Fannie Mae Information Security and Business Resiliency Supplement

We encourage you to adopt the following requirements now, but your organization must complete full implementation no later than the effective dates outlined below.


- Single-Family sellers and servicers and Multifamily lenders: August 12, 2025
- Technology service providers: December 31, 2025
- Document custodians: April 1, 2026

Fannie Mae recognizes that cyber risk is a business risk and protecting data is a shared responsibility.

Due to an evolving landscape, Fannie Mae has introduced new and updated cybersecurity requirements that our business partners must follow to ensure the safety and soundness of the enterprise. The new Fannie Mae Information Security and Business Resiliency Supplement (also referred to as the "Supplement") includes updates to:

  • information security controls;
  • cybersecurity incident notification requirements, including a requirement that business partners subject to the Supplement report cybersecurity incidents to Fannie Mae within 36 hours of identification; and
  • business continuity and resiliency requirements.

The Supplement has been updated to make additional parties with whom Fannie Mae does business subject to its requirements. Effective on the dates outlined above, Single-Family sellers and servicers, Multifamily lenders, technology service providers, and document custodians (each defined as a "Company" in the Supplement) are or will be subject to, and must comply with, the terms of the Supplement.

Need a refresher on some of the current requirements?

Supplement and Related Bulletins Archive

This section contains copies of all previously issued Information Security and Business Resiliency Supplement Bulletins, as well as all prior versions of the Supplement published to date. Each edition of the Supplement supersedes and replaces the prior version in its entirety, as of the effective date(s) provided in the corresponding Bulletin.

Supplement | Bulletin
Intentionally Left Blank

Frequently Asked Questions

A Cybersecurity Incident is defined (see Section 2: Relevant Terms) in the “Fannie Mae Information Security and Business Resiliency Supplement” as:

Any of the following related to Confidential Information:

  • loss of;
  • accidental or unauthorized acquisition, use, modification, disclosure, deletion, or destruction of;
  • accidental or unauthorized access to;
  • circumvention, disabling, or deactivation of security measures protecting; or
  • occurrence affecting the confidentiality, integrity, or availability of.

Examples include one or more of the following occurring at the Company or at the Company’s third party(ies):

  • ransomware, regardless of potential impact to Confidential Information;
  • a denial-of-service attack that may affect the delivery of services to Fannie Mae (for the avoidance of doubt, this includes a distributed denial-of-service attack);
  • business e-mail compromise (BEC), regardless of potential impact to Confidential Information; and
  • vulnerabilities that may affect the delivery of services or loans to or for Fannie Mae.

Without undue delay and no later than 36 hours after identification of the Cybersecurity Incident, or the reasonable conclusion that a Cybersecurity Incident may have occurred, and promptly thereafter as requested, the Company must provide notice to Fannie Mae via e-mail at [email protected] (see Section 4: Cybersecurity Incident Management).

Fannie Mae will determine whether access to systems needs to be restricted based on the details of the incident reported. If access is restricted, Fannie Mae teams will provide guidance and requirements for restoring access (see Section 4.1: Actions by Fannie Mae).

Yes. In addition to the Cybersecurity Incident reporting requirements, if Company:

  • inadvertently or by intentional action, loses;
  • has stolen from it; or
  • incorrectly routes outside of Company;

physical information, such as paper files or other media, which includes Fannie Mae Confidential Information, then without undue delay and no later than 36 hours after identification of the matter, or the reasonable conclusion that one may have occurred, and promptly thereafter as requested, Company must provide notice to Fannie Mae via e-mail at [email protected] (see Section 4.4: Lost/Stolen/Incorrectly Routed Physical Information).

In addition to the provisions in the Supplement, Company may have other notification obligations to Fannie Mae as outlined in their applicable agreements, Guides and other requirements with Fannie Mae.

Fannie Mae does not require that a specific standard or framework be implemented. The Supplement references the National Institute of Standards and Technology (NIST) Framework and/or the International Organization for Standardization (ISO) 27001 Standard as industry standards that can be leveraged (see Section 3: Information Security Program).

Yes. A Company subject to the Supplement that uses service providers (which are related third parties) to store, process, access, or transmit Fannie Mae Confidential Information must require those service providers to comply with information security and business continuity requirements substantially similar to those defined in the Supplement (see Section 3.14: Supply Chain Risk Management).