Cipher Retirement

Effective November 19, 2021

Fannie Mae is committed to providing strong information security and aligning with industry guidelines. As part of our ongoing information security assessments, we have decided to disable a specific set of encryption methods (ciphers) in all non-production testing environments on Oct. 15 and all production environments on November 19.

Here’s what you need to know:

Who is impacted
Any third-party organization that connects to Fannie Mae URLs and/or applications using Transport Layer Security (TLS)-based connections either directly via the internet or through integration partners.

What will happen and when
The affected ciphers will be disabled in the non-production testing environments for testing purposes on Oct. 15 and in the production environment on Nov. 19.

The stronger ciphers that Fannie Mae currently uses, and that should be used when connecting to Fannie Mae URLs and/or applications on or after Nov. 19, are:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Action you need to take
Please work with your internal technology/network teams and any third-party system providers or integration partners to ensure the stronger ciphers are implemented within your browser and/or client software prior to the above non-production testing and production implementation dates. 

  • If accessing Desktop Originator® (DO®) / Desktop Underwriter (DU®) on the web and/or other web-based applications, you will need to update your browser.
  • If accessing XIS or other XML-based systems, you will need to update the specific client software that is in use. This may include updating the TLS libraries, modifications to custom code or, in the case of lenders, an update from a loan origination system (LOS) provider.
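For teams maintaining custom client code, the following is an added example (not provided by Fannie Mae) of one way to confirm in Python that the local TLS library can offer the two suites listed above and to see which one an endpoint selects. It assumes an OpenSSL-backed `ssl` module; the OpenSSL-style suite names and the `host` argument, which you supply yourself, are not from this notice.

```python
import socket
import ssl

# IANA names from the notice mapped to the OpenSSL names Python's ssl module uses.
REQUIRED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}

def local_support():
    """Report, per IANA name, whether the local TLS library can offer the suite."""
    result = {}
    for iana, openssl_name in REQUIRED_SUITES.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(openssl_name)  # raises SSLError if nothing matches
            enabled = {c["name"] for c in ctx.get_ciphers()}
            result[iana] = openssl_name in enabled
        except ssl.SSLError:
            result[iana] = False
    return result

def restricted_context():
    """Verified client context that offers only the two suites, over TLS 1.2."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # both suites are TLS 1.2 suites
    ctx.set_ciphers(":".join(REQUIRED_SUITES.values()))
    return ctx

def negotiated_suite(host, port=443, timeout=10):
    """Handshake with host offering only the two suites; return the suite chosen.

    An ssl.SSLError here means the endpoint accepted neither suite.
    """
    ctx = restricted_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name = tls.cipher()[0]
    openssl_to_iana = {v: k for k, v in REQUIRED_SUITES.items()}
    return openssl_to_iana.get(name, name)

if __name__ == "__main__":
    for suite, ok in local_support().items():
        print(("supported  " if ok else "MISSING    ") + suite)
```

Run `local_support()` on the machine that hosts the integration, since the result depends on the TLS library installed there rather than on the application code.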

Potential impacts
During the scheduled maintenance windows on Oct. 15 (non-production testing) and Nov. 19 (production), you may experience a delay or inability to connect to Fannie Mae URLs and/or applications. Additionally, if the stronger ciphers are not implemented within your browser and/or client software by Nov. 19, you will no longer be able to connect to Fannie Mae URLs and/or applications.

Questions?
Refer to our Helpful Tips or reach out to your Fannie Mae point of contact.
 

Attention Technology Service Providers
If you are a technology, service, integration, or other provider who supports lenders, mortgage brokers, or other organizations in doing business with Fannie Mae, please work with them to ensure the appropriate updates are made in both their and your systems to avoid operational issues.