Kearney & Company, P.C.'s Results of the Federal Housing Finance Agency's Cybersecurity Act Audit

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-08-11.

Audit Report AUD-2016-004, August 11, 2016

The Federal Housing Finance Agency (FHFA) Office of Inspector General (OIG) issued the subject
report to FHFA management on August 11, 2016. Section 406(b) of the Cybersecurity Act of 2015
requires OIG to report to Congress the following information to be collected from FHFA on FHFA
computer systems that provide access to personally identifiable information (PII):

   • A description of the logical access policies and practices used by FHFA to access each
     covered system, including whether appropriate standards were followed;

   • A description and list of the logical access controls and multi-factor authentication used by
     FHFA to govern access to covered systems by privileged users;

   • A description of the information security management practices used by FHFA regarding
     covered systems, including: (1) the policies and procedures followed to conduct inventories
     of the software present on FHFA’s covered systems and the licenses associated with such
     software; (2) what capabilities FHFA utilizes to monitor and detect exfiltration and other
     threats, including data loss prevention capabilities, forensics and visibility capabilities, or
     digital rights management capabilities; and (3) a description of how FHFA is using the
     aforementioned capabilities; and

   • A description of FHFA’s policies and procedures with respect to ensuring that entities,
     including contractors, that provide services to FHFA are implementing the information
     security management practices referenced above.

On August 11, 2016, OIG issued this report to provide the information collected to FHFA
management and Congress. OIG is assessing whether the information in the report could be used to
circumvent FHFA’s internal controls; therefore, the report has not been released publicly. OIG
expects to complete its assessment shortly.