FFIEC IT Handbook: Development, Acquisition, and Maintenance Booklet
Summary
The FFIEC has updated its IT Examination Handbook with a revised 'Development, Acquisition, and Maintenance' booklet. This guidance provides updated information and best practices for financial institutions regarding the governance, risk management, and oversight of IT development, acquisition, and maintenance processes.
What changed
The Federal Financial Institutions Examination Council (FFIEC) has released an updated version of its 'Development, Acquisition, and Maintenance' booklet, which is part of the IT Examination Handbook. This update provides financial institutions with current guidance on IT governance, risk management, and oversight related to the development, acquisition, and ongoing maintenance of technology systems and services.
Financial institutions should review the updated booklet to ensure their internal policies, standards, and procedures align with the revised guidance. This includes understanding the roles and responsibilities outlined for various stakeholders, from the board of directors to IT project management and supply chain functions, as well as the risk management practices for identifying, measuring, and monitoring risks associated with these IT lifecycle activities. While this is guidance, adherence is expected as part of prudent IT risk management.
What to do next
- Review the updated FFIEC IT Handbook booklet on Development, Acquisition, and Maintenance.
- Assess internal policies, standards, and procedures for alignment with the revised guidance.
- Ensure roles and responsibilities for IT development, acquisition, and maintenance are clearly defined and understood.
Source document (simplified)
Development, Acquisition, and Maintenance
The "Development, Acquisition, and Maintenance" booklet is one in a series of booklets that compose the Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook).
Booklet Contents
- Introduction
- I Overview of Development, Acquisition, and Maintenance
- II Governance of Development, Acquisition, and Maintenance
- II.A Policies, Standards, and Procedures
- II.B Roles and Responsibilities
- II.B.1 Board, Senior Management, and Other Common Roles
- II.B.2 IT Project Management Roles
- II.B.3 Development Roles
- II.B.4 Acquisition Roles
- II.B.5 Maintenance Roles
- II.B.6 Other Common Development, Acquisition, and Maintenance Roles
- II.B.7 Supply Chain Roles
- II.B.8 Other Support Functions
- II.B.9 Audit's Role
- III Risk Management of Development, Acquisition, and Maintenance
- III.A Risk Identification
- III.B Risk Measurement
- III.C Risk Monitoring and Reporting
- III.D Controlling or Mitigating Risk
- IV Common Development, Acquisition, and Maintenance Risk Topics
- IV.A Open-Source
- IV.B Commercial-off-the-Shelf
- IV.C Licenses, Agreements, and Copyright Protection
- IV.C.1 Software Licenses
- IV.C.1(a) Free and Open-Source Software Licenses
- IV.C.1(b) Proprietary Software Licenses
- IV.C.2 Hardware Licenses
- IV.C.3 Copyright Protection
- IV.D Secure Development
- IV.E Data
- IV.F Secure Operating Environments
- IV.G Microservices
- IV.H Containers
- IV.I Application Programming Interfaces
- IV.I.1 API Gateway
- IV.I.2 API Risk Mitigation
- IV.J Methodologies
- IV.J.1 Waterfall
- IV.J.2 Agile
- IV.K Quality Management
- IV.L Documentation Standards
- IV.M Post-Implementation Review
- IV.N IT Project Management
- IV.N.1 IT Project Phases
- IV.N.1(a) Initiation
- IV.N.1(b) Planning
- IV.N.1(c) Execution
- IV.N.1(d) Closeout
- IV.N.2 Monitoring and Controlling
- IV.N.3 IT Project Documentation
- IV.N.3(a) IT Project Request
- IV.N.3(b) Business Case
- IV.N.3(c) Feasibility Study
- IV.N.3(d) IT Project Plans
- IV.N.3(e) Closeout Documentation
- IV.O System Development Life Cycle
- IV.O.1 SDLC Phases
- IV.O.1(a) Initiation
- IV.O.1(b) Development or Acquisition
- IV.O.1(c) Implementation and Assessment
- IV.O.1(d) Operations and Maintenance
- IV.O.1(e) Sunset and Disposal
- IV.P Third-Party Relationship Risk Management
- IV.P.1 Planning
- IV.P.2 Due Diligence and Third-Party Selection
- IV.P.3 Contract Negotiation
- IV.Q Supply Chain Considerations
- IV.Q.1 Supply Chain Risk Management
- IV.Q.2 Software Bill of Material
- IV.Q.3 Enterprise Risk Management and Supply Chain Risks
- V Development
- V.A Development Standards and Controls
- V.B Testing
- V.C DevOps and DevSecOps
- V.C.1 DevOps
- V.C.2 DevSecOps
- V.D Functional Development Types
- V.D.1 Model Development
- V.D.2 Database Development
- VI Acquisition
- VI.A Acquisition Policies, Standards, and Procedures
- VI.B Acquisition Projects
- VI.C Solicitation
- VI.D Evaluation
- VI.E Contracts and Other Agreements
- VI.E.1 Statement of Work
- VI.E.2 Master Services Agreement
- VI.E.3 Service Level Agreement
- VI.E.4 Contracts
- VI.E.5 Escrowed Source Code Agreements and Documentation
- VI.E.6 Exit Strategy
- VII Maintenance
- VII.A Preventive Maintenance
- VII.B Change Management
- VII.B.1 Implementing Changes
- VII.B.2 Additional Control Considerations in Change Management
- VII.B.2(a) Data Controls in the Testing Environment
- VII.B.2(b) Library Controls
- VII.B.2(c) Code Repository Controls
- VII.B.3 Change Types
- VII.B.3(a) Routine Modifications
- VII.B.3(b) Major Modifications
- VII.B.3(c) Emergency Modifications
- VII.B.4 Change Management Documentation
- VII.B.4(a) Change Request Form
- VII.B.4(b) Impact Analysis
- VII.B.4(c) Rollback or Back-Out Plan
- VII.C End-of-Life
- VII.D Termination and Disposal
- VII.E Maintenance Documentation
- Appendix A: Examination Procedures
- Appendix B: Glossary
- Appendix C: Abbreviations
- Appendix D: References