| FHFA Must Resolve the Conflicts in its Guidance for Examinations of the Enterprises to Meet its Commitment to Develop and Maintain a World Class Supervision Program |
OIG-2021-003 |
2021-09-01 |
| FHFA Letters of Instruction to the Enterprises |
WPR-2018-004 |
2018-07-23 |
| FHFA Lacked Documentation of its Validation of Data Used to Produce the Third Quarter 2020 Seasonally Adjusted, Expanded-Data FHFA HPI and Failed to Timely Review its Information Quality Guidelines |
AUD-2021-010 |
2021-07-22 |
| FHFA Is Addressing Inadequate Cybersecurity Incident Reports by the Enterprises |
COM-2022-009 |
2022-09-22 |
| FHFA Incorporated the FAR’s Whistleblower Protection Language for Contractor Employees in Selected Open Market Solicitations and Awards |
COM-2024-003 |
2024-02-08 |
| FHFA Has Not Consistently Collected and Destroyed Identification Cards from Separating Personnel, but Has Otherwise Substantially Adhered to its Offboarding Procedures |
COM-2022-008 |
2022-09-08 |
| FHFA Has Laid the Groundwork to Integrate Consideration of Climate-Related Financial Risk into its Policies and Programs but Plans and Methodologies to Accomplish This Work Are in the Early Stages of Development |
AUD-2022-008 |
2022-06-23 |
| FHFA Has Initiatives to Advance Equity and Support for Underserved Communities, but Tracking and Documentation Need Improvement |
AUD-2023-005 |
2023-07-26 |
| FHFA Has Acted to Strengthen Its Oversight of Federal Home Loan Bank Members’ Compliance with Community Support Requirements |
COM-2024-001 |
2024-01-10 |
| FHFA Generally Complied with its Updated Guidance for Procurement Peer Reviews |
COM-2022-001 |
2022-01-14 |
| FHFA Followed OMB Guidance in Implementing its Enterprise Risk Management Program But its 2020 Risk Profile Failed to Identify a Significant Action Underway to Address Acknowledged Supervision Risk |
AUD-2021-004 |
2021-03-17 |
| FHFA Followed Its Guidance When Making Conservatorship Decisions But Needs to Improve Retention of Decision Documentation and Update the Conservatorship Decision Policy and Procedures |
AUD-2023-003 |
2023-03-29 |
| FHFA Failed to Follow its Cloud-Based Computing Requirements when it Did Not Validate the Implementation of Minimum Security Requirements for Cloud-Based Tools and Did Not Include Required IT Security Provisions in Some of its Cloud Service Contracts |
AUD-2020-013 |
2020-09-17 |
| FHFA Failed to Ensure Freddie Mac’s Remedial Plans for a Cybersecurity MRA Addressed All Deficiencies; as Allowed by its Standard, FHFA Closed the MRA after Independently Determining the Enterprise Completed its Planned Remedial Actions |
AUD-2018-008 |
2018-03-28 |
| FHFA Failed to Consistently Deliver Timely Reports of Examination to the Enterprise Boards and Obtain Written Responses from the Boards Regarding Remediation of Supervisory Concerns Identified in those Reports |
EVL-2016-009 |
2016-07-14 |
| FHFA Failed to Complete Non-MRA Supervisory Activities Related to Cybersecurity Risks at Fannie Mae Planned for the 2016 Examination Cycle |
AUD-2017-010 |
2017-09-27 |
| FHFA Faces a Formidable Challenge: Remediating the Chronic and Pervasive Deficiencies in its Supervision Program Prior to Ending the Conservatorships of Fannie Mae and Freddie Mac |
OIG-2020-002 |
2020-03-30 |
| FHFA Examiners’ Lack of Assessment and Escalation of Shortcomings Identified by an Enterprise in its Servicer Fraud Risk Management Framework Limited the Agency’s Supervisory Oversight |
EVL-2020-002 |
2020-08-27 |
| FHFA Examinations of CSS Include Review of the Board of Managers but Supervision Has a Key Person Dependency and Outdated Guidance |
EVL-2023-002 |
2023-03-20 |
| FHFA Ensured that Fannie Mae Submitted Required Property Valuation Data to the Agency's Mortgage Loan Integrated System |
COM-2022-005 |
2022-05-31 |
| FHFA Effectively Blocked Phishing Emails, But Requires Improvement in Managing Vulnerabilities on Its Public Websites |
AUD-2023-008 |
2023-09-27 |
| FHFA Did Not Record, Track, or Report All Security Incidents to US-CERT; 38% of Sampled FHFA Users Did Not Report a Suspicious Phone Call Made to Test User Awareness of its Rules of Behavior |
AUD-2021-009 |
2021-06-25 |
| FHFA Did Not Fully Implement Select Security Controls Over One of Its Cloud Systems as Required by NIST and FHFA Standards and Guidelines |
AUD-2023-002 |
2023-03-08 |
| FHFA Did Not Fully Comply with DHS Binding Operational Directives for Securing Its Public Websites and Publishing Its Vulnerability Disclosure Policy |
AUD-2022-010 |
2022-08-31 |
| FHFA Did Not Follow its Interim Directive on a Requirement to Use a FAR Clause Intended to Protect Whistleblower Rights of Contractor Employees, But Has Since Taken Corrective Action |
AUD-2021-015 |
2021-09-30 |
