Searching for terms: EXACT: "United States. Federal Housing Finance Agency. Office of Inspector General" in: publisher
-
Compliance Review of DBR's Assessment and Documentation of Critical Cybersecurity Controls in Examinations of the FHLBank System
From the Executive Summary: "The Federal Housing Finance Agency (FHFA or Agency) is charged by the Housing and Economic Recovery Act of 2008 (HERA) with oversight of the Federal National Mortgage Association, the Federal Home Loan Mortgage Corporation, and the Federal Home Loan Bank (FHLBank) System (collectively, the regulated entities). The FHLBank System consists of 11 FHLBanks and the Office of Finance. Its mission is to provide reliable liquidity to member institutions to support housing finance and community investment. FHFA has identified that one priority for its supervisory activities is assessing the regulated entities' cybersecurity programs. [...] Our February 2016 audit found that FHFA's Division of Federal Home Loan Bank Regulation (DBR) examinations generally did not assess the design of the FHLBanks' vulnerability scans and penetration tests when evaluating those controls' operational effectiveness. We made two recommendations to address this shortcoming, both of which FHFA accepted [...]. In March 2021, we initiated this compliance review to determine whether DBR documented assessments of the design of vulnerability scans and penetration tests when it examined the operational effectiveness of those controls during its examinations of FHLBanks and the Office of Finance between April 1, 2019, and December 31, 2020 (review period). We found that, in every instance, DBR examiners documented such assessments. Based upon these findings, we are closing the re-opened recommendation that examiners document assessments of the design of vulnerability scans and penetration tests when examining the operational effectiveness of these controls."
United States. Federal Housing Finance Agency. Office of Inspector General
Berry, Karen E.; Wilson, Patrice
2021-06-15
-
FHFA's 2019 Disaster Recovery Exercise of Its General Support System Was Conducted as Planned, but Its Disaster Recovery Procedures Were Missing Certain Required Elements and Included Outdated Information
From the Executive Summary: "The Federal Housing Finance Agency (FHFA or Agency), established by the Housing and Economic Recovery Act of 2008, is responsible for the supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, and the Federal Home Loan Bank System. Pursuant to the Federal Information Security Modernization Act of 2014 (FISMA) and National Institute of Standards and Technology (NIST) guidance, agencies must establish, maintain, and implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. Agencies must also periodically test and evaluate their information security policies, procedures, and practices."
United States. Federal Housing Finance Agency. Office of Inspector General
2020-03-23
-
FHFA Failed to Ensure Freddie Mac's Remedial Plans for a Cybersecurity MRA Addressed All Deficiencies; as Allowed by Its Standard, FHFA Closed the MRA After Independently Determining the Enterprise Completed Its Planned Remedial Actions (Redacted)
From the Executive Summary: "The Federal Housing Finance Agency (FHFA) is charged with ensuring that the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (together, the Enterprises) operate in a safe and sound manner. Within FHFA, the Division of Enterprise Regulation (DER) is responsible for the supervision of the Enterprises. […] This audit is a follow-on to our audit report 'FHFA Did Not Complete All Planned Supervisory Activities Related to Cybersecurity Risks at Freddie Mac for the 2016 Examination Cycle' (AUD-2017-011) (September 27, 2017). In that audit, we found that for the 2016 examination cycle, DER completed four of the six cybersecurity-related supervisory activities it planned, one of which was an ongoing monitoring activity on Freddie Mac's efforts to remediate the above cybersecurity-related MRA [Matter Requiring Attention]. We are building upon our previous audit work to determine, for this MRA closed in 2016, whether FHFA examiners followed existing requirements in issuing 'non-objection' letters to Freddie Mac's remedial plans and in independently verifying Freddie Mac's implementation of its remediation plans."
United States. Federal Housing Finance Agency. Office of Inspector General
2018-03-28
-
FHFA Failed to Complete Non-MRA Supervisory Activities Related to Cybersecurity Risks at Fannie Mae Planned for the 2016 Examination Cycle (Redacted)
From the Executive Summary: "The Federal Housing Finance Agency (FHFA) is charged with ensuring that the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (together, the Enterprises) operate in a safe and sound manner. Within FHFA, the Division of Enterprise Regulation (DER) is responsible for the supervision of the Enterprises. [...] We performed this audit to address two objectives. First, we sought to determine whether the supervisory activities planned by DER relating to Fannie Mae's cybersecurity risks for the 2016 examination cycle addressed the cybersecurity risks highlighted in its risk assessment and supervisory strategy, applying the standard adopted by FHFA. [...] Second, we sought to determine whether such planned supervisory activities for the 2016 examination cycle were completed during that cycle in light of FHFA's representations in its 2015 PAR [Performance and Accountability Report] that 'a key objective of FHFA's supervisory work' during 2016 would be oversight of how Fannie Mae managed its cyber risk and addressed vulnerabilities."
