
Kearney & Company, P.C.'s Results of the Federal Housing Finance Agency's Cybersecurity Act Audit

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-08-11.


                REDACTED


         Federal Housing Finance Agency
             Office of Inspector General




  Kearney & Company, P.C.’s
         Results of the
Federal Housing Finance Agency’s
    Cybersecurity Act Audit




Audit Report  AUD-2016-004  August 11, 2016
                                          August 11, 2016


TO:               Kevin Winkler
                  Chief Information Officer

FROM:             Marla A. Freedman /s/
                  Deputy Inspector General for Audits

SUBJECT:          Audit Report – Kearney & Company, P.C.’s Results of the Federal Housing
                  Finance Agency’s Cybersecurity Act Audit


We are pleased to transmit the subject report.

Section 406 of the Cybersecurity Act of 2015, enacted as Division N of the Consolidated
Appropriations Act, 2016, December 18, 2015,[1] requires the Federal Housing Finance Agency
(FHFA) Inspector General to report to Congress the following information to be collected from
FHFA on FHFA computer systems that provide access to personally identifiable information
(PII): (a) a description of the logical access policies and practices used to access a PII system,
including whether appropriate standards were followed; (b) a description and list of the logical
access controls and multi-factor authentication used by the agency to govern access to PII
systems by privileged users; (c) a description of policies and procedures followed to detect data
exfiltration and maintain an inventory of software and licenses on the covered systems; and (d) a
description of policies and procedures to ensure that contractors and other entities providing
services to the agency implement appropriate data security management practices.

We contracted with the independent certified public accounting firm of Kearney & Company,
P.C. (Kearney) to conduct a performance audit to meet this reporting requirement. The contract
required that the audit be conducted in accordance with generally accepted government auditing
standards.

In its audit, Kearney concluded FHFA has established and implemented the required privacy
controls according to National Institute of Standards and Technology (NIST) Special Publication
(SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations, for “moderate” impact systems as of June 30, 2016. Additionally, FHFA has
satisfied the NIST SP 800-53 required privacy controls for six reviewed systems and has
implemented a combination of preventive and detective security controls (e.g., network firewalls,
encryption, intrusion detection systems, etc.) to protect sensitive information such as PII.



[1] Public Law 114-113.
In connection with the contract, we reviewed Kearney’s report and related documentation and
inquired of its representatives. Our review, as differentiated from an audit in accordance with
generally accepted government auditing standards, was not intended to enable us to conclude,
and we do not conclude, on FHFA’s compliance with required privacy controls according to
NIST SP 800-53. Kearney is responsible for the attached auditor’s report dated August 11, 2016,
and the conclusions expressed in the report. However, our review found no instances where
Kearney did not comply, in all material respects, with generally accepted government auditing
standards.

Report Distribution

Federal Housing Finance Agency
   Director
   Chief of Staff
   Chief Operating Officer
   Chief Financial Officer
   Chief Information Officer
   Internal Controls and Audit Follow-up Manager

Office of Management and Budget
   Budget Examiner

United States Senate
   Chair and Ranking Members
       Committee on Appropriations, Subcommittee on Transportation, Housing and Urban
       Development, and Related Agencies
       Committee on Banking, Housing, and Urban Affairs
       Committee on Homeland Security and Governmental Affairs

U.S. House of Representatives
   Chair and Ranking Members
       Committee on Appropriations, Subcommittee on Transportation, Housing and Urban
       Development, and Related Agencies
       Committee on Financial Services
       Committee on Oversight and Government Reform
Federal Housing Finance Agency
  Office of Inspector General

         Results of FHFA’s
   Cybersecurity Act of 2015 Audit

                           August 11, 2016




                                   Point of Contact:
                               Tyler Harding, Principal
                             1701 Duke Street, Suite 500
                                Alexandria, VA 22314
                         703-931-5600, 703-931-3655 (fax)
                           Tyler.Harding@kearneyco.com
   Kearney & Company’s TIN is 54-1603527, DUNS is 18-657-6310, Cage Code is 1SJ14
                                                                                                                Federal Housing Finance Agency
                                                                                                                  Results of FHFA’s CSA Audit




                                  TABLE OF CONTENTS
                                                                                 Page

ACRONYM LISTING                                                                     i
BACKGROUND                                                                          3
Overview                                                                            3
Results of Audit                                                                    4
    1. Logical Access Policies and Practices for Covered Systems                    4
    2. Logical and Multi-Factor Access to Covered Systems for Privileged Users      5
    3. Software Licensing and Installed Software on Covered Systems                 6
    4. Security Management Practices Used to Monitor and Detect Data Exfiltration   6
    5. Oversight of Contractor Implementation of Software Management and Data
       Exfiltration Controls                                                        8
    Compensating Security Controls                                                  8
    Summary of FHFA’s CSA Control Implementations                                   8
APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY                                     A-1
APPENDIX B: ASSESSMENT MATRIX                                                     B-1
APPENDIX C: FHFA’S MANAGEMENT RESPONSE                                            C-1




     Federal Housing Finance Agency Office of Inspector General • AUD-2016-004 • August 11, 2016
ACRONYM LISTING

         Acronym        Definition
         AD             Active Directory
         COTS           Commercial Off-the-Shelf
         CSA            Cybersecurity Act of 2015
         CTS            Correspondence Tracking System
         DLP            Data Loss Prevention
         DRM            Digital Rights Management
         EEX            Employee Express
         Fannie Mae     Federal National Mortgage Association
         FHFA           Federal Housing Finance Agency
         FHFB           Federal Housing Finance Board
         FHLBanks       Federal Home Loan Banks
         FHR            Federal Human Resources
         FIPS           Federal Information Processing Standards
         FISMA          Federal Information Security Modernization Act of 2014
         Freddie Mac    Federal Home Loan Mortgage Corporation
         FY             Fiscal Year
         GAGAS          Generally Accepted Government Auditing Standards
         GSS            General Support System
         HERA           Housing and Economic Recovery Act of 2008
         iComplaints    MicroPact iComplaints
         ID             Identification
         IT             Information Technology
         JPP            Job Performance Plan
         Kearney        Kearney & Company, P.C.
         NIST           National Institute of Standards and Technology
         N/A            Not Applicable
         OFHEO          Office of Federal Housing Enterprise Oversight
         OIG            Office of Inspector General
         OHRM           Office of Human Resources Management
         OMB            Office of Management and Budget
         OPM            Office of Personnel Management
         OS             Operating System
         OTIM           Office of Technology and Information Management
         P.L.           Public Law
         PII            Personally Identifiable Information
         PIN            Personal Identification Number
         PIV            Personal Identity Verification
         POA&M          Plans of Action and Milestones
         PUB            Publication
         Rev.           Revision
         SA&A           Security Assessment and Authorization
         SAR            Security Assessment Report
         SORN           System of Records Notice
         SP             Special Publication
         SSN            Social Security Number
         SSP            System Security Plan
         U.S.           United States




COVER LETTER
August 11, 2016


The Honorable Laura S. Wertheimer
Inspector General
Federal Housing Finance Agency
400 7th Street SW
Washington, D.C. 20024


Dear Inspector General Wertheimer:

Kearney & Company, P.C. (defined as “Kearney,” “we,” and “our” in this report) is pleased to
provide this Cybersecurity Act of 2015 (CSA) Audit Report, which details the results of our
audit of the Federal Housing Finance Agency’s (FHFA or Agency) implementation of specific
security and privacy controls as directed by Section 406, Federal Computer Security, of the
CSA. Section 406 requires the FHFA Inspector General to report on FHFA’s logical access
controls, data exfiltration protections, and other policies and procedures governing the protection
of personally identifiable information (PII) data within covered systems.[2] The FHFA Office of
Inspector General (OIG) contracted with Kearney to conduct this independent audit as a
performance audit under generally accepted government auditing standards (GAGAS).

The objective of this audit was to report information to the United States Congress detailing
FHFA’s establishment and implementation of logical access, software management, and data
exfiltration controls on covered systems. Kearney’s methodology for the FY 2016 CSA
evaluation included an assessment of six FHFA information systems for compliance with
selected controls from the National Institute of Standards and Technology (NIST) Special
Publication (SP) 800-53, Revision (Rev.) 4, Security and Privacy Controls for Federal
Information Systems and Organizations, found in Appendix J: Privacy Control Catalog.

We conducted this performance audit in accordance with GAGAS. Those standards require that
we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on our
audit objectives.




[2] The CSA defines a “covered agency” as an agency operating a covered system. A “covered system” refers to
a national security system as defined in Section 11103 of Title 40, United States Code (U.S.C.), or a Federal
computer system that provides access to PII. The full text is available at
https://www.congress.gov/bill/114th-congress/house-bill/2029/text in Division N. (Accessed by Kearney July 22, 2016)


Based on our audit work, we concluded that FHFA has established and implemented the required
privacy controls according to NIST SP 800-53 for “moderate” impact systems as of June 30, 2016.
In particular, strengths of the Privacy Program included the following:

   1. Completed and published system of record notices (SORN) and privacy impact
      assessments for the six sampled information systems
   2. Evidence of oversight for third-party information systems containing PII
   3. Inclusion of privacy-based requirements in contracts with service providers
   4. Privacy monitoring and auditing of privacy-related controls
   5. Privacy awareness and training.

FHFA has satisfied the NIST SP 800-53 required privacy controls for the six reviewed systems
and has implemented a combination of preventive and detective security controls (e.g., network
firewalls, encryption, intrusion detection systems, etc.) to protect sensitive information such as
PII. We encourage FHFA to continue to evaluate technical solutions promoted by the CSA, such
as data loss prevention tools to strengthen FHFA’s protection of privacy data over its covered
systems. Detailed observations are included in the Results section of this report. The projection
to future periods of any conclusions based on our findings is subject to the risk that controls may
become inadequate due to changes in conditions or the deterioration of compliance with controls.

In closing, we appreciate the courtesies extended to the Kearney Audit Team by FHFA during this
engagement.



Sincerely,




Kearney & Company, P.C.
August 11, 2016








BACKGROUND

Overview
On July 30, 2008, FHFA was established by the Housing and Economic Recovery Act of 2008
(HERA), Public Law (P.L.) No. 110-289. HERA abolished two existing Federal agencies, the
Office of Federal Housing Enterprise Oversight (OFHEO) and the Federal Housing Finance
Board (FHFB), and created FHFA to regulate the Federal National Mortgage Association
(Fannie Mae), the Federal Home Loan Mortgage Corporation (Freddie Mac), the 11 Federal
Home Loan Banks (FHLBanks), and the FHLBanks Office of Finance.

FHFA is an independent Federal agency with a Director appointed by the President and
confirmed by the United States (U.S.) Senate. The Agency’s mission is to provide effective
supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, and the 11
FHLBanks, in addition to the FHLBanks Office of Finance. FHFA is a non-appropriated, non-
apportioned agency that draws its financial resources from assessments on Fannie Mae, Freddie
Mac, and the 11 FHLBanks.

In June 2015, the Office of Personnel Management (OPM) announced that hackers had exploited
inadequate controls to gain system access and steal Social Security Numbers (SSN) and other
personal information in background investigation files. Following the data breach at OPM, the
Office of Management and Budget (OMB) directed Federal agencies to immediately take
corrective actions. In light of this breach and other attacks targeting government systems, there
is an increased need for protection of sensitive Federal data.

Cybersecurity Act of 2015
The Cybersecurity Act of 2015, included as Division N of the 2016 Consolidated Appropriations
Act, directs Inspectors General of agencies operating Federal computer systems that provide
access to PII to submit a report to the U.S. Congress, which shall include the following
information collected from the agency:

   1. A description of the logical access policies and practices used to access a PII system,
      including whether appropriate standards were followed
   2. A description and list of the logical access controls and multi-factor authentication
      used by the agency to govern access to PII systems by privileged users
   3. A description of policies and procedures followed to detect data exfiltration and
      maintain an inventory of software and licenses on the covered systems
   4. A description of policies and procedures to ensure that contractors and other entities
      providing services to the agency implement appropriate data security management
      practices.








NIST Security Standards and Guidelines
NIST provides standards and guidelines pertaining to Federal information systems. The
standards prescribe information security requirements necessary to improve the security, privacy,
and overall protection of Federal information and information systems. Federal agencies must
comply with NIST’s Federal Information Processing Standards (FIPS) and Special Publications
(SP) as recommended guidance documents.

Results of Audit
Kearney found that FHFA has satisfied required security and privacy controls for the six sampled
covered systems. In addition, FHFA has implemented controls to protect against cyber-attacks
originating from foreign countries.

1.       Logical Access Policies and Practices for Covered Systems
To properly manage the identification and authentication of authorized users, an organization’s
first step is to document and implement the logical access policies and practices that form the
basis of how users will connect to the organization’s network and internal and external systems.
Logical access is wide-ranging and requires organizations to consider such topics as enforcement
of secure passwords, uniquely identifying users, and providing users with only the access needed
to complete job responsibilities. FHFA has documented and implemented such logical access
policies and procedures. Specifically, our audit confirmed the following:

   Account Provisioning Controls:
    - System managers and security personnel create and configure network and system
      accounts to uniquely identify user accounts, only allowing access to the data needed
      to perform applicable job functions. Roles are implemented to prevent general users
      from accessing administrative functions, and system accounts are reviewed to
      identify inactive users.
   Password Complexity and Security:
    - FHFA system policy ensures passwords are sufficiently complex to prevent easy
      guessing. Complexity configurations include minimum length, as well as requirements
      for uppercase and lowercase letters, numerals, and special characters.
    - When authenticating to the system, FHFA systems obscure authenticators (whether
      passwords or personal identification number [PIN] codes) to prevent an unauthorized
      party from viewing the password when entered.
   Functional Responsibilities:
    - FHFA has documented the Agency roles responsible for ensuring that controls are in
      place and operating effectively. This includes FHFA system owners performing reviews
      of user authorizations and privilege levels, as well as managers following FHFA
      procedures for obtaining and removing access to information resources for assigned
      staff.

For information systems hosted by other organizations, FHFA’s information security staff
reviews the external system’s security assessment and authorization (SA&A) packages prior to
authorizing FHFA use to ensure that they meet the minimum requirements of the FHFA SA&A
process. Through this review, they confirm that the external system complies with FHFA’s
requirements for logical access.

2.       Logical and Multi-Factor Access to Covered Systems for Privileged Users
Multi-factor authentication requires the use of two or more different factors to achieve
authentication. The factors are defined as: 1) something you know (e.g., password, PIN);
2) something you have (e.g., cryptographic identification device, token); or 3) something you are
(e.g., biometric). Implementing multi-factor authentication controls for users with elevated
access to sensitive data reduces risk that an attack using a compromised user ID and password
would be successful. Kearney observed users log into six covered systems and documented the
technologies implemented to authenticate privileged and traditional end-users.

 System                     Authentication Method    Additional Details
 Correspondence Tracking                             CTS is only accessible through the FHFA
 System (CTS)                                        network, which requires two-factor
                                                     authentication upon desktop start.
 FOIAXpress                                          The system is custom software designed for
                                                     Federal use, but the system vendor has not
                                                     implemented
                                                     authentication capability. As a compensating
                                                     control, the system is only accessible by
                                                     users on the FHFA network, which requires
                                                     two-factor authentication upon desktop start.
 Merit Central/Job                                   Users access the system via web browser, and
 Performance Plan (JPP)                              authentication occurs in the background
                                                     without the need for entering a separate
                                                     user ID and password (e.g., single sign-on).
 FHR Navigator                                       A one-time passcode is sent via text message
                                                     to users accessing via user ID and password.
 iComplaints                                         This is a Commercial Off-the-Shelf (COTS)
                                                     product that has not
                                                     for privileged and general users.
 EmployeeExpress (EEX)                               FHFA users do not have privileged accounts on
                                                     EEX. FHFA management noted that OPM has
                                                     implemented two-factor authentication for
                                                     internal users that administer the system and
                                                     plans to expand two-factor authentication to
                                                     external users at a future date.
 Administrative Access                               Administrator accounts are tied to
 to FHFA servers hosting                             authentication.
 covered systems

3.      Software Licensing and Installed Software on Covered Systems
It is important that organizations have the ability to document the current state of the software
installed, authorized, and used on devices that access systems and data. A current and
comprehensive software inventory assists with ensuring organizations know which patches and
software updates are needed to minimize software vulnerabilities, as well as what software
configurations are necessary to comply with established configuration baselines.

FHFA demonstrated its ability to monitor and perform a software inventory on the sampled
covered systems and confirm that all software licenses for the internal systems reviewed (CTS,
Merit Central/JPP, and FOIAXpress) were properly licensed. Specifically, FHFA’s System
Security Plan (SSP) included the servers, hardware components, operating system (OS) and
version, database and version, and installed software and version information. The Audit Team
observed information technology (IT) management review the installed software on the servers
maintaining the source code libraries for the systems and compared this information to the
respective SSPs, without exception.

The inventory of software installed on two internal servers hosting three applications was
consistent with their SSPs. Regarding installation of security patches for deployed software,
FHFA’s Vulnerability Assessment process includes a weekly scan of servers and desktops and
identifies servers and desktops that are not fully patched. FHFA has documented procedures for
tracking software licenses and ensuring that non-approved software installed on systems is
removed. FHFA’s system administrators use Microsoft licensing tools to automate the
monitoring of versions and planning for future needs based on expected usage. During our audit,
system administrators demonstrated the process for ensuring that Microsoft OS, virtual servers,
and user software are current and supported by the vendor.
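The SSP-versus-installed-software comparison described in this section, as an added Python example that is not the report's or FHFA's own tooling: it reports non-approved installs, approved components that are missing, version drift in either direction (older than the SSP suggests missing patches, newer suggests a stale SSP), and software past vendor support. The baseline entries, the installed inventory, the component names and the support dates are constructed samples.

```python
"""Reconcile the software observed on a server against its System Security Plan
(SSP) baseline, the review the report describes for CTS, Merit Central/JPP and
FOIAXpress. Reports non-approved installs, missing approved components, version
drift in either direction, and components whose vendor support has ended."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Baseline:
    """One SSP software entry: approved version and, if known, the vendor support end date."""
    version: str
    support_until: Optional[date] = None


@dataclass
class Findings:
    unapproved: List[str] = field(default_factory=list)   # installed but not in the SSP
    missing: List[str] = field(default_factory=list)      # in the SSP but not installed
    behind: List[str] = field(default_factory=list)       # older than the SSP version (not fully patched)
    ahead: List[str] = field(default_factory=list)        # newer than the SSP version (SSP is stale)
    unsupported: List[str] = field(default_factory=list)  # vendor support has ended

    def clean(self) -> bool:
        """True when installed software matches the SSP without exception."""
        return not any(vars(self).values())


def parse_version(version: str) -> Tuple[int, ...]:
    """'12.0.5000' -> (12, 0, 5000); a fragment with no digits (e.g. 'beta') counts as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cmp_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b; '14.0' equals '14.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def reconcile(ssp: Dict[str, Baseline], installed: Dict[str, str], today: date) -> Findings:
    """Compare an installed-software inventory with the SSP baseline for one server."""
    findings = Findings()
    # Case-insensitive index so "tracking app" and "Tracking App" are the same component.
    index = {name.strip().lower(): (name, entry) for name, entry in ssp.items()}
    matched = set()
    for name, version in installed.items():
        key = name.strip().lower()
        if key not in index:
            findings.unapproved.append(f"{name} {version}")
            continue
        matched.add(key)
        approved_name, entry = index[key]
        order = cmp_versions(version, entry.version)
        if order < 0:
            findings.behind.append(f"{approved_name}: installed {version}, SSP {entry.version}")
        elif order > 0:
            findings.ahead.append(f"{approved_name}: installed {version}, SSP {entry.version}")
        if entry.support_until is not None and entry.support_until < today:
            findings.unsupported.append(
                f"{approved_name} (support ended {entry.support_until.isoformat()})")
    for key, (approved_name, entry) in index.items():
        if key not in matched:
            findings.missing.append(f"{approved_name} {entry.version}")
    return findings


# Constructed sample: one SSP software table and the inventory pulled from one server.
# Names, versions and dates are placeholders, not values from the report.
SSP_BASELINE = {
    "Windows Server": Baseline("6.3.9600"),
    "SQL Server": Baseline("12.0.5000"),
    "Tracking App": Baseline("4.2.0"),
    "Backup Agent": Baseline("3.1"),
    "Legacy Reporting Tool": Baseline("2.8", support_until=date(2016, 1, 31)),
}
INSTALLED_APP01 = {
    "Windows Server": "6.3.9600",
    "SQL Server": "12.0.4100",
    "tracking app": "4.2.1",
    "Legacy Reporting Tool": "2.8",
    "Screen Recorder": "1.0",
}

if __name__ == "__main__":
    result = reconcile(SSP_BASELINE, INSTALLED_APP01, date(2016, 6, 30))
    for category, items in vars(result).items():
        for item in items:
            print(f"{category:12s} {item}")
```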

4.     Security Management Practices Used to Monitor and Detect Data Exfiltration
The CSA identifies the following technical solutions that assist in preventing
unauthorized transfer of sensitive data outside of organizational control:

   - Data Loss Prevention (DLP) technologies - DLP technologies are generally
     content-aware solutions that can monitor for sensitive data (e.g., SSN, bank account
     numbers, etc.) in motion by inspecting network communications, such as e-mail,
     Instant Messaging, web, file transfers, and peer-to-peer communication. Automated
     systems can block the information transfer if it violates a data security policy, or
     encrypt the data for secure exchange while not interfering with legitimate business.
   - Forensic technologies - Forensic technologies are used to gather evidence of an
     incident through the identification, collection, examination, and analysis of data,
     while preserving the integrity of the information and maintaining a strict chain of
     custody for the data.
   - Digital Rights Management (DRM) technologies - DRM technologies are implemented to
     manage the trusted distribution and control of protected content to users and devices
     authorized by an organization. Typical DRM solutions include a combination of
     technologies (e.g., encryption, digital watermarking) and policies (e.g., location
     restrictions, authorized access times).

Addressed as part of the entity-wide controls, FHFA has documented and implemented specific
data exfiltration prevention capabilities, including DLP and forensic technology to provide
visibility over sensitive data traversing its network. The FHFA General Support System (GSS)
Information Security Architecture document notes the implementation of a secured email
solution to protect sensitive data from being sent outside the agency unencrypted. The FHFA
GSS SSP notes that systems and audit log applications are configured to produce audit records
that contain sufficient information to establish what events occurred, the sources of the events,
and the outcomes of the events.

FHFA Implementation
    DLP: FHFA’s secure email solution automatically encrypts e-mails with PII
    leaving the FHFA network.
    Forensics and Visibility: FHFA relies on firewall/Intrusion Prevention System
    (IPS) logs and third-party forensic case management software for network and
    endpoint forensic investigation, respectively.
    DRM: FHFA has not implemented DRM capabilities.

Additional Details
    DLP: The solution automatically recognizes plaintext communicated in the body
    of the message and/or in attachments that meet predefined policies, including
    SSN, financial identifiers, and health care identifiers.
    Forensics and Visibility: FHFA implemented audit monitoring controls on the
    FHFA GSS based on the NIST SP 800-53 Audit and Accountability control family.
    DRM: FHFA noted that DRM is not required by NIST SP 800-53 for moderate impact
    systems. Further, FHFA stated the resources required to implement, manage, and
    maintain a DRM solution exceeded expected benefits.
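
The policy-based recognition described for the secure e-mail solution (plaintext matching
predefined patterns such as SSNs and financial identifiers in the body or attachments, with
encryption applied before the message leaves the network) can be sketched in code. The
following Python is an added illustration, not FHFA’s software and not part of the report: the
patterns, the Message and Verdict types, the internal domain and the sample messages are all
constructed here. Matches are masked before they are returned, so the DLP log does not become
a second copy of the PII it was meant to protect.

```python
"""Toy DLP policy check: recognize predefined PII patterns in an outbound e-mail
and decide whether the message must be encrypted before it leaves the network.

Constructed example.  It is not FHFA's secure e-mail solution; the patterns,
the Message/Verdict types and the sample messages are assumptions made here.
"""
import re
from dataclasses import dataclass, field

# SSN in AAA-GG-SSSS form.  Area 000, 666 and 900-999, group 00 and serial 0000
# are never issued, so they are rejected to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Candidate payment card number: 13-16 digits, optionally separated by spaces or
# hyphens, starting and ending on a digit.  Confirmed with the Luhn checksum.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if `digits` passes the Luhn mod-10 checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Mask all but the last `keep` digits so DLP logs do not store the PII itself."""
    n_digits = sum(ch.isdigit() for ch in value)
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - keep else "*")
        else:
            out.append(ch)
    return "".join(out)


def find_ssns(text: str) -> list[str]:
    """Masked SSN matches found in `text`."""
    return [mask(m) for m in SSN_RE.findall(text)]


def find_cards(text: str) -> list[str]:
    """Masked card-number matches in `text` that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(mask(m.group()))
    return hits


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text


@dataclass
class Verdict:
    ssn_hits: list[str]
    card_hits: list[str]
    external_recipients: list[str]

    @property
    def must_encrypt(self) -> bool:
        """Encrypt when PII was found and at least one recipient is outside the agency."""
        return bool(self.external_recipients) and bool(self.ssn_hits or self.card_hits)


def evaluate(msg: Message, internal_domain: str = "agency.example") -> Verdict:
    """Apply the policy to the body and to every attachment's extracted text."""
    texts = [msg.body, *msg.attachments.values()]
    ssn = [h for t in texts for h in find_ssns(t)]
    cards = [h for t in texts for h in find_cards(t)]
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + internal_domain)]
    return Verdict(ssn, cards, external)


# Constructed sample: PII in the body and in an attachment, sent to an outside party.
SAMPLE = Message(
    sender="analyst@agency.example",
    recipients=["counsel@lawfirm.example"],
    body="Per our call, the claimant's SSN is 123-45-6789.",
    attachments={"payment.txt": "Card on file: 4111 1111 1111 1111, exp 12/27"},
)

if __name__ == "__main__":
    verdict = evaluate(SAMPLE)
    print("SSNs:", verdict.ssn_hits, "cards:", verdict.card_hits)
    print("encrypt before sending:", verdict.must_encrypt)
```

The decision is tied to both conditions the table implies: PII must be present and the message
must be bound for a recipient outside the agency. A real gateway would also extract text from
binary attachment formats and carry more policies (health care identifiers, account numbers),
but the structure of detect, validate, mask and decide is the same.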




5.      Oversight of Contractor Implementation of Software Management and Data Exfiltration Controls
Agencies benefit from the economies of scale in reusing Government-ready platforms that
provide similar services across multiple agencies. Along with these potential benefits, agencies
must establish processes to ensure adequate security of the external entities and their information
systems. In this regard, we determined that FHFA periodically performs a review of the SA&A
documents made available through the Federal Risk and Authorization Management Program
(FedRAMP) or from the external system’s management. FHFA IT personnel can examine the
external systems’ SSPs and confirm the implementation of specific security controls, such as
DLP, forensics capability, and software and license management. By reviewing the Security
Assessment Reports (SAR) and resulting Plans of Action and Milestones (POA&M), FHFA can
confirm the operating effectiveness of specific security controls. For each external system,
FHFA reviews and concludes on compliance with FHFA’s requirements and the external
system’s suitability to host FHFA data prior to use by FHFA. FHFA does not require its external
systems to implement DLP, forensic technologies, or DRM, as these controls are not required by
NIST SP 800-53 or added to a system’s moderate security baseline.

Compensating Security Controls
FHFA management stated that while they have not implemented DRM technologies, they have
taken other steps to prevent the loss of sensitive information, such as PII. These additional
security measures include encrypting specific PII data fields at rest in FHFA databases
[REDACTED]. FHFA’s firewall also blocks unsolicited inbound packets from a number of
nations outside of the United States and plans to expand this filtering control to block all inbound
and outbound traffic to non-U.S. Internet Protocol (IP) addresses. FHFA mobile devices utilize
full disk encryption and Universal Serial Bus (USB) ports are restricted to prevent the export of
FHFA data to external storage devices.

Summary of FHFA’s CSA Control Implementations
FHFA has implemented security and privacy policies, procedures, and supporting technology to
protect PII. Below is a summary of key practices requested by the CSA.

     1. Logical Access Policies and Practices for Covered Systems
        FHFA has documented and implemented logical access policies and practices that were
        consistent with OMB policy and applicable NIST guidelines for the six selected systems.
     2. Logical and Multi-Factor Access to Covered Systems for Privileged Users
        FHFA has employed logical access controls for covered systems consistent with policies
        and procedures and requires system administrators to use multi-factor authentication to
        access internal system resources.
     3. Software Licensing and Installed Software on Covered Systems
        FHFA manages installed software for covered systems and ensures that software is
        properly licensed. FHFA has an automated means to monitor and track versions and
        licenses used. All server software is current and supported by the vendor.
     4. Security Practices Used to Monitor and Detect Data Exfiltration
        FHFA has automated means to encrypt and securely deliver e-mail containing PII and
        financial information. FHFA relies on firewall logs and forensic case management
        software for network and endpoint forensic investigation, respectively. Network devices,
        such as servers and routers, transmit their security logs to a centralized audit logging
        solution to facilitate audit log analysis and comply with specific NIST SP 800-53
        auditing controls. FHFA management has not implemented DRM solutions as they are
        not a requirement for moderate-risk, non-national security systems.
     5. Oversight of Contractor Implementation of Software Management and Data
        Exfiltration Controls
        FHFA reviews the security assessments and authorization documents of externally hosted
        systems and services. It is important to note that while a review of an external system’s
        SSP and POA&Ms would identify issues with audit monitoring and software inventory
        and license management, this review does not include assessments of data loss
        prevention, forensic technologies, or DRM capabilities (unless specifically detailed), as
        these controls are not required in a system’s “moderate” baseline under NIST SP 800-53
        Rev. 4 controls.
     6. CSA-Related Privacy Program Controls
        To verify that PII is being managed and protected in compliance with Federal
        requirements, Kearney interviewed FHFA privacy officials and reviewed documentation
        of FHFA’s Privacy Program for controls related to the CSA’s focus areas. On a sample
        basis, we confirmed that FHFA has implemented required privacy controls found in
        NIST SP 800-53, Appendix J: Privacy Control Catalog. Please refer to Appendix A for
        complete details of tested controls.




APPENDIX A: OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this performance audit was to report information to the U.S. Congress detailing
the Federal Housing Finance Agency’s (FHFA) establishment and implementation of logical
access, software management, and data exfiltration controls on covered systems. Kearney &
Company, P.C.’s (Kearney) methodology for this audit included an assessment of six FHFA
information systems for compliance with selected controls from the National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-53, Revision (Rev.) 4, Security
and Privacy Controls for Federal Information Systems and Organizations, found in Appendix J:
Privacy Control Catalog.

Kearney conducted our performance audit in accordance with Generally Accepted Government
Auditing Standards (GAGAS). Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusion. Our CSA approach, which is based on NIST
SP 800-53, Rev. 4 and the CSA, employed the interview and inspection assessment methods.

Kearney’s audit program included procedures to test and report on: 1) five Section 406
requirements, as identified in the CSA, and 2) a selection of NIST SP 800-53, Rev. 4 privacy
controls. See Table 1 and Table 2.

                           Table 1: CSA, Section 406 Requirements

  APG #  Section 406 Requirements
  1.0    Description of the logical access policies and practices used by the covered
         agency to access a covered system, including whether appropriate standards
         were followed.
  2.0    Description and list of the logical access controls and multi-factor
         authentication used by the covered agency to govern access to covered
         systems by privileged users.
  3.0    Description of the reasons for not using logical access controls or
         multi-factor authentication (if not used for connecting to a covered system).
  4.1    Description of policies and procedures followed to conduct inventories of
         the software present on the covered systems of the covered agency and the
         licenses associated with such software.
  4.2    Description of what capabilities the covered agency utilizes to monitor and
         detect exfiltration and other threats, including:
           a. Data Loss Prevention (DLP) capabilities
           b. Forensics and visibility capabilities
           c. Digital Rights Management (DRM) capabilities.
  4.3    Description of how the covered agency is using the data exfiltration
         capabilities in clause 4.2.
  4.4    If the covered agency is not utilizing data exfiltration (i.e., prevention)
         capabilities described in clause 4.2, a description of the reasons for not
         utilizing such capabilities.
  5.0    Description of the policies and procedures of the covered agency with
         respect to ensuring that entities, including contractors, that provide services
         to the covered agency are implementing the information security
         management practices described in parts 4.1-4.4 above.




              Table 2: NIST SP 800-53, Rev. 4, Appendix J: Privacy Controls

  AR-1, Governance and Privacy Program
      The organization:
      a. Appoints a Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer
         (CPO) accountable for developing, implementing, and maintaining an
         organization-wide governance and privacy program to ensure compliance with
         all applicable laws and regulations regarding the collection, use,
         maintenance, sharing, and disposal of PII by programs and information
         systems.
      b. Monitors Federal privacy laws and policy for changes that affect the
         privacy program.
      c. Allocates [Assignment: organization-defined allocation of budget and
         staffing] sufficient resources to implement and operate the
         organization-wide privacy program.
      d. Develops a strategic organizational privacy plan for implementing
         applicable privacy controls, policies, and procedures.
      e. Develops, disseminates, and implements operational privacy policies and
         procedures that govern the appropriate privacy and security controls for
         programs, information systems, or technologies involving PII.
      f. Updates privacy plan, policies, and procedures [Assignment:
         organization-defined frequency, at least biennially].

  AR-2, Privacy Impact and Risk Assessment
      The organization:
      a. Documents and implements a privacy risk management process that assesses
         privacy risk to individuals resulting from the collection, sharing,
         storing, transmitting, use, and disposal of PII.
      b. Conducts Privacy Impact Assessments (PIA) for information systems,
         programs, or other activities that pose a privacy risk in accordance with
         applicable law, OMB policy, or any existing organizational policies and
         procedures.

  AR-3, Privacy Requirements for Contractors and Service Providers
      The organization:
      a. Establishes privacy roles, responsibilities, and access requirements for
         contractors and service providers.
      b. Includes privacy requirements in contracts and other acquisition-related
         documents.

  AR-4, Privacy Monitoring and Auditing
      The organization:
      a. Implements a method to audit privacy controls on a regular basis.
      b. Implements a process to embed privacy considerations into the life cycle of
         PII, programs, and systems.
      c. Monitors systems that maintain PII.
      d. Ensures access to PII is limited to privileged users.

  AR-5, Privacy Awareness and Training
      The organization:
      a. Develops, implements, and updates a comprehensive training and awareness
         strategy aimed at ensuring that personnel understand privacy
         responsibilities and procedures.
      b. Administers basic privacy training [Assignment: organization-defined
         frequency, at least annually] and targeted, role-based privacy training for
         personnel having responsibility for PII or for activities that involve PII
         [Assignment: organization-defined frequency, at least annually].
      c. Ensures that personnel certify, manually or electronically, acceptance of
         responsibilities for privacy requirements [Assignment: organization-defined
         frequency, at least annually].

  SE-1, Inventory of Personally Identifiable Information
      The organization:
      a. Establishes, maintains, and updates [Assignment: organization-defined
         frequency] an inventory that contains a listing of all programs and
         information systems identified as collecting, using, maintaining, or
         sharing PII.
      b. Provides each update of the PII inventory to the Chief Information Officer
         (CIO) or information security official [Assignment: organization-defined
         frequency] to support the establishment of information security
         requirements for all new or modified information systems containing PII.

  SE-2, Privacy Incident Response
      The organization:
      a. Develops and implements a Privacy Incident Response Plan.
      b. Provides an organized and effective response to privacy incidents in
         accordance with the organizational Privacy Incident Response Plan.

  TR-2, System of Records Notices and Privacy Act Statements
      The organization:
      a. Publishes System of Records Notices (SORN) in the Federal Register, subject
         to required oversight processes, for systems containing PII.
      b. Keeps SORNs current.
      c. Includes Privacy Act Statements on its forms that collect PII, or on
         separate forms that can be retained by individuals, to provide additional
         formal notice to individuals from whom the information is being collected.

Kearney’s overarching rationale and approach to the system selection process was to select
systems for testing that would address requirements identified in the CSA. Based on our review
of prior-year Federal Information System Modernization Act of 2014 (FISMA)3 audit
documentation and analysis of FHFA’s system inventory documentation, we selected a sample
of information systems using the following criteria:

         • Systems that contain sensitive PII data
         • Systems with moderate impact FIPS 199 categorization
         • An even distribution of internal and external PII systems
         • Sample size is a selection of 25% of the total number of PII systems.

Based on these criteria, Kearney selected six systems for testing, as listed in Table 3.

                        Table 3: FHFA Systems Selected for Assessment

  Correspondence Tracking System (CTS)
      Description: The purpose of the system is to capture and track correspondence
      that FHFA receives from external sources. The system captures information on
      the sender and the nature of the correspondence (e.g., name; property, home,
      and business address; e-mail address; telephone numbers; and other personal
      and contact information). The system helps ensure that FHFA responds to the
      inquiry in a timely and accurate manner.
      FIPS PUB 199 Categorization: Moderate
      Owner: FHFA

  FOIAXpress
      Description: The purpose of the system is to assist FHFA in receiving,
      processing, and tracking Freedom of Information Act (FOIA) and Privacy Act
      requests from the public.
      FIPS PUB 199 Categorization: Moderate
      Owner: FHFA

  Merit Central/Job Performance Plan (JPP)
      Description: The system is an automated tool that facilitates the annual
      FHFA-wide merit increase and Performance-Based Bonus (PBB) decision-making and
      processing, as well as to conduct salary planning determinations. The system
      is an internal system developed in close conjunction between the Office of
      Human Resources Management (OHRM) and the Office of Technology and
      Information Management (OTIM).
      FIPS PUB 199 Categorization: Moderate
      Owner: FHFA

  Employee Express (EEX)
      Description: The purpose of the automated system is to enable employees to
      manage their own discretionary payroll and personnel transactions.
      FIPS PUB 199 Categorization: Moderate
      Owner: External

  Federal Human Resources (FHR) Navigator
      Description: The purpose of the system is to automate Federal human resources
      functions within a single platform. It is a suite of web-based software tools
      that is supported by a centralized database to facilitate the strategic
      management of human capital within the Federal workplace.
      FIPS PUB 199 Categorization: Moderate
      Owner: External

  MicroPact iComplaints
      Description: The system is used to track, manage, and report on Equal
      Employment Opportunity (EEO) complaints. Information collected is kept
      confidential for use during the alternate dispute resolution process.
      Additionally, data is used to create statistical reports.
      FIPS PUB 199 Categorization: Moderate
      Owner: External

3
    Kearney performed the prior year (2015) FISMA audit of FHFA under contract with FHFA OIG.

Kearney performed fieldwork for the FHFA CSA audit from May to July of 2016. Throughout
the CSA audit, we met with FHFA management to discuss preliminary observations. Kearney’s
work in support of the audit was guided by applicable FHFA policies and Federal criteria,
including the following:

   1.  Privacy Act of 1974, 5 United States Code (U.S.C.) § 552
   2.  FISMA
   3.  E-Government Act of 2002 (Public Law [P.L.] 107-347)
   4.  Section 406, CSA
   5.  Federal Acquisition Regulation (FAR), 48 C.F.R. Part 24
   6.  OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining
       Records About Individuals
   7.  OMB Memorandum M-03-22, Guidance for Implementing the Privacy Provisions of the
       E-Government Act of 2002
   8.  OMB Memorandum M-05-08, Designation of Senior Agency Officials for Privacy
   9.  OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of
       Personally Identifiable Information
   10. OMB Memorandum M-06-16, Protection of Sensitive Agency Information
   11. OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and
       Applications
   12. OMB Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and Activities of
       the Executive Office of the President and the Department of Homeland Security
   13. NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to
       Federal Information Systems; A Security Life Cycle Approach
   14. NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems
       and Organizations
   15. NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems
       and Organizations, Appendix J: Privacy Control Catalog
   16. NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable
       Information (PII)
   17. Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for
       Security Categorization of Federal Information and Information Systems
   18. FIPS PUB 200, Minimum Security Requirements for Federal Information and
       Information Systems
   19. FHFA, General Support Systems (GSS) Information Security Architecture
   20. FHFA, Security Awareness and Training Procedures
   21. FHFA, Information Security Incident Response Plan
   22. FHFA, Procedures for Monitoring of Information Technology Systems that Contain
       Personally Identifiable Information
   23. FHFA, Security Assessment and Authorization Procedure
   24. FHFA, Identification and Authentication Standard
   25. FHFA, Access Control Standard
   26. FHFA, Privacy Program Plan




APPENDIX B: ASSESSMENT MATRIX
The purpose of the matrix below is to identify the Cybersecurity Act of 2015 (CSA)
questions and National Institute of Standards and Technology (NIST) Special Publication
(SP) 800-53, Revision (Rev.) 4, Appendix J security control(s) and detail if the testing
performed touched on general controls or applications selected for assessment.

                                                     General      Application Controls
                                                     Control   ---------------------------------
  CSA/NIST Questions                                  GSS      Internal Systems   External Systems
                                                               (CTS, FOIAXpress,  (EEX, FHR
                                                               Merit Central/JPP) Navigator,
                                                                                  iComplaints)
  1.  CSA, Section 406: Logical Access Policy          X            X                  X
      and Practices
  2.  CSA, Section 406: Logical Access Multi-Factor    X            X                  X
      Authentication
  3.  CSA, Section 406: Software and License           X            X             Not Applicable
      Inventories                                                                      (N/A)
  4.  CSA, Section 406: Data Exfiltration              X           N/A                N/A
  5.  CSA, Section 406: 3rd Party Information          X           N/A                 X
      Security Oversight
  6.  Governance and Privacy Program                   X           N/A                N/A
  7.  Privacy Impact and Risk Assessment               X            X                  X
  8.  Contractor Privacy Requirements                  X           N/A                 X
  9.  Monitoring/Auditing                              X            X                 N/A
  10. Training                                         X           N/A                N/A
  11. System Inventory                                 X            X                  X
  12. Incident Response                                X            X                  X
  13. SORNs/Privacy Act Statements                     X            X                  X




APPENDIX C: FHFA’s MANAGEMENT RESPONSE




ADDITIONAL INFORMATION AND COPIES


For additional copies of this report:

      Call: 202-730-0880

      Fax: 202-318-0239

      Visit: www.fhfaoig.gov



To report potential fraud, waste, abuse, mismanagement, or any other kind of criminal or
noncriminal misconduct relative to FHFA’s programs or operations:

      Call: 1-800-793-7724

      Fax: 202-318-0358

      Visit: www.fhfaoig.gov/ReportFraud

      Write:

                FHFA Office of Inspector General
                Attn: Office of Investigations – Hotline
                400 Seventh Street SW
                Washington, DC 20219



