The Government Accountability Office (GAO) has issued a report that criticizes the Federal Housing Finance Agency (FHFA) for numerous problems in its information security program and for not establishing proper controls to assess the risk of errors by its payroll service provider.
‘These issues increase the risk to FHFA that 1) misstatements in its financial statements may not be promptly detected and corrected, 2) errors in the calculation of its payroll amounts may not be identified, 3) contractors or other users with privileged access could gain unauthorized access to or improperly use agency financial systems, applications, and information, and 4) unauthorized system changes could be implemented without FHFA's knowledge,’ says the GAO in its report.
The GAO specifically cites the FHFA for ‘vulnerabilities’ relating to the agency's ability to identify and authenticate users of its computer system.
‘FHFA did not ensure that appropriate password management controls were implemented on key systems we reviewed at both FHFA and an FHFA service provider,’ the GAO reports. ‘In addition, FHFA did not enforce disabling of inactive user accounts on one of its systems. As a result, an increased risk exists that FHFA accounts could be compromised and used by unauthorized individuals to access sensitive information.’
The GAO also complains that the FHFA's authorization controls were so weak that the agency's data ‘could be inappropriately modified, either inadvertently or deliberately.’ The GAO further identifies the FHFA's failure to configure its information systems properly so as to mitigate the risks created by software vulnerabilities.
‘Servers for systems used by FHFA had not been consistently patched in a timely manner,’ says the GAO. ‘In addition, FHFA devices were not always securely configured. Specifically, FHFA did not properly configure a test server, and network vulnerabilities existed on multiple network devices. Failing to apply critical patches and the appropriate configuration settings for systems and network devices increases the risk of exposing systems to vulnerabilities that could be exploited.’
The GAO also observes that the FHFA did not heed a previous concern regarding the regulator's inadequate boundary protection of its information resources.
‘The underlying cause of the vulnerabilities we identified in fiscal year 2011 is that FHFA has not fully implemented our previous recommendations related to FHFA's information security program,’ the GAO continues. ‘For example, we have previously reported that FHFA did not always effectively monitor its systems. This lack of monitoring contributes, in part, to the new control issues we identified in our 2011 review. These new and continuing control issues increase the risk that (1) contractors or other users with privileged access could gain unauthorized access to or improperly use agency financial systems, applications and information, and (2) unauthorized system changes could be implemented. Until FHFA mitigates its control deficiencies by fully implementing an effective information security program, increased risk exists that its financial and support systems and the information they contain will be subject to unauthorized access, use, disclosure, disruption, modification or destruction.’
Separately, the GAO warns that the FHFA's payroll expense transactions lack controls to ‘ensure the integrity of payroll information’ processed by the U.S. Department of Agriculture's National Finance Center (NFC), FHFA's service provider for its payroll processing.
‘Specifically, FHFA had not identified that NFC was not withholding Medicare taxes to be paid for FHFA employees' salaries during a portion of fiscal year 2011,’ the GAO says.