| Cybersecurity Risk Management and Strategy Disclosure | 12 Months Ended Dec. 31, 2025 |
|---|---|
| Cybersecurity Risk Management, Strategy, and Governance [Line Items] | |
| Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block] | Overview
Cybersecurity risk is a key operational risk that we face; therefore, managing cybersecurity risk is an inherent part of our business activities. We describe the material cybersecurity risks we face in “Risk Factors—Operational and Model Risk.”
Cybersecurity Risk Management Program
We have developed and continue to enhance our cybersecurity risk management program as we seek to protect the security of our information systems, software, networks and other technology assets against unauthorized attempts to access confidential information and data or to disrupt or degrade business operations. Our cybersecurity risk management program has evolved, and continues to evolve, based on the changing needs of our business, the evolving threat environment, and evolving legal and regulatory requirements. We design and assess our cybersecurity risk management program based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”). While we generally consult the NIST Cybersecurity Framework when designing and assessing our cybersecurity risk management program, we have not implemented and do not plan to implement all categories and subcategories included in the framework. We use the framework as a guide to help us identify, assess and manage cybersecurity risks relevant to our business based on our current understanding of the cybersecurity threat environment.
Integration into Enterprise Risk Management Framework
Our cybersecurity risk management program is integrated into our overall Enterprise Risk Management framework, which is described in “MD&A—Risk Management—Overview.” Our Enterprise Response Framework establishes the reporting structure and escalation process for managing all enterprise incidents, including cybersecurity-related incidents. The framework defines the relationship and notification steps among the various crisis management stakeholders, including the Board of Directors, the Management Committee, the CEO, other members of the executive leadership team, the crisis manager and crisis management coordinators. See “Cybersecurity Governance—Management Role” for a description of the oversight role of the Corporate Risk & Compliance division, Internal Audit and the management-level Technology & Third Party Risk Committee and Enterprise Risk Committee relating to cybersecurity risk management.
Cybersecurity Risk Management Strategy
Overview and Goal. Fannie Mae has a multilayered cybersecurity defense strategy. We take a risk-based defense-in-depth approach that prioritizes the highest impact events and employs overlapping layers of protection. Our cybersecurity threat operations operate with the goal of identifying, preventing, and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with incident response and recovery plans.
Tools and Safeguards. As part of our cybersecurity defense strategy, we employ tools and systems safeguards intended to help secure our networks, applications, data and infrastructure, and to manage cybersecurity vulnerabilities. These safeguards include network and perimeter defense, infrastructure security, cloud security, endpoint protection, data protection, identity management and network segmentation. We work to evaluate and improve on these tools and safeguards through periodic cybersecurity assessments and the integration of cybersecurity threat intelligence.
Backup Data Storage. We have both internal and external third-party backup data storage to help protect our data from cybersecurity incidents. We test our internal backup restoration process on a regular basis.
Response Plans and Procedures. We maintain cybersecurity incident response procedures that identify the activities and escalation processes to be implemented upon detection of a cybersecurity incident, and we routinely practice these activities and processes. We also have business and technology continuity plans and a crisis management plan, which we test on a regular basis.
Training. We provide mandatory cybersecurity training to employees and contractors on an annual basis. We test our employees’ response to simulated phishing scenarios on a regular basis. We also conduct enhanced training for certain groups of employees that may pose higher risk.
Assessments. We examine the effectiveness of our cyber defenses through various means, including internal audits, targeted testing, vulnerability testing, maturity assessments, incident response exercises and industry benchmarking.
Insurance Coverage. We maintain insurance coverage relating to cybersecurity risks. As described in “Risk Factors—Operational and Model Risk,” our insurance may not be sufficient to provide adequate loss coverage.
