Fannie Mae’s New Cybersecurity & Business Continuity Rules Take Effect August 12, 2025

August 9, 2025

Fannie Mae has introduced the Information Security and Business Resiliency Supplement, effective August 12, 2025, setting a unified standard for how approved sellers and servicers manage cybersecurity, incident response, and business continuity. This Supplement consolidates requirements that were previously spread across multiple guides into a single, comprehensive document, making it easier to see the full scope of expectations in one place. You can read the full Supplement here: Fannie Mae Information Security and Business Resiliency Supplement.

1. Information Security Program Requirements

The Supplement requires covered entities to maintain a formal, documented Information Security Program that aligns with industry-recognized frameworks such as NIST or ISO 27001. This program must include robust access controls, such as multi-factor authentication, least-privilege access, and regular account reviews. Data must be protected through encryption both at rest and in transit, and organizations must have a vulnerability management process that includes scanning, patching, and documenting remediation timelines. Annual penetration testing and independent security assessments are required, along with secure development and change management processes for all systems. Vendor oversight is also a key element, with contracts required to impose equivalent security obligations on third-party providers and allow for compliance verification.

2. Cybersecurity Incident Management

Cybersecurity incident management is the second core pillar of the Supplement. Fannie Mae defines a Cybersecurity Incident broadly: unauthorized access, ransomware attacks, business email compromise, denial-of-service events, and even vulnerabilities that affect Fannie Mae-related operations. Because the definition reaches vulnerabilities and not only confirmed intrusions, triage must decide quickly whether a newly discovered flaw meets the reporting threshold. When an incident occurs, organizations must promptly investigate, contain, and remediate it, and must notify Fannie Mae within 36 hours of identifying it; the clock starts at identification, not at the end of the investigation. Incident reports must describe the scope, indicators of compromise, remediation steps, and any third parties involved. Fannie Mae may also require immediate protective actions, such as suspending system access or enforcing password resets, until the issue is resolved and system safety is confirmed.

3. Business Continuity Management

In addition to security measures, the Supplement emphasizes the need for strong business continuity management. Covered entities must have a written Business Continuity Plan (BCP) that identifies mission-critical functions, outlines recovery priorities, and includes strategies for handling disruptions ranging from IT outages to vendor failures. The plan must address redundancy in systems and vendor arrangements, detail crisis communication protocols, and be tested at least annually. Results from testing should be documented, and any lessons learned should be incorporated into updates to the plan to ensure ongoing effectiveness.

4. Why This Matters

The new Supplement represents a higher baseline for cybersecurity and operational resilience across the mortgage industry. While the rules directly apply to Fannie Mae-approved sellers and servicers, they reflect a broader expectation that all participants in the loan pipeline operate with formal security and continuity programs in place. By August 12, 2025, covered entities will need to demonstrate not just that they have these programs, but that they are actively maintained, tested, and capable of rapid response to threats or operational disruptions.

5. The 36-Hour Rule

The 36-hour incident reporting requirement is especially significant, as it is far shorter than many existing industry or regulatory timelines, such as the 72-hour standard seen in some federal rules. This tight window means organizations must refine their detection, escalation, and communication processes now to avoid compliance gaps when an incident occurs. In an environment where cyber threats and operational risks continue to evolve, the Supplement makes clear that preparedness and resilience are not optional—they are fundamental to doing business with Fannie Mae.