United States. Federal Housing Finance Agency. Office of Inspector General
2017-09-27
-
FHFA's Offboarding Controls Over Access Cards, Sensitive IT Assets, and Records Were Not Always Documented or Followed During 2016 and 2017
From the Executive Summary: "The Federal Housing Finance Agency (FHFA or Agency) was established by the Housing and Economic Recovery Act of 2008 and is responsible for the supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, and the Federal Home Loan Bank System. Since September 2008, it has also served as the conservator for Fannie Mae and Freddie Mac. FHFA is an independent agency with a workforce, as of December 31, 2017, of 603 that included examiners; economists; financial and policy analysts; attorneys; subject matter experts in banking, insurance, technology, accounting, and legal matters; and support personnel. When employees separate from FHFA, they are required to go through an 'offboarding' process, which has several elements. FHFA developed offboarding processes to collect from separating employees and departing contractor employees: (a) access cards issued by FHFA and by the Enterprises; (b) sensitive information technology (IT) assets; and (c) Agency records. [...] This report sets forth findings from our assessment of the adequacy of FHFA's controls over its offboarding processes for facility access cards, sensitive IT assets, and Agency records for two calendar years, 2016 and 2017 (review period)."
United States. Federal Housing Finance Agency. Office of Inspector General
2019-03-13
-
Performance Audit of the Federal Housing Finance Agency Office of Inspector General's Information Security Program Fiscal Year 2017
From the Audit Objective: "The objectives of this performance audit were to evaluate the effectiveness of FHFA OIG's [Federal Housing Finance Agency. Office of Inspector General] information security program and practices and respond to the Department of Homeland Security's 'FY 2017 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics', dated April 17, 2017. Because information in this report could be used to circumvent FHFA OIG's internal controls, it has not been released publicly."
United States. Federal Housing Finance Agency. Office of Inspector General
2017-10-17
-
FHFA Did Not Complete All Planned Supervisory Activities Related to Cybersecurity Risks at Freddie Mac for the 2016 Examination Cycle (Redacted)
From the Executive Summary: "The Federal Housing Finance Agency (FHFA) is charged with ensuring that the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (together, the Enterprises) operate in a safe and sound manner. Within FHFA, the Division of Enterprise Regulation (DER) is responsible for the supervision of the Enterprises. [...] We performed this audit to address two objectives. First, we sought to determine whether the supervisory activities planned by DER relating to Freddie Mac's cybersecurity risks for the 2016 examination cycle addressed the cybersecurity risks highlighted in its risk assessment and supervisory strategy. [...] Second, we sought to determine whether the planned supervisory activities for the 2016 examination cycle were completed during that cycle in light of FHFA's representations in its 2015 PAR [Performance and Accountability Report] that 'a key objective of FHFA's supervisory work' during 2016 would be oversight of how Freddie Mac managed its cyber risk and addressed vulnerabilities."
United States. Federal Housing Finance Agency. Office of Inspector General
2017-09-27
-
Performance Audit of the Federal Housing Finance Agency's Information Security Program Fiscal Year 2018
From the Audit Objective: "The objectives of this performance audit were to evaluate the effectiveness of FHFA's [Federal Housing Finance Agency] Information Security Program and practices and respond to the Department of Homeland Security's 'FY 2018 Inspector General Federal Information Security Modernization Act of 2014' Reporting Metrics, dated May 24, 2018. Because information in this report could be used to circumvent FHFA's internal controls, it has not been released publicly."
United States. Federal Housing Finance Agency. Office of Inspector General
2018-10-24
-
External Penetration Test of FHFA's Network and Systems During 2018 (Redacted)
From the Executive Summary: "The Federal Housing Finance Agency (FHFA or Agency), established by the Housing and Economic Recovery Act of 2008, is responsible for the supervision, regulation, and housing mission oversight of Fannie Mae, Freddie Mac, and the Federal Home Loan Bank System. Within FHFA, the Office of Technology and Information Management (OTIM) manages FHFA's information technology (IT) resources, including internet connections and internet accessible computers. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies, including FHFA, to develop, document, and implement agency-wide programs to provide information security for the information and information systems that support the operations and assets of the agency, and to periodically test those assets. To support our ongoing oversight of FHFA's implementation of FISMA, we perform audits of networks and information security of the Agency. In this audit, we sought to determine whether FHFA's security controls were effective to protect its network and systems against external threats."