Role of External Consultants, Vendors and Other Third Parties
We regularly use external consultants and vendors to assist in our assessment and management of cybersecurity risks, including employing third parties to evaluate the security of our networks and our approach to cybersecurity risk management, such as external vendors that conduct penetration testing against our network on at least an annual basis, an external vendor that reviews and tests our cybersecurity incident response plan on at least an annual basis, and external vendors that support our network event alerting and detection capabilities. We also have external vendors on retainer to assist with cybersecurity incident response activities if requested. We are also focused on building and maintaining relationships with the appropriate government and law enforcement agencies and with other businesses, industry groups and cybersecurity services to better understand the cybersecurity risks in our environment, enhance our defenses and improve our resiliency against cybersecurity threats.
Third-Party Cybersecurity Risk Oversight
Our cybersecurity risk management program extends to oversight of third parties that pose a cybersecurity risk to us, including lenders that use our systems and third-party service providers. In alignment with the NIST Cybersecurity Framework and FHFA regulatory guidance, we have established a risk-based framework for managing third-party risk that defines specified triggers for assessing and reporting cyber-related third-party risks and events. Pursuant to this framework, we have implemented both preventive and detective controls to mitigate cybersecurity risks posed by third parties. We have identified certain third parties that we believe pose a higher cybersecurity risk to us because they have significant access to our systems or data. For these higher-risk third parties, we have implemented additional requirements, including:
• We assess these higher-risk third parties’ cybersecurity controls through a cybersecurity questionnaire and a review of their cybersecurity controls, either through independent audits or by direct review of their cybersecurity policies and practices.
• We use third-party cybersecurity monitoring and alert services to monitor these higher-risk third parties.
• We conduct periodic monitoring reviews of these higher-risk third parties’ cybersecurity policies and practices.
The Information Security organization monitors information systems to detect anomalies, including attempted cyber attacks, as well as user activity for access controls and risks of insider threat. The Information Security organization also monitors and investigates cybersecurity incidents through detection tools, reports from end users, and other cybersecurity threat and vulnerability intelligence. The Information Security organization also shares and obtains information on cybersecurity threats through participation in the Financial Services Information Sharing and Analysis Center, referred to as FS-ISAC, a member-driven organization that advances cybersecurity and resilience in the global financial system. As appropriate, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the company’s incident response processes.
|
| Cybersecurity Risk Management Processes Integrated [Flag] | true |
| Cybersecurity Risk Management Processes Integrated [Text Block] | Our cybersecurity risk management program is integrated into our overall Enterprise Risk Management framework, which is described in “MD&A—Risk Management—Overview.” Our Enterprise Response Framework establishes the reporting structure and escalation process for managing all enterprise incidents, including cybersecurity-related incidents. The framework defines the relationship and notification steps among the various crisis management stakeholders, including the Board of Directors, the Management Committee, the CEO, other members of the executive leadership team, the crisis manager and crisis management coordinators. See “Cybersecurity Governance—Management Role” for a description of the oversight role of the Corporate Risk & Compliance division, Internal Audit and the management-level Technology & Third Party Risk Committee and Enterprise Risk Committee relating to cybersecurity risk management.
|
| Cybersecurity Risk Management Third Party Engaged [Flag] | true |
| Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] | true |
| Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] | false |
| Cybersecurity Risk Board of Directors Oversight [Text Block] | Board Oversight
The full Board of Directors oversees the company’s cybersecurity risk management, assisted by the Risk Policy and Capital Committee of the Board. The Board has delegated management-level risk oversight, including for cybersecurity risk matters, to the Enterprise Risk Committee, as described under “Management Role” below. The Risk Policy and Capital Committee of the Board discusses cybersecurity risk matters with management throughout the year. Senior management team members, such as the Chief Security Officer or Deputy Chief Risk Officer of Non-Financial Risk & Compliance, report to the Risk Policy and Capital Committee and/or the Board on matters such as updates on our cybersecurity risk management program, resiliency, and external cybersecurity developments, threats and risks. The company has procedures to escalate information regarding certain cybersecurity incidents to the Board Chair. At least once every two years, the Risk Policy and Capital Committee reviews and approves the company’s Cybersecurity Risk Policy and Operational Risk Policy.
