We audited the Federal Housing Administration's (FHA) management of its information technology resources and compliance with U.S. Department of Housing and Urban Development (HUD) and other federal information security requirements. Our overall objective was to determine whether FHA effectively managed security controls relating to its information technology resources. This audit supported our financial statement audits of FHA and HUD as well as our annual Federal Information Security Management Act review. We found that FHA did not (1) fully implement required security controls related to personnel security, user access, and audit log management for the Single Family Insurance System - Claims Subsystem; (2) define or implement adequate security controls over its business partners that develop, store, and process HUD data; and (3) have assurance that mandatory security controls had been implemented and follow the federal information security framework. We also found that the HUD Office of the Chief Information Officer did not follow its own policy on performing security impact assessments when significant changes were made to a system. We recommend that FHA and HUD incorporate the federal information security program framework into their management processes so that security assessments, continuous monitoring, personnel security, and appropriate access to systems and data are assured.