Pilot Launch You have early access to the Barinhall Compliance Intelligence Portal. Coverage and features are expanding weekly. Share feedback →
← Back to Feed
View source document ↗
T3 FHFA Medium Confidence Guidance

AB 2023-02: Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management

Enhanced information security management requirements for FHFA-regulated entities supplementing existing 2017 guidance

MODERATE
Impact Level
Top: data governance (4)

Classification

Regulatory Program
FHFA Information Security Management
Doc Type
Guidance
Effective Date
2026-11-13 (est.)
Days to Action
120
Comment Deadline
Published

Urgency Basis

Supplemental guidance to existing 2017 advisory bulletin with no specified effective date, allowing reasonable implementation timeline

Operational Context

Flags
Systems Change Required Examination Focus Legal Review Required
Affected Functions
Information Technology Risk Management Compliance Cybersecurity Vendor Management
Institution Applicability
Federal Home Loan Banks Fannie Mae Freddie Mac Fhfa-Regulated Entities

Impact by Category

Compliance
3
Operational
3
Data Governance
4
Model Risk
1
Reporting & Disclosure
2
Capital & Liquidity
0
Consumer Protection
2
Third-Party Risk
3

Key Requirements

- Review and update information security management frameworks - Implement enhanced cybersecurity controls and monitoring - Strengthen vendor and third-party security oversight - Update incident response and reporting procedures - Enhance staff training and awareness programs

Scoring Rationale

Moderate impact driven by data governance and operational requirements for information security enhancements. While building on existing 2017 guidance, the supplemental nature suggests meaningful updates requiring cross-functional coordination and potential system changes.

Scored: 2026-06-02T19:02:49.801Z Model: claude-sonnet-4-20250514 Confidence: Medium Aggregate Score: 2.6
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment. Effective dates, applicability determinations, impact assessments, and any recommended actions should be independently verified against primary regulatory source documents and reviewed by qualified compliance or legal personnel before taking compliance action. This output does not constitute legal or compliance advice.