|
| Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] | The full Board of Directors oversees the company’s cybersecurity risk management, assisted by the Risk Policy and Capital Committee of the Board. |
| Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block] | Senior management team members, such as the Chief Security Officer or Deputy Chief Risk Officer of Non-Financial Risk & Compliance, report to the Risk Policy and Capital Committee and/or the Board on matters such as updates on our cybersecurity risk management program, resiliency, and external cybersecurity developments, threats and risks. The company has procedures to escalate information regarding certain cybersecurity incidents to the Board Chair. At least once every two years, the Risk Policy and Capital Committee reviews and approves the company’s Cybersecurity Risk Policy and Operational Risk Policy.
|
| Cybersecurity Risk Role of Management [Text Block] | Our Chief Security Officer leads our Information Security organization, which has primary responsibility for assessing and managing our cybersecurity risks. Our Chief Security Officer has principal management responsibility for overseeing the company’s cybersecurity risk management program. Our Chief Security Officer reports to our Chief Control Officer and Head of Enterprise Operations. The Information Security organization works collaboratively across the company to help protect the company’s information systems from cybersecurity threats and to respond to cybersecurity threats and incidents. The Information Security organization monitors information systems to detect anomalies, including attempted cyber attacks, as well as user activity for access controls and risks of insider threat. The Information Security organization also monitors and investigates cybersecurity incidents through detection tools, reports from end users, and other cybersecurity threat and vulnerability intelligence. The Information Security organization also shares and obtains information on cybersecurity threats through participation in the Financial Services Information Sharing and Analysis Center, referred to as FS-ISAC, a member-driven organization that advances cybersecurity and resilience in the global financial system. As appropriate, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the company’s incident response processes. The Information Security organization and Corporate Risk & Compliance division are informed about and monitor the prevention, detection and mitigation of cybersecurity incidents through risk and control assessments, targeted reviews, scenario analysis, and monitoring of risk metrics. 
The company’s performance in managing cybersecurity risk is reported to the Technology & Third Party Risk Committee, the Enterprise Risk Committee and the Risk Policy and Capital Committee of the Board of Directors. As noted above, the Board has delegated oversight responsibility at the management level for risk-related matters to the Enterprise Risk Committee, members of which include senior leaders throughout the company. The Enterprise Risk Committee has delegated primary responsibility for management-level oversight of cybersecurity risk management to the Technology & Third Party Risk Committee. The Technology & Third Party Risk Committee receives reports on cybersecurity risk matters on a regular basis from the company’s Chief Security Officer. The Technology & Third Party Risk Committee reviews and approves the company’s management-level cybersecurity risk policies and standards. The Technology & Third Party Risk Committee also reviews and monitors metrics relating to cybersecurity risk. The Technology & Third Party Risk Committee escalates matters to the Operational Risk Committee or the Enterprise Risk Committee as appropriate. The company’s Corporate Risk & Compliance division provides risk-based independent oversight of cybersecurity risk management performed by the Information Security organization. Members of the Corporate Risk & Compliance division chair the Technology & Third Party Risk Committee and the Enterprise Risk Committee. The company’s Internal Audit organization audits the Corporate Risk & Compliance division’s oversight of cybersecurity risk management and also independently tests the effectiveness of the company’s cybersecurity risk management and governance. Members of the Internal Audit organization participate as non-voting members of both the Technology & Third Party Risk Committee and the Enterprise Risk Committee.
