National Credit Union Administration Federal Information Security Modernization Act of 2014 Audit - Fiscal Year 2025

View Report

Date Issued

Wednesday, August 20, 2025

Submitting OIG

National Credit Union Administration OIG

Agencies Reviewed/Investigated

National Credit Union Administration

Report Number

OIG-25-08

Report Description

This report summarizes the results of Sikich’s independent evaluation and contains ten new recommendations that will assist the agency in improving the effectiveness of its information security and its privacy programs and practices. NCUA management concurred with and has identified corrective actions to address the recommendations.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

External Link

https://ncua.gov/about/inspector-general/oig-reports/audit-reports

Open Recommendations

This report has 10 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1.OIG-25-08	No	$0	$0
Document policies and procedures for developing and maintaining current and target cybersecurity profiles that include, at a minimum, consideration of the NCUA’s mission objectives, threat landscape, and resources (including personnel) and constraints.
2.OIG-25-08	No	$0	$0
Create and maintain current and target cybersecurity profiles—including a gap analysis that identifies differences between the current and target state—that consider anticipated changes in the NCUA’s cybersecurity posture.
3.OIG-25-08	No	$0	$0
Update and maintain the comprehensive inventory of data and the corresponding metadata to meet the requirements of the Open Government Data Act and OMB Memorandum M-25-05 by the established September 2026 deadline.
4.OIG-25-08	Yes	$0	$0
Implement baseline compliance monitoring for routers, switches, and firewalls on the NCUA network. This includes documenting deviations from the configuration baselines and providing business justifications for these deviations.
5.OIG-25-08	No	$0	$0
Improve processes to ensure that the NCUA remediates workstation vulnerabilities within agency-required timelines, including monitoring for workstations that have been disconnected from the network for an extended period of time.
6.OIG-25-08	No	$0	$0
Develop and implement procedures to remediate vulnerabilities for the (b) (7)(E) within NCUA timeline requirements that fall outside of the (b) (7)(E) monthly patching schedule.
7.OIG-25-08	No	$0	$0
Coordinate with (b) (7)(E) to upgrade the (b) (7)(E) software or document any risk-based decisions, including compensating controls.
8.OIG-25-08	No	$0	$0
Conduct a review of all current (b) (7)(E) privileged user accounts to ensure that the NCUA has documented access requests and approvals for each privileged user account, as required by NCUA policies and procedures.
9.OIG-25-08	No	$0	$0
Validate that the NCUA completes quarterly account reviews for the (b) (7)(E) and (b) (7)(E) systems.
10.OIG-25-08	No	$0	$0
Implement automatic disabling of privileged (b) (7)(E) user accounts upon 30 days of inactivity or document any risk-based decisions, including compensating controls.