T3
FHFA
Medium Confidence
Guidance
AB 2023-02: Supplemental Guidance to Advisory Bulletin 2017-02 - Information Security Management
Enhanced information security management requirements for FHFA-regulated entities supplementing existing 2017 guidance
MODERATE
Impact Level
Top: data governance (4)
Classification
- Regulatory Program
- FHFA Information Security Management
- Doc Type
- Guidance
- Effective Date
- 2026-11-13 (est.)
- Days to Action
- 120
- Comment Deadline
- —
- Published
- —
Urgency Basis
Supplemental guidance to existing 2017 advisory bulletin with no specified effective date, allowing reasonable implementation timeline
Operational Context
Flags
Systems Change Required
Examination Focus
Legal Review Required
Affected Functions
Information Technology
Risk Management
Compliance
Cybersecurity
Vendor Management
Institution Applicability
Federal Home Loan Banks
Fannie Mae
Freddie Mac
Fhfa-Regulated Entities
Impact by Category
Compliance
3
Operational
3
Data Governance
4
Model Risk
1
Reporting & Disclosure
2
Capital & Liquidity
0
Consumer Protection
2
Third-Party Risk
3
Key Requirements
- Review and update information security management frameworks
- Implement enhanced cybersecurity controls and monitoring
- Strengthen vendor and third-party security oversight
- Update incident response and reporting procedures
- Enhance staff training and awareness programs
Scoring Rationale
Moderate impact driven by data governance and operational requirements for information security enhancements. While building on existing 2017 guidance, the supplemental nature suggests meaningful updates requiring cross-functional coordination and potential system changes.
AI Analysis Disclosure — This record, including its scores, impact assessments, and Advisory
Assessment (impact, risk, and recommended actions), was generated by an AI model and may contain errors or
omissions. The Advisory Assessment is a starting point for analysis, not a substitute for professional judgment.
Effective dates, applicability determinations, impact assessments, and any recommended actions should be
independently verified against primary regulatory source documents and reviewed by qualified compliance or legal
personnel before taking compliance action. This output does not constitute legal or compliance advice.