A new report out this week by the Federal Housing Finance Agency’s (FHFA) Office of Inspector General (OIG) found that FHFA’s network has “serious vulnerabilities that increase the likelihood that hacking attempts will succeed.”

The OIG said it performed penetration testing from October 2023 to January 2024 and found it was able to gain “unfettered access” to FHFA’s IT infrastructure.

The FHFA is a smaller Federal agency with fewer than 1,000 employees. It regulates Fannie Mae, Freddie Mac, and the 11 Federal Home Loan Banks – government-sponsored enterprises that provide more than $8.4 trillion in funding to U.S. financial institutions and mortgage markets.

“We determined that FHFA’s security controls were not effective to protect its network and systems against internal threats,” the agency’s OIG wrote in its report published on Aug. 12. “Our penetration testing demonstrated that the Agency’s network has serious vulnerabilities that increase the likelihood that hacking attempts will succeed.”

The OIG said it was able to gain access to a privileged user account that allowed it to view, edit, and save files on the local drives of any user’s laptop or desktop – “including FHFA executives at the highest levels.”

The OIG also said it was able to elevate a standard user account to a domain administrator and “take full control of FHFA’s network.”

“We essentially had unfettered access to the Agency’s IT infrastructure,” the OIG wrote in its report.

The report notes eight areas where the FHFA’s Office of Technology and Information Management (OTIM) failed to properly implement basic security controls.

For example, the OIG found that OTIM did not remediate vulnerabilities in FHFA’s systems. According to the report, there were a total of 3,318 vulnerabilities. Of those, 64 percent were considered critical, and 59 percent of the critical vulnerabilities were over a year old.

The report also highlights that 261 of the vulnerabilities were identified as Cybersecurity and Infrastructure Security Agency (CISA) Known Exploitable Vulnerabilities. These vulnerabilities are required by CISA to be remediated within 14 days.
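The two metrics the OIG reports (share of critical findings that are over a year old, and KEV entries past the 14-day window the report cites) are the kind of numbers a defender should be able to pull from a scanner export on demand. The following Python script is an added example, not code from the OIG report or from FHFA; the finding records, host names, dates and placeholder CVE identifiers are constructed, and the 14-day and 365-day thresholds are taken from the article's text rather than from any CISA directive.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds as stated in the article: KEV entries must be fixed within 14 days,
# and the OIG flagged critical findings that were more than a year old.
KEV_REMEDIATION_DAYS = 14
STALE_DAYS = 365


@dataclass(frozen=True)
class Finding:
    """One open vulnerability as a scanner would export it (constructed schema)."""
    host: str
    cve: str          # placeholder identifiers below, not real CVE numbers
    severity: str     # "critical", "high", "medium", "low"
    first_seen: date  # date the scanner first reported it
    in_kev: bool      # True if the CVE is on the CISA KEV catalog


def age_days(finding: Finding, today: date) -> int:
    """Days the finding has been open as of `today`."""
    return (today - finding.first_seen).days


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def summarize(findings: list[Finding], today: date) -> dict:
    """Reproduce the OIG-style metrics and list KEV findings past their window.

    Returns total count, percent critical, percent of criticals older than a
    year, and overdue KEV findings as (host, cve, age_days) sorted oldest first
    so the triage order is explicit.
    """
    critical = [f for f in findings if f.severity == "critical"]
    stale_critical = [f for f in critical if age_days(f, today) > STALE_DAYS]
    kev = [f for f in findings if f.in_kev]
    overdue = [f for f in kev if age_days(f, today) > KEV_REMEDIATION_DAYS]
    overdue.sort(key=lambda f: age_days(f, today), reverse=True)
    return {
        "total": len(findings),
        "critical_pct": pct(len(critical), len(findings)),
        "stale_critical_pct": pct(len(stale_critical), len(critical)),
        "kev_total": len(kev),
        "kev_overdue": [(f.host, f.cve, age_days(f, today)) for f in overdue],
    }


# Constructed sample export; "CVE-XXXX-000N" are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("ws-01", "CVE-XXXX-0001", "critical", date(2022, 11, 15), in_kev=True),
    Finding("ws-02", "CVE-XXXX-0002", "critical", date(2024, 1, 20), in_kev=True),
    Finding("srv-01", "CVE-XXXX-0003", "high", date(2023, 12, 1), in_kev=True),
    Finding("srv-01", "CVE-XXXX-0004", "critical", date(2023, 6, 1), in_kev=False),
    Finding("ws-03", "CVE-XXXX-0005", "low", date(2023, 1, 10), in_kev=False),
    Finding("srv-02", "CVE-XXXX-0006", "critical", date(2021, 9, 1), in_kev=False),
]
# Fixed reference date (end of the OIG test window) so the output is repeatable.
AS_OF = date(2024, 1, 31)


def sample_summary() -> dict:
    """Run the metrics over the constructed sample."""
    return summarize(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    s = sample_summary()
    print(f"{s['total']} open findings, {s['critical_pct']}% critical, "
          f"{s['stale_critical_pct']}% of criticals older than a year")
    print(f"{len(s['kev_overdue'])} of {s['kev_total']} KEV findings past "
          f"{KEV_REMEDIATION_DAYS} days:")
    for host, cve, age in s["kev_overdue"]:
        print(f"  {host:8} {cve}  open {age} days")
```

Run on a real export, the "stale critical" percentage and the overdue KEV list are the two numbers worth tracking week over week: the first shows whether the backlog the OIG described is shrinking, and the second is the one with an externally imposed deadline.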

According to the report, OTIM employees told the OIG that they struggle with resources and are “constantly doing patch management and it consumes much of their time.”

The report also highlighted that OTIM failed to implement secure methods to access FHFA’s cloud environment. The OIG said it was able to gain “full control” of the agency’s network because it failed to encrypt credentials and did not leverage multifactor authentication (MFA).

“OTIM officials explained that the cloud administrator used an unsecure access method because it streamlined operations,” the report notes. “Additionally, OTIM officials were not aware of multifactor authentication methods that could be used to securely authenticate to the cloud environment.”

Other failures the OIG uncovered include not implementing least privilege controls; not effectively managing user authentication; not effectively enforcing information flow control; and not updating FHFA’s Common Control Plan.

The OIG also noted two repeat findings: a failure to detect and prevent standard users from downloading and installing unapproved software; and a lack of physical security controls within FHFA’s headquarters building, which allowed access to offices and employee information.

The OIG made 22 recommendations in its report to FHFA’s Chief Information Officer (CIO) Luis Campudoni, who agreed to all 22.

In a response to the OIG report dated July 19, Campudoni said that the agency will ensure every user uses MFA by Dec. 31. The CIO also noted that FHFA will request and secure additional resources to attain compliance with CISA’s Known Exploitable Vulnerabilities requirements by June 30, 2025, among several other actions.

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.