finance Agency
    FHFB          Federal Housing Finance Board
    FHLBanks      Federal Home Loan Banks
    FHR           Federal Human Resources
    FIPS          Federal Information Processing Standards
    FISMA         Federal Information Security Modernization Act of 2014
    FOIA          Freedom of Information Act
    Freddie Mac   Federal Home Loan Mortgage Corporation
    FY            Fiscal Year
    GAGAS         Generally Accepted Government Auditing Standards
    GSS           General Support System
    HERA          Housing and Economic Recovery Act of 2008
    HR            Human Resources
    iComplaints   Micro iComplaints
    ID            Identification
    IT            Information Technology
    JPP           Job Performance Plan
    Kearney       Kearney & Company, P.C.
    NIST          National Institute of Standards and Technology
    OFHEO         Office of Federal Housing Enterprise Oversight
    OIG           Office of Inspector General
    OHRM          Office of Human Resources Management
    OMB           Office of Management and Budget
    OTIM          Office of Technology and Information Management
    P.L.          Public Law
    PIA           Privacy Impact Assessment
    PII           Personally Identifiable Information
    PUB           Publication
    Rev.          Revision
    SAOP          Senior Agency Official for Privacy
    SP            Special Publication
    U.S.          United States
    U.S.C.        United States Code




ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

       Call: 202-730-0880

       Fax: 202-318-0239

       Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

       Call: 1-800-793-7724

       Fax: 202-318-0358

       Visit: www.fhfaoig.gov/ReportFraud

       Write:

                 FHFA Office of Inspector General
                 Attn: Office of Investigations – Hotline
                 400 Seventh Street SW
                 Washington, DC 20219




 
                               OIG    AUD-2017-007    August 30, 2017