IG report contains 2 recommendations for NCUA to improve information security programs

9 previous recommendations still open, report says

Two new recommendations were made to the National Credit Union Administration (NCUA) in a recent audit report to help the agency improve the effectiveness of its information security and its privacy programs and practices, the agency’s inspector general said in its report issued Nov. 16.

The report (#OIG-20-09, “National Credit Union Administration Federal Information Security Modernization Act of 2014 Audit – Fiscal Year 2020”) gives the results of a performance audit conducted by the auditing firm CliftonLarsonAllen to help the NCUA IG’s office assess the agency’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA) and with the agency’s own information security and privacy policies and procedures. The fiscal 2020 report is based on the firm’s work from June 10 through Oct. 20, 2020, at the NCUA’s headquarters office in Alexandria, Va.

FISMA requires agencies to develop, implement, and document an agency-wide information security program and practices, and it requires IGs to conduct an annual independent evaluation of their agencies’ information security programs and report the results to the Office of Management and Budget (OMB).

“We concluded that the NCUA has, for the most part, formalized and documented its policies, procedures, and strategies; however, the NCUA faces certain challenges in the consistent implementation of its information security program and practices,” the firm said in its report to the agency.

The report points to improvements and effective controls related to training, incident response, and contingency planning, but it also identified weaknesses in three of the eight domains of the FY 2020 IG FISMA Reporting Metrics: risk management, configuration management, and identity and access management. “These control weaknesses affect the NCUA’s ability to preserve the confidentiality, integrity, and availability of the Agency’s information and information systems, potentially exposing them to unauthorized access, use, disclosure, disruption, modification, or destruction,” the report states.

The firm made two recommendations, both focusing on ensuring system accounts for separated employees and contractors are disabled within the time frame established by agency policy; the NCUA concurred and set a target of Dec. 31, 2021, for completing these steps. The report also noted that nine of the 21 prior FISMA open recommendations (detailed here last year) related to the NCUA’s security program and practices remain open.
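The control behind both recommendations is a timeliness check: every separated employee or contractor should have their system account disabled within the window the agency's policy sets. The script below is an added illustration of how an agency could run that check itself, by reconciling HR separation records against directory account status; it is not code from the audit report, CliftonLarsonAllen or the NCUA. The policy window (5 days), the record layout and the sample users are all constructed for the example, since the report does not state the agency's actual time frame.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy window. The audit refers to "the time frame established by
# agency policy" without stating it, so this value is a placeholder.
POLICY_WINDOW_DAYS = 5


@dataclass(frozen=True)
class Separation:
    """One HR separation record (employee or contractor)."""
    user_id: str
    kind: str            # "employee" or "contractor"; same rule applies to both
    separated_on: date


@dataclass(frozen=True)
class Account:
    """Directory account status as exported on the review date."""
    user_id: str
    enabled: bool
    disabled_on: Optional[date]  # None while the account is still enabled


def review_separations(separations: List[Separation], accounts: List[Account],
                       as_of: date, window_days: int = POLICY_WINDOW_DAYS) -> List[Dict]:
    """Return one finding per separated user whose account was not disabled
    inside the policy window. Finding statuses:
      still_enabled      - account active and the deadline has passed
      disabled_late      - account disabled, but after the deadline
      no_account_record  - HR knows the user, the directory export does not
    Users still inside the window, or disabled on time, produce no finding."""
    by_id = {a.user_id: a for a in accounts}
    findings = []
    for sep in separations:
        deadline = sep.separated_on + timedelta(days=window_days)
        acct = by_id.get(sep.user_id)
        if acct is None:
            findings.append({"user_id": sep.user_id, "kind": sep.kind,
                             "status": "no_account_record", "days_overdue": None})
        elif acct.enabled:
            if as_of > deadline:
                findings.append({"user_id": sep.user_id, "kind": sep.kind,
                                 "status": "still_enabled",
                                 "days_overdue": (as_of - deadline).days})
        elif acct.disabled_on is not None and acct.disabled_on > deadline:
            findings.append({"user_id": sep.user_id, "kind": sep.kind,
                             "status": "disabled_late",
                             "days_overdue": (acct.disabled_on - deadline).days})
    return findings


def summarize(separations: List[Separation], findings: List[Dict]) -> Dict[str, int]:
    """Counts suitable for a status report: how many records were reviewed and
    how many fell into each finding category."""
    summary = {"reviewed": len(separations), "findings": len(findings),
               "still_enabled": 0, "disabled_late": 0, "no_account_record": 0}
    for f in findings:
        summary[f["status"]] += 1
    return summary


# Constructed sample data for the review date below (not real NCUA records).
AS_OF = date(2020, 10, 20)
SEPARATIONS = [
    Separation("alice", "employee", date(2020, 9, 1)),    # disabled on time
    Separation("bob", "contractor", date(2020, 9, 1)),    # disabled 9 days late
    Separation("carol", "employee", date(2020, 9, 20)),   # still enabled, overdue
    Separation("dave", "contractor", date(2020, 10, 18)), # still inside the window
    Separation("erin", "employee", date(2020, 10, 1)),    # missing from directory
]
ACCOUNTS = [
    Account("alice", enabled=False, disabled_on=date(2020, 9, 3)),
    Account("bob", enabled=False, disabled_on=date(2020, 9, 15)),
    Account("carol", enabled=True, disabled_on=None),
    Account("dave", enabled=True, disabled_on=None),
]


def run_sample() -> List[Dict]:
    """Run the review over the constructed sample data."""
    return review_separations(SEPARATIONS, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    findings = run_sample()
    for f in findings:
        print(f"{f['user_id']:<8} {f['kind']:<10} {f['status']:<18} "
              f"overdue={f['days_overdue']}")
    print(summarize(SEPARATIONS, findings))
```

The "no_account_record" case matters as much as the late ones: it usually means the HR feed and the directory export use different identifiers, so a user may be silently skipped by an automated de-provisioning job. Running the reconciliation on the full history, rather than only on currently enabled accounts, is what lets an audit distinguish "disabled eventually" from "disabled within policy".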