United States. Federal Housing Finance Agency. Office of Inspector General
2019-02-11
-
Kearney & Company, P.C.'s Results of the Federal Housing Finance Agency's Cybersecurity Act Audit
From the Document: "The objective of this audit was to report information to the United States Congress detailing FHFA's [Federal Housing Finance Agency] establishment and implementation of logical access, software management, and data exfiltration controls on covered systems. [...] Based on our audit work, we concluded that FHFA has established and implemented the required privacy controls according to NIST [National Institute of Standards and Technology] SP [special publication] 800-53 for 'moderate' impact systems as of June 30, 2016. In particular, strengths of the Privacy Program included the following: 1. Completed and published system of record notices (SORN) and privacy impact assessments for the six sampled information systems; 2. Evidence of oversight for third-party information systems containing PII [personally identifiable information]; 3. Inclusion of privacy-based requirements in contracts with service providers; 4. Privacy monitoring and auditing of privacy-related controls; 5. Privacy awareness and training."
United States. Federal Housing Finance Agency. Office of Inspector General
2016-08-11
-
FHFA Should Improve Its Examinations of the Effectiveness of the Federal Home Loan Banks' Cyber Risk Management Programs by Including an Assessment of the Design of Critical Internal Controls
From the Executive Summary: "Federal financial regulators, including the Federal Housing Finance Agency (FHFA), consider cyber security to be among the foremost risks facing the banking and financial services industries and have identified it as a supervisory priority for examinations. FHFA is one of ten voting members of the Financial Stability Oversight Council (FSOC) established by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which is charged with identifying risks to the financial stability of the U.S., promoting market discipline, and responding to emerging risks to the financial system. In its 2015 annual report, which was approved by its voting members, FSOC recognized that 'financial sector organizations and other U.S. businesses experienced numerous cyber incidents, including large-scale data breaches that compromised financial information. Malicious cyber activity is likely to continue, and financial sector organizations should be prepared to mitigate the threat posed by cyber attacks that have the potential to destroy critical data and systems and impair operations.'"
United States. Federal Housing Finance Agency. Office of Inspector General
Lewis, Tara R.
2016-02-29
-
As Allowed by Its Standard, FHFA Closed Three Fannie Mae Cybersecurity MRAs After Independently Determining the Enterprise Completed Its Planned Remedial Actions (Redacted)
From the Executive Summary: "The Federal Housing Finance Agency (FHFA) is charged with ensuring that the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan Mortgage Corporation (Freddie Mac) (together, the Enterprises) operate in a safe and sound manner. Within FHFA, the Division of Enterprise Regulation (DER) is responsible for the supervision of the Enterprises. This audit is a follow-on to our audit report 'FHFA Failed to Complete Non-MRA [Matters Requiring Attention] Supervisory Activities Related to Cybersecurity Risks at Fannie Mae Planned for the 2016 Examination Cycle' (AUD-2017-010) (September 27, 2017). [...] We determined from that audit that, other than the ongoing monitoring activities to close the MRAs, DER did not complete any of its supervisory activities (the targeted examination and three ongoing monitoring activities) relating to Fannie Mae's cybersecurity risks planned for the 2016 examination cycle. We are building upon our previous audit work to determine, for the three cybersecurity MRAs closed in 2016, whether FHFA examiners followed existing requirements in independently verifying Fannie Mae's implementation of its remediation plans."
United States. Federal Housing Finance Agency. Office of Inspector General
2018-03-28
-
Action Needed to Strengthen FHFA Oversight of Enterprise Information Security and Privacy Programs
From the Synopsis: "Recent reports and testimony from organizations such as the Financial Stability Oversight Council and the Federal Bureau of Investigation emphasize the growing threat of cyber attacks against government and private sector computers and networks. These attacks pose a significant risk to the safety and soundness of financial organizations, including Fannie Mae and Freddie Mac (the enterprises), which store personal protected information (PPI) for 28 million active borrowers as well as other sensitive financial information. If that PPI was compromised, the enterprises, FHFA [Federal Housing Finance Agency], and the Treasury Department could be exposed to significant financial risk. Trust in the enterprises would also suffer greatly, harming relations with borrowers and financial institutions. FHFA is responsible for overseeing enterprise information security to help mitigate the growing threat of cyber attacks, as well as enterprise privacy programs to help protect sensitive borrower information. The objective of this audit was to assess the effectiveness of FHFA's oversight of those programs."
