Fannie Mae Information Security Requirements
Fannie and Freddie are serious about information security. That was made obvious.
But what exactly are the requirements that Fannie and Freddie are serious about?
Simply: to ensure lenders that have access to Fannie and Freddie systems that house non-public information, such as SSNs and tax returns, have minimum, basic protections to reasonably prevent compromise of that information.
Let’s look at the Fannie Mae requirements. This is not going to be a simple list of the requirements---instead, it looks at the domains Fannie Mae is concerned with and explains why each one helps secure systems and protect data.
The 14 domains that Fannie Mae is focused on are: access management, human resource security, audit and accountability, vulnerability management, physical and environmental controls, cyber incident management and response, asset management, system development and change management, patch management, data protection and system security, mobile computing, network security and management, cloud computing, and supply chain risk management.
To simplify this task we will sort these into three groups: administrative, technical, and operational. Administrative controls are the policies and processes that establish high-level risk management practices to protect systems and data. Technical controls provide those protections through technology or the information systems themselves. Operational controls are the physical safeguards that enforce personnel compliance, and the processes that ensure people do the right things to protect systems and data.
Administrative Controls
Human resource security---ensuring employees are trustworthy; supply chain risk management---ensuring vendors are trustworthy; and audit and accountability---ensuring information systems and data are used appropriately.
Technical Controls
Access management---controlling users and allowing only authorized users on systems; data protection and system security---encrypting data and protecting systems; network security and management---securing connections between systems; cloud computing---protecting resources in the cloud; mobile computing---protecting information and data on mobile devices, whether personal or corporate; system development and change management---keeping systems up to date to protect against vulnerabilities that are being exploited.
Operational Controls
Physical and environmental controls---preventing systems and data from being physically stolen or damaged; asset management---keeping an inventory; cyber incident management and response---processes that define the response actions taken during an incident so the organization recovers well; patch management---the processes, tied to change management, that apply updates to systems; vulnerability management---processes that detect vulnerabilities to ensure systems stay up to date.
These are all the controls that Fannie Mae now requires under its “Information Security and Business Resiliency Supplement.”
I will add one more---organizational risk management and ensuring cybersecurity is a part of it!
Kevin Robinson, CISSP, DDN.QTE, Associate C|CISO, is Head of Cybersecurity Services for The Commonwealth Group. He has a 20 year career in cybersecurity, risk assessment, intelligence and counterintelligence. His previous employers include Thornburg Investment Management, Los Alamos National Laboratory, L3Harris, and the Central Intelligence Agency.