Audit Report Finds Lapses in FHFA Implementation of DHS Cybersecurity Directives
The Federal Housing Finance Agency had lapses in enacting binding operational directives from the Department of Homeland Security that cover cybersecurity issues.
According to an audit released by FHFA’s inspector general on Aug. 31, the agency does not have a documented process to implement DHS directives. Specifically, FHFA failed to publish a vulnerability disclosure policy and did not configure its public-facing websites and web services with a secure connection as part of the BOD-18-01 standard.
According to the oversight body, the failure to secure websites is out of FHFA’s control because the sites are managed by a third-party vendor. However, the IG pointed out that oversight on at least five of 43 websites could make user information prone to misuse, tracking and other risks, FCW reported Thursday.
The lapses also put the agency at risk of man-in-the-middle attacks, threats where perpetrators wedge themselves between a user and an application or a website. MITM attacks allow actors to listen in on a conversation, steal data or impersonate one of the parties.
The IG recommended that FHFA identify and implement a solution for meeting BOD-18-01 requirements, update the vulnerability disclosure policy published on the agency’s public website to include an issuance date, and develop and maintain policies and procedures for implementing DHS BODs. FHFA agreed with all recommendations and has set different deadlines for addressing the issues.
Tags: binding operational directives BOD-18-01 cybersecurity Department of Homeland Security FCW Federal Housing Finance Agency Office of the Inspector General website security