United States. Federal Housing Finance Agency. Office of Inspector General
2013-08-30
-
Impact of Pandemic-Related Forbearance and Foreclosure Relief for Single-Family Mortgages on the Enterprises' Implementation of CECL
From the Executive Summary: "Congress passed the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which was signed into law on March 27, 2020, to address some of the economic effects of the COVID-19 [coronavirus disease 2019] pandemic. The CARES Act provides single-family homeowners with Enterprise mortgages who are experiencing financial hardship due to the COVID-19 pandemic the right to forbearance from making mortgage payments for up to 180 days (which can be extended for another 180 days). The CARES Act also prohibited servicers of those mortgages from initiating the foreclosure process, moving for a foreclosure judgment, or executing a foreclosure sale for at least 60 days beginning on March 18, 2020, unless the property was vacant or abandoned. The Federal Housing Finance Agency (FHFA or Agency) subsequently extended the foreclosure moratorium for Enterprise-backed single-family mortgages until at least December 31, 2020. [...] This white paper discusses the impact of forbearance and foreclosure relief for single-family mortgages on the Enterprises' implementation of CECL [Current Expected Credit Loss] during the first and second quarters of 2020."
United States. Federal Housing Finance Agency. Office of Inspector General
2020-09-03
-
Management Advisory: FHFA-OIG's Investigation of Allegations of Fraud Affecting Paycheck Protection Program Loans Obtained or Sought from Federal Home Loan Bank Member Institutions
From the Summary: "The Coronavirus Aid, Relief, and Economic Security (CARES) Act establishes the Paycheck Protection Program (PPP) which authorizes up to $659 billion for small businesses to pay up to 8 weeks of payroll costs, including benefits, and to pay interest on mortgages, rent, and utilities. The PPP is implemented by the Small Business Administration (SBA) with support from the Department of the Treasury. Since April 2020, at the invitation of the Fraud Section (Fraud Section) of the Criminal Division of the U.S. Department of Justice (DOJ), we have participated in coordinated multiagency investigations into allegations of PPP fraud perpetrated at financial institutions that are members of the Federal Home Loan Bank (FHLBank) system. The purpose of this memorandum is to provide FHFA [Federal Housing Finance Agency] with a status report on these investigations. To date, as a result of our efforts and those of our partner law enforcement agencies, eight individuals have been charged by indictment or complaint with stealing or attempting to steal $60.5 million in PPP funds."
United States. Federal Housing Finance Agency. Office of Inspector General
2020-09-08
-
Oversight of Multifamily Borrowers' Compliance with Cares Act and Freddie Mac Tenant Protections and Freddie Mac's Response to the Potential Financial Impact of COVID-19
From the Executive Summary: "In March 2020, the onset of the COVID-19 [coronavirus disease 2019] pandemic prompted Congress, FHFA [Federal Housing Finance Agency], and Freddie Mac to act to protect the interests of tenants in multifamily properties financed by federally backed multifamily mortgage loans. Congress enacted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act or the Act), which imposed a 120-day moratorium that prohibited all borrowers with federally backed multifamily loans (referred to in this report as 'borrowers,' 'lessors,' or 'landlords') from filing legal actions to recover possession of a covered dwelling unit from a tenant solely due to the nonpayment of rent or other fees or charges. The Act also prohibited multifamily borrowers whose loans were in forbearance from evicting tenants, or initiating eviction actions against tenants, during the forbearance period solely for the nonpayment of rent. Freddie Mac's forbearance program provides the same tenant protections and also requires borrowers in forbearance to notify eligible tenants in writing and inform them of the available protections. In June 2020, at FHFA's direction, Freddie Mac expanded its tenant protections requirement for borrowers entering into a forbearance to allow tenants to pay back missed rent payments over a 'reasonable time,' rather than in one lump-sum payment at the end of the forbearance period. [...] We undertook this special project, in part, to determine how Freddie Mac monitored multifamily servicers' and borrowers' compliance with the CARES Act's and Freddie Mac's forbearance program tenant protections."
United States. Federal Housing Finance Agency. Office of Inspector General
2022-03-24