NCUA earns ‘level 4’ rating in latest info security performance audit

The federal regulator of credit unions earned just shy of the top “maturity” level rating for its information security program for the fiscal year ending Sept. 30, 2022 – and received four recommendations for strengthening it – in an independent performance audit conducted under the Federal Information Security Modernization Act of 2014.

Ten prior recommendations also remain open, the audit report states.

In its report, independent auditor CliftonLarsonAllen LLP concluded that the National Credit Union Administration (NCUA) implemented an effective information security program by achieving an overall Level 4 – Managed and Measurable maturity level (at least a Level 4 rating is required to be considered effective; 5 – Optimized is the top rating). It also said the agency complied with FISMA; and substantially complied with agency information security and privacy policies and procedures.

While rating the agency a 4 under FISMA, the firm also noted that the agency’s implementation of a subset of selected controls was not fully effective. “Specifically, we noted four new weaknesses that fell in the risk management, identity and access management, and configuration management domains of the FY 2022 Core Metrics,” the firm said in its report. “As a result, we are making four new recommendations to assist NCUA in strengthening its information security program. In addition, ten prior FISMA recommendations remain open.”

The NCUA Office of Inspector General (OIG), in a letter prefacing the report, said the agency concurred with the four recommendations and had planned corrective actions. The recommendations are:

  • Enforce the process to validate that expired memoranda of understanding (MOUs) and those expiring are prioritized for review, update, and renewal in accordance with NCUA policy.
  • Conduct a workload analysis within the Office of Chief Information Officer (OCIO) and document a staffing plan to allocate appropriate and sufficient resources to improve OCIO’s ability to perform remediation of persistent vulnerabilities caused by missing patches, configuration weaknesses, and outdated software.
  • Conduct an analysis of the technologies employed within the NCUA operational environment and document a plan to reduce the wide variety of differing technologies requiring support and vulnerability remediation, as feasible.
  • Implement a solution that resolves the privileged access management vulnerability. (A discussion in the report points to lack of multifactor authentication for privileged users.)
NCUA Report #OIG-22-07 (Oct. 26, 2022)