Firm finds 2 weaknesses in NCUA cybersecurity, recommends actions

A recent cybersecurity audit for the federal credit union regulatory agency concludes that the agency needs to enhance its account recertification process for privileged users and to strengthen its Security Information and Event Management (SIEM) tool processes.

The cybersecurity audit for the National Credit Union Administration was performed by an outside audit firm, CliftonLarsonAllen LLP (CLA), the report shows. The aim of the performance audit, the firm wrote, was to assess the effectiveness of the NCUA’s firewalls and SIEM solution “to determine if they are designed and implemented to prevent and detect security threats to the NCUA network.” The audit field work, it said, was conducted at the agency’s headquarters in Alexandria, Va., from Oct. 19, 2022, to March 16, 2023.

The May 2 audit report suggests, specifically, that:

  • The NCUA needs to enhance the account recertification process for privileged users.
    • Accounts that have access to cybersecurity devices such as firewalls and the SIEM tool were not periodically recertified to determine whether accounts are still needed. The NCUA Information Security Procedural Manual requires the review of accounts for compliance with account management requirements at least quarterly.
  • The NCUA needs to strengthen its SIEM tool audit logging and collection, visibility, and retention processes. Specifically, the NCUA needs to implement the following logging requirements specified in the Office of Management and Budget (OMB) Memorandum 21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents:
    • Ingesting all required basic logging categories into its SIEM.
    • The capacity for data storage for required minimum logging data retention periods.

The report states these weaknesses are inconsistent with the Government Accountability Office (GAO) Standards for Internal Control in the Federal Government.

Four recommendations in all were provided. The first addresses privileged access to the agency’s cybersecurity mechanisms; the other three focus on resolving the SIEM tool issues in keeping with Office of Management and Budget (OMB) Memorandum 21-31, Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents. They are:

  • Recommendation 1: Include in its quarterly review process, privileged accounts with access to cybersecurity devices such as firewalls and the SIEM tool.
  • Recommendation 2: Complete the risk-based selection and procurement of additional audit logging tools needed to strengthen audit logging, retention, and visibility to fully implement the minimum logging requirements stipulated in OMB M-21-31.
  • Recommendation 3: Acquire the additional resources needed to fully implement the minimum logging requirements stipulated in OMB M-21-31.
  • Recommendation 4: Complete implementation of OMB M-21-31 to achieve past due Event Logging 1 and 2 maturity levels and to meet the Event Logging 3 maturity due by August 27, 2023.

The NCUA agreed with all four recommendations, noting it has addressed the first and plans to complete actions on the other three by the end of 2024.