SR 24-6:

FFIEC Information Technology Examination Handbook – Development, Acquisition, and Maintenance

BOARD OF GOVERNORS
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF
SUPERVISION AND REGULATION

SR 24-6
August 29, 2024

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK

SUBJECT:

FFIEC Information Technology Examination Handbook – Development, Acquisition, and Maintenance

Applicability:  This letter applies to all entities supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Financial Institutions Examination Council (FFIEC) has revised the “Development, Acquisition, and Maintenance” (DA&M) booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The DA&M booklet is one of eleven booklets that comprise the IT Handbook. This booklet replaces the Development and Acquisition booklet issued in April 2004. The revised title reflects the importance of maintenance in the life of an information system or component such as hardware, firmware, software, peripherals, and network components.

This booklet issuance does not impose new requirements on examined entities. The booklet describes principles and practices that examiners review when assessing an entity’s DA&M activities. The booklet also contains updated procedures to help examiners evaluate the adequacy of an entity’s programs related to DA&M. Additionally, this booklet:

  • describes system and component development, acquisition, and maintenance;
  • highlights key risk management practices when developing, acquiring, or maintaining systems and components;
  • provides an overview of information technology project management, the system development life cycle, and supply chain risk management; and
  • addresses the importance of system and software maintenance to an entity’s resilience.

The DA&M booklet and the other booklets in the IT Handbook are available on the FFIEC website at: https://ithandbook.ffiec.gov/it-booklets.

Reserve Banks are asked to distribute this letter to the supervised banking organizations in their districts and to appropriate supervisory staff. In addition, banking organizations may send questions via the Board’s public website.1

signed by
Michael S. Gibson
Director
Division of
Supervision and Regulation

Back to Top
Last Update: August 29, 2024