Freddie Mac Single-Family Seller/Servicer Guide §1302.2 — Information security (03/03/26)
Freddie Mac Guide §1302.2 (Information security). Gap-fill (verbatim, ID-diff).
Verbatim regulatory text
Verbatim provisions from Freddie Mac Single-Family Seller/Servicer Guide §1302.2 — Information security (03/03/26) — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.
Freddie Mac Guide 1302.2
This section contains: ■ Defined terms ■ Information security minimum requirements (a) Defined terms Seller/Servicers should be familiar with the following defined terms as they relate to information security requirements: Information security defined terms A Authentication The process in which a system verifies the identity and role of an individual, usually based on some form of credential(s) (password/ID, token, etc.).
Freddie Mac Guide 1302.2
302-3 Information security defined terms E Encryption The process of encoding or obfuscating messages or information in such a way that only authorized parties can read it. V Vulnerability Management The process of identifying and testing known software vulnerabilities within a system and prioritizing remediation according to each vulnerability’s likelihood of occurrence and how the exploitation of the vulnerability would impact the system. (b) Information security minimum requirements (i) Information security program Seller/Servicers must define an individual or group of individuals responsible for the development of information security requirements, including the adoption, implementation, maintenance and administration of written minimum-security standards, policies and procedures that responsibly address critical issues such as user responsibilities (e.g., “Acceptable Use”); ownership of and access to information; baseline security practices; physical, administrative and technical security protection mechanisms and other requirements. Not less than annually, Seller/Servicers must review and assess the adequacy of their information security policies and procedures used in connection with the selling and Servicing of Freddie Mac Mortgages to ensure compliance with the Guide, their other Purchase Documents and industry best practices (including as set forth by the National Institute of Standards and Technology and International Organization for Standardization/International Electrotechnical Commission standards). Upon request of Freddie Mac, Seller/Servicers must make their information security program policies and procedures available; further, upon request of Freddie Mac, Seller/Servicers must provide an attestation executed by a duly authorized corporate officer of the adequacy of these policies and procedures, including following the termination of a Seller/Servicer’s right to sell or service Mortgages, or the occurrence of an Incident (as defined in Section 1302.5). (ii) Human resources security The following are requirements related to human resources security: ■ Pre-employment screening: Seller/Servicers must conduct, or retain a qualified third party to conduct, thorough background verification checks (screening) for all
Freddie Mac Guide 1302.2
302-4 candidates for employment or contractor status who will have access to Freddie Mac confidential information, Protected Information or Systems (as defined in Section 2401.1(b)) ■ Code of conduct or non-disclosure agreement: Prior to being granted access to Freddie Mac confidential information, Protected Information or Systems, Seller/Servicers must require all employees, contractors and third parties to (i) sign a non-disclosure agreement or (ii) be subject to a code of conduct, which in either case includes obligations to restrict the use or disclosure of and to maintain as confidential all Freddie Mac confidential information ■ Protected Information and information related to or contained in Systems: The code of conduct must be acknowledged by the employee, contractor or third party, and must address at least the following subjects: ❑ Appropriate use of company assets ❑ Information protection, including non-disclosure and confidentiality ❑ Records management ❑ Information security and privacy ❑ Business courtesies ❑ Personal investments and insider trading ❑ Conflicts of interest ■ Information security awareness, education and training: At least annually, Seller/Servicers must provide information security awareness training to all employees and contractors who have access to Freddie Mac confidential information, Protected Information and/or Systems. The training should incorporate current cybersecurity threats, including phishing, social engineering, supply chain attacks, malware/ransomware, credential compromise via weak password hygiene, insider threats, artificial intelligence (AI)- powered tactics (e.g., deepfakes, targeted phishing content) and threats to AI systems (e.g., model inversion, data poisoning, prompt injection). When necessary, the organization personnel and partners must receive AI risk management training to enable them to perform their duties and responsibilities consistent with related policies, procedures and agreements. At a minimum, the training must address the importance of data security, provide details on roles and responsibilities for all users in protecting information at the Seller/Servicer (along with practical ways to incorporate information security into daily routines) and include the specific
Freddie Mac Guide 1302.2
302-5 processes in place for protecting Freddie Mac confidential information and Protected Information. (iii)Physical and environmental security controls Seller/Servicers must create and maintain: ■ A physical security control program of the organization’s buildings and facilities that contain information systems, designed to detect, monitor and prevent unauthorized access and to respond to physical security incidents using real-time physical intrusion alarms and surveillance equipment ■ An updated list of personnel with authorized access to facilities where information systems reside, including an access privilege review performed not less than annually and upon the departure of any authorized personnel ■ Environmental controls to monitor, mitigate and protect the organization with regards to a loss of connectivity, access to or integrity of information and damage caused by natural disasters or man-made incidents such as fire, earthquake, flood, hurricane, tornado or weather-related adverse conditions ■ A clean desk policy that ensures that Freddie Mac confidential information and Protected Information are stored securely (iv) Communications and operations management Seller/Servicers must implement technical security measures designed to monitor for, mitigate against and prevent malicious software, stop unwanted spam and traffic and to protect against unauthorized use of wireless connections. Measures must include those provided in the remainder of this section or meet industry best practices, whichever is more stringent. (v) Data transmission and data loss prevention Seller/Servicers must: ■ Maintain a data loss prevention/transmission protection mechanism and related written policy establishing requirements to protect the confidentiality and integrity of information exchange using technology applications or information systems ■ Ensure adequate and up-to-date data loss prevention software is used and a corresponding management process is in place to scan for sensitive information stored on media and outgoing transmissions over public communication paths as well as to restrict the transfer of data to USB and other removable media devices at the desktop level
Freddie Mac Guide 1302.2
302-6 ■ Not transmit to System(s) or the Uniform Collateral Data Portal®, through an application programming interface or otherwise, any Malicious Code. “Malicious Code” means software or firmware intended to perform an unauthorized process that may have adverse impacts on the confidentiality, integrity, or availability of an information system (including, without limitation, data in transit), such as a “virus,” “time bomb,” “worm,” “trojan horse,” or other code-based entity that infects a host; ransomware, spyware and certain forms of adware are also examples of Malicious Code. ■ Conduct regular audits to ensure compliance with data loss prevention policies and procedures and verify that data loss prevention software is functioning as intended ■ For data loss prevention policies, implement a data classification scheme to identify and categorize Freddie Mac confidential information and personal information ■ Ensure adequate and up-to-date data loss prevention software is used and a corresponding management process is in place to scan all inbound files and e-mails for malware ■ Establish an incident response plan for data loss prevention policy violations. Ensure staff are trained to respond to potential data loss incidents. (vi) Anti-virus program/updates Seller/Servicers must install anti-virus software to protect servers and end user systems and must keep all such software up to date with the latest anti-virus software and definitions. (vii) Network security Seller/Servicers must: ■ Implement information technology controls such as stateful firewalls to block all traffic inbound from, and outbound to, public networks that have not been expressly permitted by policy (i.e., “deny by default”) ■ Manage and restrict ports, protocols and services to only those that are required and approved for business operations ■ Formally recertify and authorize firewall rules upon each significant change (including, but not limited to, physical appliance updates, firmware updates and other changes to firewall technology) in infrastructure and otherwise not less than annually ■ Define a network segmentation strategy, commensurate with the Seller/Servicer’s risk profile, that is documented in policies and procedures and requires physical and logical segmentation from the user environment
Freddie Mac Guide 1302.2
302-7 ■ Establish a comprehensive strategy and process for endpoint detection and response that includes continuous monitoring of endpoint detection and response and remote access technologies to detect any misuse or abuse ■ At least annually, review and update the endpoint detection and response strategy and processes to adapt to evolving threats and technologies ■ Define criteria and indicators to identify when privileged credentials are compromised or used maliciously ■ Develop procedures for prompt response and mitigation of identified threats, ensuring that all incidents involving compromised credentials are thoroughly investigated and remediated (viii) Privacy policy Seller/Servicers must maintain a written privacy policy that has been approved by management and communicated to all appropriate personnel. The policy must meet industry best practices and require the Seller/Servicer to have an easily accessible online privacy notice that complies with applicable laws. (ix) Mobile computing Seller/Servicers must maintain a written mobile device/computing management (MDM) policy that has been approved by management and communicated to all appropriate personnel. This policy must reflect current and best practices, specifying parameters including but not limited to: ■ Approved and prohibited applications ■ Cryptographic mechanisms to ensure data security ■ Identity and access management requirements ■ Software updates (x) Wireless networks Seller/Servicers must control, secure, and monitor wireless access points. In addition, Seller/Servicers that offer wireless networks for network users must: ■ Implement and keep up to date a strong Wireless Local Area Network (WLAN) Authentication method that meets or exceeds the current industry standard Encryption strength and technology
Freddie Mac Guide 1302.2
302-8 ■ Prohibit use of outdated wireless technologies such as Wired Equivalent Privacy (WEP) ■ At least annually, perform reviews of approved wireless networks to validate and verify authorized users and access points ■ Password protect and control administrative access to the router (xi) Vulnerability management and penetration testing Seller/Servicers must conduct vulnerability testing on a regular basis and have a process in place to analyze and remediate identified vulnerabilities. To accomplish this, the Seller/Servicer must: ■ Not less than annually, employ a qualified and independent third party to conduct penetration testing on systems or system components used to store, access, process and/or transmit Freddie Mac confidential information or Protected Information or connect to System(s). At a minimum, the executive summary of the penetration report on Freddie Mac-related services and data should be made available to Freddie Mac for review. ■ Maintain a written vulnerability assessment process and policy that has been approved by Senior Management, including, at a minimum, the Chief Information Officer, Chief Technology Officer, Chief Information Security Office or Chief Risk Officer (or the equivalents thereof), communicated to appropriate personnel and has an owner that implements, maintains and reviews the policy at least annually to ensure that it consistently reflects industry best practices ■ Remediate all identified vulnerabilities per defined service level agreements ■ Maintain a record of all identified vulnerabilities and their remediation status (xii) Configuration and patch management Seller/Servicers must: ■ Implement and maintain a written patch management process and a policy that has been approved by management, communicated to all appropriate personnel and has a designated owner that reviews, implements and maintains the policy to ensure that it consistently reflects industry best practices ■ Develop and execute a process for developing and maintaining secure configuration baselines (also known as hardening guides, baseline secure configurations) of infrastructure components
