
Fannie Mae Information Security and Business Resiliency Supplement

We encourage you to adopt the following requirements now, but you must fully implement them no later than the effective date of August 12, 2025.

Fannie Mae recognizes that cyber risk is a business risk and protecting data is a shared responsibility.

Due to an evolving landscape, Fannie Mae has introduced new and updated cybersecurity requirements that our business partners must follow to ensure the safety and soundness of the enterprise. The new Fannie Mae Information Security and Business Resiliency Supplement (the "Supplement") includes updates to:

  • information security controls;
  • cybersecurity incident notification requirements; and
  • business continuity and resiliency requirements.


Need a refresher on current requirements?

The Consolidated Technology Guide is the single point of reference for Fannie Mae’s technology licensing contract, the Software Subscription Agreement, which governs external party access and use of Fannie Mae’s applications and related application programming interfaces. In addition:

Frequently Asked Questions

A Cybersecurity Incident is defined (see Section 2: Relevant Terms) in the “Fannie Mae Information Security and Business Resiliency Supplement” as:

Any of the following related to Confidential Information:

  • loss of;
  • accidental or unauthorized acquisition, use, modification, disclosure, deletion, or destruction of;
  • accidental or unauthorized access to;
  • circumvention, disabling, or deactivation of security measures protecting; or
  • occurrence affecting the confidentiality, integrity, or availability of.

Examples include one or more of the following occurring at the Company or at the Company’s third party(ies):

  • ransomware, regardless of potential impact to Confidential Information;
  • a denial of service attack that may affect the delivery of services to Fannie Mae (for the avoidance of doubt, this includes a distributed denial of service attack);
  • business e-mail compromise (BEC), regardless of potential impact to Confidential Information; and
  • vulnerabilities that may affect the delivery of services or loans to or for Fannie Mae.

Without undue delay and no later than 36 hours after identification of the Cybersecurity Incident, or the reasonable conclusion that a Cybersecurity Incident may have occurred, and promptly thereafter as requested, provide notice to Fannie Mae via e-mail at privacy_office@fanniemae.com (see Section 4: Cybersecurity Incident Management).

Fannie Mae will determine if access to systems needs to be restricted based on the details of the incident reported. If access is restricted, Fannie Mae teams will provide guidance and requirements for restoring access (see Section 4.1: Actions by Fannie Mae).

Yes. In addition to the Cybersecurity Incident reporting requirements, if Company:

  • inadvertently or by intentional action, loses;
  • has stolen from it; or
  • incorrectly routes outside of Company;

physical information, such as paper files or other media, that includes Fannie Mae Confidential Information, then without undue delay and no later than 36 hours after identification of the matter, or the reasonable conclusion that one may have occurred, and promptly thereafter as requested, Company must provide notice to Fannie Mae via e-mail at privacy_office@fanniemae.com (see Section 4.4: Lost/Stolen/Incorrectly Routed Physical Information).

Fannie Mae does not require that a specific standard or framework be implemented. The Supplement references the National Institute of Standards and Technology (NIST) Framework and/or the International Organization for Standardization (ISO) 27001 Standard as industry standards that can be leveraged (see Section 3: Information Security Program).

Yes. Seller/Servicers using service providers (which are related third parties) that store, process, access, or transmit Fannie Mae Confidential Information must require those service providers to comply with information security and business continuity requirements substantially similar to those defined in the Supplement (see Section 3.14: Supply Chain Risk Management).