4 new weaknesses found in latest OIG report on NCUA compliance with info security law; 12 prior recommendations remain open

Findings of four new weaknesses are detailed in a recent Office of Inspector General (OIG) report on the National Credit Union Administration’s (NCUA) compliance with the Federal Information Security Modernization Act (FISMA) and agency information security and privacy practices, policies, and procedures.

The firm, CliftonLarsonAllen LLC, said audit fieldwork covered the NCUA’s headquarters located in Alexandria, Va., from March 17, 2023, to July 6, 2023, assessing the period from October 1, 2022, through July 6, 2023, according to the report dated Sept. 14 and available on the NCUA website.

The firm said it noted in the report “four new weaknesses under the configuration management and identity and access management domains of the FY 2023 IG FISMA Reporting Metrics.” It said it made two new recommendations to assist NCUA in strengthening its information security program and pointed out that 12 prior FISMA recommendations remain open.

The four new weaknesses included that the NCUA:

  • was not consistent in implementing an automated process to disable inactive network user accounts in accordance with agency policy;
  • needs to strengthen its vulnerability management program;
  • needs to require multifactor authentication to the NCUA network for all non-privileged users; and
  • needs to ensure rules of behavior are consistently completed in a timely manner for new contractors.

The two recommendations for improvements address the first and fourth findings noted above; the NCUA agreed with both and has completed the first and plans to complete the second by year-end, the report states.

NCUA Federal Information Security Modernization Act of 2014 Audit – Fiscal Year 2023 (Report #OIG-23-08)