The federal credit union regulator’s information security program was found to be “effective overall” in a recent independent audit report, but the auditor reported five new weaknesses in the controls selected for review and gave 10 recommendations for improvements.
The independent audit of the National Credit Union Administration’s information security program and practices was conducted by an outside firm engaged by the agency’s inspector general (IG) office, the IG said in its memo prefacing the report. The audit is done yearly in conformance with the 2014 Federal Information Security Modernization Act (FISMA). The report, dated Aug. 20, said the audit covered the period from Oct. 1, 2024, through July 14, 2025.
The 10 recommendations addressed five specific findings in four areas of reporting metrics: cybersecurity governance, configuration management, identity and access management, and risk and asset management. The five weaknesses noted were that the agency:
- did not develop an organizational cybersecurity profile or related policies and procedures;
- did not maintain an up-to-date inventory of its data and corresponding metadata;
- did not monitor compliance with the configuration settings for all networking equipment;
- did not consistently resolve vulnerabilities for workstations and a [text redacted] within required timelines; and
- did not consistently implement account management controls.
The agency’s Office of Inspector General (OIG) said NCUA management concurred with the 10 recommendations and noted its planned corrective actions.
The report also noted that the agency had addressed 14 of the 17 open recommendations remaining at the beginning of fiscal 2025 from previous FISMA audits, and those 14 were considered closed.