Board of Governors of the Federal Reserve System

08/29/2024 | Press release | Distributed by Public on 08/29/2024 14:22

FFIEC Information Technology Examination Handbook – Development, Acquisition, and Maintenance

The Federal Financial Institutions Examination Council (FFIEC) has revised the "Development, Acquisition, and Maintenance" (DA&M) booklet of the FFIEC Information Technology Examination Handbook (IT Handbook). The DA&M booklet is one of eleven booklets that comprise the IT Handbook. This booklet replaces the Development and Acquisition booklet issued in April 2004. The revised title reflects the importance of maintenance in the life of an information system or component such as hardware, firmware, software, peripherals, and network components.

This booklet issuance does not impose new requirements on examined entities. The booklet describes principles and practices that examiners review when assessing an entity's DA&M activities. The booklet also contains updated procedures to help examiners evaluate the adequacy of an entity's programs related to DA&M. Additionally, this booklet:

  • describes system and component development, acquisition, and maintenance;
  • highlights key risk management practices when developing, acquiring, or maintaining systems and components;
  • provides an overview of information technology project management, the system development life cycle, and supply chain risk management; and
  • addresses the importance of system and software maintenance to an entity's resilience.

The DA&M booklet and the other booklets in the IT Handbook are available on the FFIEC website at: https://ithandbook.ffiec.gov/it-booklets.

Reserve Banks are asked to distribute this letter to the supervised banking organizations in their districts and to appropriate supervisory staff. In addition, banking organizations may send questions via the Board's public website.