Freddie Mac Guide 1302.2
302-9 ■ Deploy intrusion detection and/or prevention systems (IDS and/or IPS) with generated events fed into centralized systems for analysis ■ Define, implement and maintain preventive controls designed to block malicious messages and attachments from entering the environment ■ Designate qualified personnel responsible for performing timely software updates and patches and maintain a process for testing and installing software updates as they become available (xiii) Auditing, logging and monitoring Seller/Servicers must: ■ Develop, implement and maintain written guidelines and requirements for the logging and monitoring of activities and action within information systems. If the Seller/Servicer uses an enterprise log management function, the subject requirements must be integrated with such log management function. The Seller/Servicer may elect to use an external vendor for information security monitoring, subject to the provisions of this Chapter 1302. ■ Develop, implement and maintain written log retention and handling requirements to ensure logs retain relevant, useable and timely information sufficient to identify user access and/or system activities ■ Perform an independent security assessment of the control environment not less than annually and upon the occurrence of any Incident (as defined in Section 1302.5) (xiv) Software and application development life cycle (SDLC) If a Seller/Servicer develops applications or software that store, access, process or transmit Freddie Mac confidential information, Protected Information or connects to Systems, the Seller/Servicer must develop, implement and maintain a written SDLC process and policy that has been approved by management. This policy must include at minimum: ■ Management and separation of production and development environments that reflect contemporary best practices ■ Secure coding requirements ■ Open-source requirements ■ Code development and scanning pre- and post-deployment
Freddie Mac Guide 1302.2
302-10 (xv) Data Encryption Seller/Servicers must: ■ Maintain a formal Encryption and cryptography use policy that has been approved by Senior Management, including, at a minimum, the Chief Information Officer, Chief Technology Officer, Chief Information Security Office or Chief Risk Officer (or the equivalents thereof), and which has been communicated to appropriate personnel and has an owner that implements, maintains and reviews the policy to ensure it consistently reflects industry best practices ■ Maintain an encryption solution that enables the recovery of a compromised database administrator account ■ Maintain encryption solutions that allow privileged administrators to complete required actions without the ability to decrypt data ■ Ensure the protection, integrity and confidentiality of Freddie Mac confidential information and Protected Information using encryption methods while in transit and at rest ■ Deploy cryptography standards that meet or exceed the then-current industry standard Encryption strength and technology and prohibit use of outdated technologies ■ Generate, exchange, store, use, replace and delete cryptographic keys in a timely manner to prevent unauthorized access to those keys ■ Use Encryption mechanisms on portable end-user devices to protect data if the hardware (laptop, mobile device, etc.) is lost or stolen (xvi) Incident management Seller/Servicers must: ■ Develop and maintain, and implement when triggered, an incident response plan that provides a roadmap for implementing incident response capabilities and defines the resources and management support needed. The plan must: ❑ Be approved by Senior Management, including, at a minimum, the Chief Information Officer, Chief Technology Officer, Chief Information Security Office or Chief Risk Officer (or the equivalents thereof); ❑ Include a plan, with a clearly defined process, to shut off access to Freddie Mac Systems when an Incident occurs;
Freddie Mac Guide 1302.2
302-11 ❑ As specified in Section 1302.5, address any security breaches or incidents involving Freddie Mac confidential information or Protected Information promptly and effectively; ❑ Be tested at a pre-defined periodic frequency, or more frequently, if prudent, given the circumstances; ❑ Be reviewed and updated at least annually ■ Document a process to identify and respond to malicious domains, taking immediate action to block access to these domains across all network and endpoint security systems ■ Notify relevant stakeholders and provide detailed reports on the identified threats and actions taken ■ Coordinate with Related Third Parties on Incident detection and remediation ■ Regularly review and update the response processes to adapt to evolving threats and technologies, incorporating lessons learned from past incidents to enhance the overall effectiveness of the response strategy ■ Annually, unless formally activated, test the effectiveness of the incident response plan and capabilities ■ Annually, unless formally activated, audit the incident response plan. The audit may be performed by (i) an internal independent function within the organization, or (ii) an external entity who is qualified to do such audits; ■ Evaluate lessons learned from all Incidents; ■ Implement or identify an existing classification scale for Incidents to quantify the severity of the Incident; ■ Have documented action plans for remediation of Incidents, including playbooks for Incidents related to AI/ML (as defined in Section 1302.8) (xvii) Access control A. Access management policy A Seller/Servicer must: ■ Establish, implement and maintain an access management policy that aligns with industry best practices, including a process for granting and removing