|
| Cybersecurity Risk Management Positions or Committees Responsible [Flag] | true |
| Cybersecurity Risk Management Positions or Committees Responsible [Text Block] | Our Chief Security Officer leads our Information Security organization, which has primary responsibility for assessing and managing our cybersecurity risks. Our Chief Security Officer has principal management responsibility for overseeing the company’s cybersecurity risk management program. As noted above, the Board has delegated oversight responsibility at the management level for risk-related matters to the Enterprise Risk Committee, members of which include senior leaders throughout the company. The Enterprise Risk Committee has delegated primary responsibility for management-level oversight of cybersecurity risk management to the Technology & Third Party Risk Committee.
|
| Cybersecurity Risk Management Expertise of Management Responsible [Text Block] | Chief Security Officer
Our Chief Security Officer has over 21 years of professional experience in information security, including over 1 year in his current position, over 8 years as Fannie Mae’s Chief Information Security Officer (2016-2024) and over 1 year as Fannie Mae’s Deputy Chief Information Security Officer. Our Chief Security Officer holds a graduate degree in information technology management.
Technology & Third Party Risk Committee
Members of the Technology & Third Party Risk Committee include officers with expertise in cybersecurity risk oversight, such as the Chief Security Officer described above and the head of our Technology and Third Party Risk Oversight department. As of December 2025, several members of the Technology & Third Party Risk Committee had prior work experience in cybersecurity and several had a relevant degree or certification, or other knowledge, skills or background in cybersecurity.
|
| Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] | Our Chief Security Officer leads our Information Security organization, which has primary responsibility for assessing and managing our cybersecurity risks. Our Chief Security Officer has principal management responsibility for overseeing the company’s cybersecurity risk management program. Our Chief Security Officer reports to our Chief Control Officer and Head of Enterprise Operations. The Information Security organization works collaboratively across the company to help protect the company’s information systems from cybersecurity threats and to respond to cybersecurity threats and incidents. The Information Security organization monitors information systems to detect anomalies, including attempted cyber attacks, as well as user activity for access controls and risks of insider threat. The Information Security organization also monitors and investigates cybersecurity incidents through detection tools, reports from end users, and other cybersecurity threat and vulnerability intelligence. The Information Security organization also shares and obtains information on cybersecurity threats through participation in the Financial Services Information Sharing and Analysis Center, referred to as FS-ISAC, a member-driven organization that advances cybersecurity and resilience in the global financial system. As appropriate, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the company’s incident response processes. The Information Security organization and Corporate Risk & Compliance division are informed about and monitor the prevention, detection and mitigation of cybersecurity incidents through risk and control assessments, targeted reviews, scenario analysis, and monitoring of risk metrics. 
The company’s performance in managing cybersecurity risk is reported to the Technology & Third Party Risk Committee, the Enterprise Risk Committee and the Risk Policy and Capital Committee of the Board of Directors. As noted above, the Board has delegated oversight responsibility at the management level for risk-related matters to the Enterprise Risk Committee, members of which include senior leaders throughout the company. The Enterprise Risk Committee has delegated primary responsibility for management-level oversight of cybersecurity risk management to the Technology & Third Party Risk Committee. The Technology & Third Party Risk Committee receives reports on cybersecurity risk matters on a regular basis from the company’s Chief Security Officer. The Technology & Third Party Risk Committee reviews and approves the company’s management-level cybersecurity risk policies and standards. The Technology & Third Party Risk Committee also reviews and monitors metrics relating to cybersecurity risk. The Technology & Third Party Risk Committee escalates matters to the Operational Risk Committee or the Enterprise Risk Committee as appropriate. The company’s Corporate Risk & Compliance division provides risk-based independent oversight of cybersecurity risk management performed by the Information Security organization. Members of the Corporate Risk & Compliance division chair the Technology & Third Party Risk Committee and the Enterprise Risk Committee. The company’s Internal Audit organization audits the Corporate Risk & Compliance division’s oversight of cybersecurity risk management and also independently tests the effectiveness of the company’s cybersecurity risk management and governance. Members of the Internal Audit organization participate as non-voting members of both the Technology & Third Party Risk Committee and the Enterprise Risk Committee.
|
| Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] | true |