AB 2023-02: Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management
Enhanced information security management requirements and controls for FHFA-regulated entities
Advisory Assessment
Impact. This supplemental guidance requires FHFA-regulated entities to strengthen their information security frameworks through enhanced policies, controls, and vendor oversight procedures. Your institution must review existing security management policies, implement additional protective controls, and upgrade third-party risk assessments to meet the enhanced standards.
Risk. Examination focus centers on data governance gaps and third-party vendor security weaknesses, where FHFA will scrutinize your ability to protect sensitive financial data and manage vendor-introduced vulnerabilities. Information security teams often struggle with the integration requirements between existing controls and the new supplemental measures.
Recommended Action. Information Security should lead an immediate gap analysis against the supplemental requirements, working with Risk Management to identify policy updates and control enhancements needed within the next 120 days. Vendor Management must simultaneously review existing third-party security assessments to determine which relationships require upgraded due diligence.
Watch. Monitor for examination guidance or frequently asked questions from FHFA that clarify implementation expectations, particularly around vendor security assessment standards and incident response procedure enhancements.
Classification
- Regulatory Program
- FHFA Information Security
- Doc Type
- Guidance
- Effective Date
- 2026-11-13 (est.)
- Days to Action
- 120
- Comment Deadline
- —
- Published
- —
Urgency Basis
Supplemental guidance to existing advisory bulletin - implementation typically expected within 90-180 days
Operational Context
Impact by Category
Key Requirements
Scoring Rationale
Moderate impact focused on information security enhancements. Data governance receives highest score due to direct security implications. Operational and compliance impacts are moderate requiring policy and procedure updates. Third-party risk management also significantly affected through vendor security requirements.