Pilot Launch You have early access to the Barinhall Compliance Intelligence Portal. Coverage and features are expanding weekly. Share feedback →
← Back to Feed
View source document ↗
T2 FHFA Medium Confidence Guidance

AB 2023-02: Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management

Enhanced cybersecurity and information security management standards for FHFA-regulated entities

MODERATE
Impact Level
Top: data governance (4)

Classification

Regulatory Program
FHFA Information Security Management
Doc Type
Guidance
Effective Date
2026-09-14 (est.)
Days to Action
60
Comment Deadline
Published

Urgency Basis

Supplemental guidance to existing AB 2017-02 with immediate applicability for regulated entities

Operational Context

Flags
Systems Change Required Legal Review Required Examination Focus
Affected Functions
Information Security Risk Management Compliance It Operations Vendor Management
Institution Applicability
Federal Home Loan Banks Fannie Mae Freddie Mac Fhfa-Regulated Entities

Impact by Category

Compliance
3
Operational
3
Data Governance
4
Model Risk
1
Reporting & Disclosure
2
Capital & Liquidity
0
Consumer Protection
2
Third-Party Risk
3

Key Requirements

- Review and update information security policies - Implement supplemental security controls - Enhance incident response procedures - Strengthen vendor security management - Update security awareness training programs

Scoring Rationale

Moderate impact guidance that builds upon existing AB 2017-02 framework. Primary impacts on data governance and operational security processes, with multi-business unit coordination required for implementation.

Scored: 2026-06-09T19:02:49.408Z Model: claude-sonnet-4-20250514 Confidence: Medium Aggregate Score: 2.6
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment. Effective dates, applicability determinations, impact assessments, and any recommended actions should be independently verified against primary regulatory source documents and reviewed by qualified compliance or legal personnel before taking compliance action. This output does not constitute legal or compliance advice.