On May 30, 2023, NCUA’s Office of Inspector General issued its semiannual report to Congress covering the six-month period October 2022 through March 2023.
The report provides a general recap of the NCUA's and its OIG's activities over the six-month period, including highlights of conditions in the federally insured credit union industry, structural changes within NCUA, legislative highlights, audit activity, and a listing of outstanding unimplemented Material Loss Review (MLR) and audit recommendations.
Highlights of the report that NASCUS believes are most relevant, with report page references for detailed review, include:
AMAC Reestablished as an Independent Office
Page 6
- On December 1, 2022, the Asset Management and Assistance Center (AMAC) was moved out of the Southern Region and established as an independent office under the Field Program Offices. Its offices remain in Austin, Texas. Former Deputy Cory Phariss (previously under Southern Region Director Keith Morton) was named AMAC's new president and now advises the NCUA Board independently on managing recoveries for the NCUSIF, implementing liquidation payouts, and related matters.
Charles Vice Selected as Director of Financial Technology and Access
Page 6
- On January 3, 2023, former Kentucky Commissioner Charles Vice was named Director of Financial Technology and Access, a newly established office created to advise the NCUA Board on fintech developments, cryptocurrency, blockchain and distributed ledger technology, as well as on methodologies to enhance NCUA's virtual supervision processes and to promote technology and other innovation in the industry.
OIG-22-07 FY 2022 Independent Audit of the NCUA’s Compliance with FISMA 2014
Page 13
- CliftonLarsonAllen (CLA) reviewed the 20 OMB-required core metrics across the five security function areas (Identify, Protect, Detect, Respond, and Recover) to determine the effectiveness of the NCUA's information security program (ISP) and its maturity level in each area. CLA concluded that the NCUA ISP achieved an overall maturity of Level 4 (Managed and Measurable), complied with FISMA, and met the minimum to be considered effective overall. Weaknesses noted included ineffective implementation of a subset of the selected controls, in particular four new weaknesses in the risk management, identity and access management, and configuration management domains of the FY 2022 core metrics, resulting in four new recommendations to strengthen the ISP.
NCUA Audits Currently In Progress
Page 15
- OIG audits currently in process include: NCUA's Contracting Officer's Representative (COR) Program; NCUA's Bank Secrecy Act (BSA) Enforcement; Preventing and Detecting Cyber Threats (firewall and SIEM solution effectiveness); NCUA's Quality Assurance Program; and NCUA's Federal Chartering Activities.
Unfulfilled Recommendations Currently Outstanding
- A material number of the outstanding recommendations relate to NCUA information technology systems and/or continuity of operations. The following is not an exhaustive list of outstanding recommendations, but those considered most substantial.
OIG-22-09 Audit of the NCUA's Continuity of Operations Program (COOP)
Page 14
- As the result of a self-initiated audit of the NCUA's COOP, the OIG determined that a full failover test of NCUA's IT network should be conducted so that potential weaknesses are identified and corrected. Further, the Office of Continuity and Security Management (OCSM) and the Office of the Chief Information Officer (OCIO), the two main offices involved in COOP and security matters, should work to improve communication between their offices. The report provided four recommendations to address the issues identified.
Material Loss Review Significant Recommendations on Which Corrective Action Has Not Been Completed
Page 17
- OIG-18-07 FY2018 Federal Information Security Modernization Act Compliance, recommendation #8 – Enforcement of policy to remediate patch and configuration related vulnerabilities within agency defined timeframes.
- OIG-22-06 Audit of the NCUA’s Minority Depository Institutions Preservation Program, Recommendation #2 – Implement and document appropriate policies and procedures to validate whether minority depository institutions continue to meet the minority depository institution definition.
Unfulfilled Recommendations Over 6 Months Old
Page 18
- OIG-18-07 FY2018 Federal Information Security Modernization Act Compliance, Recommendation #6 – OCSM to complete employee background reinvestigations; #8 – Enforcement of policy to remediate patch and configuration-related vulnerabilities within agency-defined timeframes; #9 – OCIO to implement a process to detect and migrate unsupported software to supported platforms; #10 – OCIO to implement a process to identify authorized software in its environment and remove unauthorized software.
