NASCUS Summary of the OIG NCUA Semiannual Report to Congress

On May 30, 2023, NCUA’s Office of Inspector General issued its semiannual report to Congress covering the six-month period October 2022 through March 2023.

The report provides a general recap of the NCUA's and its OIG's activities over the six-month period, including highlights of conditions in the federally insured credit union industry, structural changes within NCUA, legislative highlights, audit activity, and a listing of outstanding, unimplemented Material Loss Review (MLR) and audit recommendations.

Highlights of the report that NASCUS believes are most relevant, with report page references for detailed review, include:

AMAC Reestablished as an Independent Office
Page 6

  • On December 1, 2022, the Asset Management and Assistance Center (AMAC) was removed from the Southern Region and made an independent office under the Field Program Offices.  Its offices remain in Austin, Texas.  Former Deputy Cory Phariss (previously under Southern Region Director Keith Morton) was named AMAC's new president and now provides independent advice to the NCUA Board on managing recoveries for the NCUSIF, implementing liquidation payouts, and related matters.

Charles Vice Selected as Director of Financial Technology and Access
Page 6

  • On January 3, 2023, former Kentucky Commissioner Charles Vice was named Director of Financial Technology and Access, a newly established office created to advise the NCUA Board on fintech developments, cryptocurrency, blockchain and distributed ledger technology, as well as on methods to enhance NCUA's virtual supervision processes and to promote technology and other innovation in the industry.

OIG-22-07 FY 2022 Independent Audit of the NCUA’s Compliance with FISMA 2014
Page 13

  • CliftonLarsonAllen (CLA) reviewed the 20 OMB-required core metrics across the five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of the NCUA's information security program (ISP) and its maturity level in each area.  CLA concluded that the NCUA ISP achieved an overall maturity of Level 4 (Managed and Measurable), complied with FISMA, and met the minimum threshold to be considered effective overall.  Weaknesses noted included ineffective implementation of a subset of the selected controls, in particular four new weaknesses in the risk management, identity and access management, and configuration management domains of the FY 2022 core metrics, which resulted in four new recommendations to strengthen the ISP.

NCUA Audits Currently In Progress
Page 15

  • OIG audits currently in process include: NCUA's Contracting Officer's Representative (COR) Program; NCUA's Bank Secrecy Act (BSA) enforcement; Preventing and Detecting Cyber Threats (firewall and SIEM solution effectiveness); NCUA's Quality Assurance Program; and NCUA's Federal Chartering Activities.

Unfulfilled Recommendations Currently Outstanding

  • A material number of the outstanding, unaddressed recommendations relate to NCUA information technology systems and/or continuity of operations.  The following is not an exhaustive list of outstanding recommendations, but those NASCUS considers most substantial.

OIG-22-09 Audit of the NCUA's Continuity of Operations Program (COOP)
Page 14

  • A self-initiated OIG audit of the NCUA's COOP determined that a full failover test of NCUA's IT network should be conducted so that potential weaknesses are identified and corrected.  Further, the Office of Continuity and Security Management (OCSM) and the Office of the Chief Information Officer (OCIO), the two main offices involved in COOP and security matters, should work to improve communication between their offices.  The report made four recommendations to address the issues identified.

Material Loss Review Significant Recommendations on Which Corrective Action Has Not Been Completed
Page 17

  • OIG-18-07 FY2018 Federal Information Security Modernization Act Compliance, Recommendation #8 – Enforce policy to remediate patch- and configuration-related vulnerabilities within agency-defined timeframes.
  • OIG-22-06 Audit of the NCUA’s Minority Depository Institutions Preservation Program, Recommendation #2 – Implement and document appropriate policies and procedures to validate whether minority depository institutions continue to meet the minority depository institution definition.

Unfulfilled Recommendations Over 6 Months Old.
Page 18

  • OIG-18-07 FY2018 Federal Information Security Modernization Act Compliance, Recommendation #6 – OCSM to complete employee background reinvestigations; #8 – Enforce policy to remediate patch- and configuration-related vulnerabilities within agency-defined timeframes; #9 – OCIO to implement a process to detect unsupported software and migrate it to supported platforms; #10 – OCIO to implement a process to identify authorized software in its environment and remove unauthorized software.
  • OIG-19-10 NCUA Federal Information Security Modernization Act of 2014 Audit; Recommendation #4 – Implement, test, and monitor standard baseline configurations for all platforms in the NCUA IT environment in compliance with established NCUA security standards and document approved deviations from the baseline.
  • OIG-21-06 Audit of the NCUA’s Governance of Information Technology Initiatives, Recommendation #1 – Document and publish IT Investment Management policies and procedures to include definitions, roles, responsibilities, and processes associated with IT governance and selecting, controlling, and evaluating information technology investments.
  • OIG-21-09 NCUA Federal Information Security Modernization Act of 2014 Audit, Recommendation #1 – Review NIST Supply Chain Risk Management guidance and update plans, policies, and procedures; Recommendation #2 – Document and implement a plan to deploy multifactor authentication to address the increased risk of personnel teleworking without a PIV card; Recommendation #5 – Complete and issue policies to implement the Controlled Unclassified Information (CUI) program; Recommendation #7 – Recommendation redacted under 5 U.S.C. 552(b)(7)(E).

Recommendations for Corrective Action Made During the Reporting Period
Page 21

  • OIG-22-07 NCUA Federal Information Security Modernization Act Audit, Recommendation #1 – Enforce the process to validate that expired and expiring MOUs are prioritized for review, update, and renewal; Recommendation #2 – Conduct a workload analysis with OCIO and document a staffing plan that allocates sufficient resources to improve remediation of persistent vulnerabilities caused by missing patches, configuration weaknesses, and outdated software; Recommendation #3 – Analyze the technologies employed within the NCUA operational environment and document a plan to reduce the wide variety of technologies requiring support and vulnerability remediation; Recommendation #4 – Implement a solution that resolves the privileged access management vulnerability.

OIG-22-09 Audit of NCUA's Continuity of Operations Program

Report on Non-Material Losses to the NCUSIF
Page 22

  • Over the covered six-month period, the OIG conducted limited reviews of four failed credit unions that caused losses to the fund of less than $25 million each.  The initial reviews indicated that none of the losses warranted additional audit work because (1) the failures did not involve unusual circumstances, or (2) the reasons identified for failure are already addressed by recommendations to the agency in the MLR Capping Report or other MLR reports.