On August 29, 2024, the Federal Financial Institutions Examination Council (FFIEC) released a new Development, Acquisition, and Maintenance (DA&M) booklet, as part of their IT Examination Handbook. This new booklet supersedes and replaces the previous Development & Acquisition (D&A) booklet.
In this article, we're going to:
- Define development, acquisition, and maintenance.
- Summarize the seven key sections of the booklet.
- Talk about five trends that make this booklet stand out.
- Provide some "next steps" for your DA&M journey.
About Development, Acquisition, and Maintenance
Let's start by talking about development, acquisition, and maintenance. While the FFIEC provides lengthy paragraph descriptions for each of these items in the booklet, we're going to paraphrase:
- Development is the process of creating IT assets (think: systems, software, hardware, components, etc.). Development includes planning, designing, testing, and implementing assets to achieve business goals and strategic objectives. You can develop things on your own or you can hire a third party to develop them on your behalf.
- Acquisition is the process of obtaining IT assets from trusted providers. Acquisition focuses primarily on performing good third-party risk management (TPRM). It sometimes goes by other fancy names (e.g., "solicitation," "procurement," "licensing," etc.). At the end of the day though, acquisition always comes back around to foundational practices (e.g., planning, due diligence and selection, contract management, etc.).
- Maintenance is the process of keeping your IT assets fresh, relevant, and secure, whether they were developed internally or acquired externally. Maintenance is about ensuring continuity of operations, continuous improvement, and organizational resilience.
While each of these topics is loaded with specifics in the booklet, the heart of it all comes back to good IT asset management, which is a recurring theme in this booklet, but more on that later.
Booklet Structure
The DA&M booklet is structured into seven primary sections.
| Section | Summary |
| --- | --- |
| Introduction | This section provides a brief overview of the topic, as well as the formal definitions for the terms "Development," "Acquisition," and "Maintenance." |
| Governance | This section provides an overview of DA&M policies, standards, and procedures, as well as the roles and responsibilities related to the DA&M process (e.g., the Board of Directors, senior management, project management team roles, development roles, third-party risk management roles, auditors, support functions, etc.). |
| Risk Management | This section sets the tone for the rest of the booklet. It outlines the risk management process of identifying, measuring, mitigating, monitoring, and reporting risks related to the DA&M process. |
| Common Risk Topics | This section is the largest section of the booklet, addressing 17 unique (but related) DA&M topics at varying levels of detail (e.g., software development, project management, data management, third-party risk management, technical considerations, etc.). Each section follows a similar pattern of: |
| Development | This section dives into development-specific topics (e.g., development standards, testing, DevOps, etc.), restating and modernizing several concepts from the former version of the booklet. |
| Acquisition | This section provides information about what third-party risk management looks like in the context of acquiring IT assets (e.g., planning, due diligence and selection, contract negotiation, etc.). |
| Maintenance | This section talks about the different types of maintenance that need to be performed, regardless of whether a system was developed or acquired. Several topics align with, and contextualize, IT asset management concepts previously discussed in the FFIEC's Architecture, Infrastructure, and Operations (AIO) booklet (e.g., patch management, change management, end-of-life / end-of-support management, etc.). In short, if you have a good IT asset management process that includes developed and acquired assets, you're well on your way. |
Key Trends
In addition to the topics presented in the booklet, here are five key trends that really set this booklet apart.
- The emphasis on examples. While FFIEC guidance strives to be "principles-based," it is always helpful to see examples that put obscure theories into practical terms. This booklet goes above and beyond, with more than 130 examples spread across the booklet's contents. (For comparison, the AIO booklet used the term "example" only 68 times.) By providing examples of what is included in certain terms or what certain topics look like when implemented correctly, the FFIEC paints a more complete picture of what good DA&M looks like, which ultimately benefits the reader without being overly prescriptive.
- References to external sources. One of the greatest benefits of the FFIEC IT Examination Handbook is that the booklets take best practices and present the concepts in a way that is relevant to stakeholders (e.g., examiners, financial institutions, third-party service providers, etc.). This booklet is no different, presenting and summarizing recommendations from several industry leaders, including the National Institute of Standards and Technology (NIST), the Open Worldwide Application Security Project (OWASP), and the Project Management Institute (PMI) to name a few.
- References to existing agency guidance. The booklet frequently refers to other FFIEC booklets, which emphasizes the agencies' point that DA&M doesn't happen in isolation. DA&M works best when it is performed hand-in-hand with information security, audit, operations, business continuity, and beyond. The guidance also often cites other agency resources, such as the Interagency Guidance on Third-Party Relationships: Risk Management, the federal banking agencies' Computer-Security Incident Notification Requirements, and the Gramm-Leach-Bliley Act (GLBA).
- A focus on scalability. On several occasions, the booklet addresses "large or complex entities" and "smaller or less complex entities." The guidance takes time to provide examples and scenarios in which a circumstance or best practice may look different based on the organization's nature. This further supports the FFIEC's principles-based approach that recognizes risk management isn't a one-size-fits-all thing. It's more about finding what size fits best for the organization. This booklet goes a step further than previous booklets, explicitly stating more than once that exceptions to best practices are allowed, as long as appropriate "mitigating controls are in place" (a.k.a., compensating controls).
- Clear and relevant definitions. In addition to largely adopting terms and definitions from outside sources (like NIST), an excellent feature of this booklet is the set of helpful definitions in the footnotes. For example, the FFIEC gives us a clear definition of the term "fintech" in one of the footnotes, saying: "For purposes of this booklet, 'fintech' refers to using technology in novel ways to provide financial services." The instant context makes the booklet much easier to read and understand than previous iterations, which is especially helpful in highly technical contexts involving DA&M.
What Now?
If you are looking for next steps, we encourage you to read the booklet for yourself and see how the concepts apply to your organization. You can download the booklet on the FFIEC's IT Examination Handbook InfoBase website (https://ithandbook.ffiec.gov/) or use the direct links below.
For further details about the DA&M booklet, the booklet's examination procedures, and what changes will be made to Tandem in response, join our webinar on October 10, 2024 at 2:00 PM (CT). Learn more and register now at Tandem.App/Webinars. If you can't make it for the live session, go ahead and sign up to get access to the recording.