- OIG-19-10 NCUA Federal Information Security Modernization Act of 2014 Audit; Recommendation #4 – Implement, test, and monitor standard baseline configurations for all platforms in the NCUA IT environment in compliance with established NCUA security standards and document approved deviations from the baseline.
- OIG-21-06 Audit of the NCUA’s Governance of Information Technology Initiatives, Recommendation #1 – Document and publish IT Investment Management policies and procedures to include definitions, roles, responsibilities, and processes associated with IT governance and selecting, controlling, and evaluating information technology investments.
- OIG-21-09 NCUA Federal Information Security Modernization Act of 2014 Audit, Recommendation #1 – Review Supply Chain Risk Management NIST guidance and update plans, policies, and procedures; Recommendation #2 – Document and implement a plan to deploy multifactor authentication to address the increased risk of personnel teleworking without a PIV card; Recommendation #5 – Complete and issue policies to implement the Controlled Unclassified Information (CUI) program; Recommendation #7 – Redacted recommendation under 5 U.S.C. 552 (b)(7)(E).
Recommendations for Corrective Action Made During the Reporting Period
Page 21
- OIG-22-07 NCUA Federal Information Security Modernization Act Audit, Recommendation #1 – Enforce the process to validate that expired and expiring MOUs are prioritized for review, update, and renewal; Recommendation #2 – Conduct a workload analysis with OCIO and document a staffing plan to allocate sufficient resources to improve the agency's ability to remediate persistent vulnerabilities caused by missing patches, configuration weaknesses, and outdated software; Recommendation #3 – Analyze the technologies employed within the NCUA operational environment and document a plan to reduce the wide variety of different technologies requiring support and vulnerability remediation; Recommendation #4 – Implement a solution that resolves the privileged access management vulnerability.
- OIG-22-09 Audit of the NCUA's Continuity of Operations Program (recommendations summarized above under the COOP heading).
Report on Non-Material Losses to the NCUSIF
Page 22
- Over the covered six-month period, the OIG performed limited reviews of four failed credit unions that each caused losses to the NCUSIF of less than $25 million. The initial reviews indicated that none of the losses warranted additional audit work, because (1) the circumstances were not unusual, or (2) the reasons identified for the failure are already addressed in recommendations to the agency in the MLR Capping Report or other MLR reports.
(Oct. 8, 2021) Four recommendations to improve NCUA’s information technology investment management program are laid out in a report from the agency’s office of inspector general (OIG), made public this week.
The recommendations made to agency management, in a report of an audit initiated by the OIG, are:
- Document and publish information technology investment management policies and procedures to include definitions, roles, responsibilities, and processes associated with information technology governance and selecting, controlling, and evaluating information technology investments.
- Finalize and publish an updated agency IT oversight council charter that more comprehensively addresses and delineates the council’s information technology investment management authority, responsibilities, and functions.
- Keep the language from the April 2019 charter, or include similar language in its new charter, requiring the council to provide a rated and ranked listing of all office of primary interest-proposed projects to the NCUA Board, highlighting those that are statutorily or legally required.
- Include language in the council’s charter requiring NCUA officials to provide the group’s meeting minutes to the NCUA Board.
According to the report, the audit covered the period of Jan. 1, 2016, through Dec. 31, 2019. NCUA Inspector General (IG) James Hagen wrote that, although the audit found that the agency overall had an effective process for managing IT initiatives across the agency, "we also determined the agency could make some improvements in its IT Investment Management program related to its policies and procedures and transparency, as well as ensuring certain functions of the Information Technology Oversight Council (ITOC) are clearer."
The IG found that the agency needs to document its IT investment management policies and procedures; needs to make the scope of the Information Technology Prioritization Council’s (ITPC) authority, responsibilities, and functions clearer; and needs more transparency in the IT Investment Management process.
Hagen wrote that the audit also considered Office of the Chief Information Officer’s (OCIO) concerns regarding the funding of IT projects that fall outside of operations and maintenance support and below the threshold of capital projects. The report made no recommendations regarding funding, Hagen wrote, since the agency CIO is already addressing that.
LINK:
Audit of the NCUA’s Governance of Information Technology Initiatives, Sept. 28, 2021 (Report #OIG-21-06)