Fannie Mae Information Security and Business Resiliency Supplement
Fannie Mae Information Security and Business Resiliency Supplement (published Sept 2, 2025) — the cybersecurity, incident-management, and business-resiliency requirements LL-2026-04 requires sellers/servicers to comply with.
Need to act on this regulation? FNMA AI Lender Letter (LL-2026-04) — Survivors Compliance Guide →
Verbatim regulatory text
Verbatim provisions from Fannie Mae Information Security and Business Resiliency Supplement — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.
3. Information Security Program
align its Information Security Program with, or exceed, a current industry standard such as the National Institute of Standards in Technology (NIST) Framework or the International Organization for Standardization (ISO) 27001 Standard; • designate and keep a senior executive responsible for the development, implementation, and maintenance of its Information Security Program; © 2025 Fannie Mae Page 8 of 27
Incident Management and Reporting
Without undue delay and no later than 36 hours after identification of the Cybersecurity Incident, or the reasonable conclusion a Cybersecurity Incident may have occurred, and promptly thereafter as requested, provide Fannie Mae via e-mail at [email protected] (or by such other means as Fannie Mae may otherwise request) all known details of the Cybersecurity Incident, including:
Business Continuity
Business Continuity Plan must: • address Business Continuity Procedures and Disaster Recovery Procedures and provide a level of preparation, coordination, facilitation, resiliency, and testing that addresses disruptions that could impact normal operations and processing and
Supply Chain Risk Management
The Company must develop, document, and implement a formal vendor risk management program to ensure the controls of new and existing vendors
Supply Chain Risk Management
Perform related business continuity due diligence on its third parties to ensure they meet contracted service requirements and maintain a business continuity program that aligns with industry best practices