Fannie Mae Information Security and Business Resiliency Supplement

fnma-infosec-resiliency-supplement

Fannie Mae Information Security and Business Resiliency Supplement (published Sept 2, 2025) — the cybersecurity, incident-management, and business-resiliency requirements LL-2026-04 requires sellers/servicers to comply with.

Update kit for this regulation → Get this register: .xlsx .csv More bundles →
Update kit

Need to act on this regulation? FNMA AI Lender Letter (LL-2026-04) — Survivors Compliance Guide →

Verbatim regulatory text (5)

Verbatim provisions from Fannie Mae Information Security and Business Resiliency Supplement — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.

3. Information Security Program

align its Information Security Program with, or exceed, a current industry standard such as the National Institute of Standards in Technology (NIST) Framework or the International Organization for Standardization (ISO) 27001 Standard; • designate and keep a senior executive responsible for the development, implementation, and maintenance of its Information Security Program; © 2025 Fannie Mae Page 8 of 27

Source: Fannie Mae Information Security and Business Resiliency Supplement · source URL · snapshot fnma-isbrs-2026-06-16-pdf

Incident Management and Reporting

Without undue delay and no later than 36 hours after identification of the Cybersecurity Incident, or the reasonable conclusion a Cybersecurity Incident may have occurred, and promptly thereafter as requested, provide Fannie Mae via e-mail at [email protected] (or by such other means as Fannie Mae may otherwise request) all known details of the Cybersecurity Incident, including:

Source: Fannie Mae Information Security and Business Resiliency Supplement · source URL · snapshot fnma-isbrs-2026-06-16-pdf

Business Continuity

Business Continuity Plan must: • address Business Continuity Procedures and Disaster Recovery Procedures and provide a level of preparation, coordination, facilitation, resiliency, and testing that addresses disruptions that could impact normal operations and processing and

Source: Fannie Mae Information Security and Business Resiliency Supplement · source URL · snapshot fnma-isbrs-2026-06-16-pdf

Supply Chain Risk Management

The Company must develop, document, and implement a formal vendor risk management program to ensure the controls of new and existing vendors

Source: Fannie Mae Information Security and Business Resiliency Supplement · source URL · snapshot fnma-isbrs-2026-06-16-pdf

Supply Chain Risk Management

Perform related business continuity due diligence on its third parties to ensure they meet contracted service requirements and maintain a business continuity program that aligns with industry best practices

Source: Fannie Mae Information Security and Business Resiliency Supplement · source URL · snapshot fnma-isbrs-2026-06-16-pdf