T2
FHFA
Medium Confidence
Guidance
AB 2023-02: Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management
Enhanced cybersecurity and information security management standards for FHFA-regulated entities
MODERATE
Impact Level
Top: data governance (4)
Classification
- Regulatory Program
- FHFA Information Security Management
- Doc Type
- Guidance
- Effective Date
- 2026-09-14 (est.)
- Days to Action
- 60
- Comment Deadline
- —
- Published
- —
Urgency Basis
Supplemental guidance to existing AB 2017-02 with immediate applicability for regulated entities
Operational Context
Flags
Systems Change Required
Legal Review Required
Examination Focus
Affected Functions
Information Security
Risk Management
Compliance
It Operations
Vendor Management
Institution Applicability
Federal Home Loan Banks
Fannie Mae
Freddie Mac
Fhfa-Regulated Entities
Impact by Category
Compliance
3
Operational
3
Data Governance
4
Model Risk
1
Reporting & Disclosure
2
Capital & Liquidity
0
Consumer Protection
2
Third-Party Risk
3
Key Requirements
- Review and update information security policies
- Implement supplemental security controls
- Enhance incident response procedures
- Strengthen vendor security management
- Update security awareness training programs
Scoring Rationale
Moderate impact guidance that builds upon existing AB 2017-02 framework. Primary impacts on data governance and operational security processes, with multi-business unit coordination required for implementation.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.