OIG-21-09 NCUA Federal Information Security Modernization Act of 2014 Audit—Fiscal Year 2021, issued November 22, 2021, Number of Open Recommendations: 7, Potential Cost Savings: $0 Recommendation#1—Review the SCRM NIST guidance and update the SCRM plan, policies, and procedures to fully address supply chain risk management controls and practices. Recommendation #2—Document and implement a plan to deploy multifactor authentication to address increased risks with the large number of personnel teleworking without a PIV card during the pandemic. Recommendation #3—Implement automatic disabling of inactive Salesforce Call Center user accounts for DOCA users in accordance with NCUA policy. Recommendation #4—Document and approve a formal acceptance of risk for not disabling Salesforce inactive accounts after 30 days in accordance with NCUA policy for users whose business needs do not require regular access to the system. Recommendation #5—Complete and issue policies to implement the CUI program. Recommendation #6—Upon issuance of the CUI policies, design and implement media marking to designate protection standards for safeguarding and/or disseminating agency information. Recommendation #7— [Note: We redacted this recommendation under (b) (7)(E)].