2024-08-28

SR 24-6: FFIEC Information Technology Examination Handbook – Development, Acquisition, and Maintenance

The Federal Reserve issued SR 24-6 to announce the Federal Financial Institutions Examination Council's revision of the IT Examination Handbook's Development, Acquisition, and Maintenance booklet. This update replaces the 2004 booklet and incorporates maintenance into the title to reflect its critical role in the lifecycle of information systems and components. The revised booklet provides examiners with updated procedures and highlights key risk management practices without imposing new requirements on supervised entities.


United States

Federal Reserve System


BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF SUPERVISION AND REGULATION

SR 24-6
August 29, 2024

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK

SUBJECT: FFIEC Information Technology Examination Handbook – Development, Acquisition, and Maintenance

Applicability: This letter applies to all entities supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Financial Institutions Examination Council (FFIEC) has revised the “Development, Acquisition, and Maintenance” (DA&M) booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The DA&M booklet is one of eleven booklets that comprise the IT Handbook. This booklet replaces the Development and Acquisition booklet issued in April 2004. The revised title reflects the importance of maintenance in the life of an information system or component such as hardware, firmware, software, peripherals, and network components.

This booklet issuance does not impose new requirements on examined entities. The booklet describes principles and practices that examiners review when assessing an entity’s DA&M activities. The booklet also contains updated procedures to help examiners evaluate the adequacy of an entity’s programs related to DA&M. Additionally, this booklet:

• describes system and component development, acquisition, and maintenance;
• highlights key risk management practices when developing, acquiring, or maintaining systems and components;
• provides an overview of information technology project management, the system development life cycle, and supply chain risk management; and
• addresses the importance of system and software maintenance to an entity’s resilience.

The DA&M booklet and the other booklets in the IT Handbook are available on the FFIEC website at: https://ithandbook.ffiec.gov/it-booklets.

Reserve Banks are asked to distribute this letter to the supervised entities in their districts and to appropriate supervisory staff. In addition, institutions may send questions via the Board’s public website.[1]

Michael S. Gibson
Director
Division of Supervision and Regulation

[1] See http://www.federalreserve.gov/apps/contactus/feedback.aspx