Housing agency didn't complete cyber orders from DHS, report says
The agency said that some of its websites failed to comply with binding operational directives from the Department of Homeland Security.
The Federal Housing Finance Agency, a small, independent agency tasked with oversight of federal mortgage providers Fannie Mae and Fannie Mac, fell short on enacting binding operational directives from the Department of Homeland Security covering cybersecurity issues, according to an audit by the agency's inspector general released Aug. 31.
The agency lacks a documented process or procedure to implement directives from DHS, which federal agencies are required to comply with – something the report says could cause the agency to respond in an "ad-hoc, reactive manner."
FHFA's chief information security officer told auditors that they assign these directives to appropriate analysts to process when the agency receives them.
The report notes the potential impact of the lack of a documented process, saying that "in the absence of the CISO… staff may not have defined responsibilities for handling the BODs, and the required actions may not be completed timely in response to DHS BODs."
Of the three directives the inspector general office looked into, the agency complied with one fully. But the watchdog found problems with the requirement to publish a vulnerability disclosure policy, as well as the agency's implementation of 2017 web and email security standards called BOD-18-01. Although FHFA complied with email requirements, it didn't meet all web security requirements for publicly accessible websites, the report says.
"FHFA did not configure all of its publicly accessible websites and web services with a secured connection," the report says. This was "because these websites and web services were managed by a third-party vendor and were not under FHFA's control."
That oversight on at least five of 43 websites could put user information at risk to interception, tracking and more, and puts FHFA systems at risk for so-called man-in-the-middle attacks, the report says.
FHFA said in comments included in the report that it's working on fixing weaknesses found in the report.