IG’s info security report on NCUA cites control weaknesses, makes 15 recommendations

Fifteen recommendations for strengthening the National Credit Union Administration’s (NCUA) information security program are detailed in a fiscal 2019 inspector general report on the agency’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA).

The 15 recommendations include two that are outstanding from the fiscal 2018 FISMA report. The 2018 report provided 11 recommendations, of which a total of six remain outstanding (three of which had not been scheduled for completion until this Dec. 31 and one not until Dec. 31, 2022).

FISMA requires agencies to develop, implement, and document an agency-wide information security program and practices. It also requires inspectors general (IG) to conduct an annual independent evaluation of their agencies’ information security programs and report the results to the Office of the Management and Budget (OMB).

The fiscal 2019 report for NCUA was conducted by an outside firm, CliftonLarsenAllen LLP, which was engaged to help the NCUA IG in assessing the agency’s compliance with FISMA and agency information security and privacy policies and procedures.

“We concluded that the NCUA has, for the most part, formalized and documented its policies, procedures, and strategies; however, the NCUA faces certain challenges in the consistent implementation of its information security program and practices,” according to an executive summary of the report. “We identified weaknesses in five of the eight domains of the FY 2019 IG FISMA Reporting Metrics related to risk management, configuration management, identity and access management, data protection and privacy, and information security continuous monitoring.”

The “domains” noted in the report refer to the eight domains over which 67 objective questions are divided under the FY 2019 IG FISMA Metrics. Those eight domains, which correspond to five security functions, include the above-noted domains plus security training, incident response, and contingency planning.

The report says these control weaknesses affect the agency’s ability to preserve the confidentiality, integrity, and availability of NCUA information and information systems, “potentially exposing them to unauthorized access, use, disclosure, disruption, modification, or destruction,” the report says.

NCUA management concurred with the recommendations and provided a plan for implementing them, with the corrections slated at points throughout calendar 2020.

Report #OIG-19-10 (Dec. 12, 2019)