Announcement SVC-2025-01 – Servicing Guide Update
Fannie Mae cybersecurity requirements implementation across information security, incident management, and business resiliency domains
Advisory Assessment
Impact. This guidance establishes comprehensive cybersecurity requirements across your information security program, incident management protocols, and business continuity procedures, with mandatory 36-hour incident reporting to Fannie Mae starting August 2025. The requirements align with industry-standard cybersecurity frameworks but formalize previously discretionary practices into GSE compliance obligations.
Risk. Examination focus will concentrate on incident response capabilities and reporting timeliness, particularly the 36-hour notification requirement which creates a hard compliance deadline. Technology and operations teams face the highest exposure if current cybersecurity programs lack formal documentation or if incident escalation procedures cannot meet the rapid reporting timeline.
Recommended Action. Conduct a gap analysis between your existing information security program and the Fannie Mae Information Security and Business Resiliency Supplement requirements this quarter. Have your technology team map current incident detection and escalation workflows against the 36-hour reporting obligation to identify process bottlenecks or notification gaps.
Watch. Monitor for Fannie Mae's release of detailed implementation guidance or technical specifications for the Information Security Supplement, which may clarify documentation standards and reporting formats ahead of the August 2025 effective date.
Classification
- Regulatory Program
- GSE Servicing Requirements
- Doc Type
- Guidance
- Effective Date
- 2025-08-12
- Days to Action
- -338
- Comment Deadline
- —
- Published
- 2025-02-12
Urgency Basis
Effective date of August 12, 2025 is beyond 180 days from today's date of May 19, 2026 (document appears to be from past)
Operational Context
Impact by Category
Key Requirements
Scoring Rationale
This is a moderate-impact guidance requiring cross-functional coordination between compliance, IT security, and operations teams. While the cybersecurity requirements are comprehensive, they represent industry-standard practices rather than novel obligations. The 36-hour incident reporting creates a new compliance obligation but is operationally manageable. Shared equity clarifications are minimal administrative updates.