ALEXANDRIA, Va. – NCUA has now addressed and resolved 13 recommendations for improving its information security program, according to a report by its Office of Inspector General (OIG).
There is one final outstanding recommendation still to be addressed, with the agency saying it will be wrapped up in 2019.
NCUA said it engaged CliftonLarsonAllen, LLP (CLA) to independently evaluate its IT and privacy management programs and controls for compliance with the Federal Information Security Modernization Act of 2014 (FISMA 2014) and federal regulations and standards.
CliftonLarsonAllen evaluated NCUA's information security and privacy management programs through interviews, documentation reviews, technical configuration reviews, and sample testing, according to the OIG report. It also conducted a vulnerability assessment of NCUA's network, and measured performance against FISMA 2014, the E-Government Act, National Institute of Standards and Technology (NIST) standards and guidelines, the Privacy Act, and Office of Management and Budget (OMB) memoranda and privacy and information security policies, the report said.
According to the report, NCUA has:
- Addressed and closed its six remaining recommendations from the FY 2016 FISMA report.
- Addressed and closed seven of its eight recommendations from the FY 2017 FISMA report.
- Provided documentation that indicates closure of the remaining recommendation. However, the OIG said it received this documentation too late for CLA to adequately and fully assess it for this FISMA reporting. The OIG said it will assess the documentation during FISMA 2019 to determine the status of this recommendation.
The report also offers 10 additional recommendations addressing a continuous monitoring program; documentation of system changes; personnel background investigations not yet completed; and remaining network vulnerabilities.