"The NCUA has transitioned its priority from performing Automated Cybersecurity Examination Tool (ACET) cybersecurity maturity assessments, to evaluating critical security controls. The NCUA is also piloting an Information Technology Risk Examination solution for Credit Unions (InTREx-CU). InTREx-CU harmonizes the IT and Cybersecurity examination procedures shared by the Federal Deposit Insurance Corporation, the Federal Reserve System, and some state financial regulators to ensure consistent approaches are applied to community financial institutions."
Since this statement from the NCUA, and the publication of similar 2021 Supervisory Priorities, the Tandem team has received several questions regarding the changes in examination expectations and how these changes will be addressed in Tandem. This article addresses the questions we are hearing about this topic.
For a thorough webinar version of this information, watch a recording of ACET, InTREx-CU, and ISAEP: Preparing for Changes to Your NCUA Exam presented by Leticia Saiid on December 8th, 2020.
What is different between ACET and InTREx-CU?
Several acronyms surfaced when we were researching the relationship between ACET and InTREx-CU and what credit unions should expect in upcoming exams. Here is a brief explanation of each acronym and their relationship to each other.
To best understand the NCUA's ACET, it is important to look at its predecessor, the FFIEC's Cybersecurity Assessment Tool (CAT). The CAT was originally published in June 2015 by the FFIEC. Per the website, it was designed to "provide a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time." The CAT is a self-assessment tool, originally designed for banks and credit unions to use themselves to assess their risk and determine their cybersecurity preparedness.
Shortly after the CAT was published, Tandem created the Cybersecurity product. Tandem Cybersecurity is a cloud-based software, designed to make it easier for financial institutions to complete the CAT, compare their results to peer financial institutions, and report on their cybersecurity maturity.
In 2018, the NCUA adopted the CAT and appended a few features, designed solely for the purpose of examination. They referred to this combination as the ACET, short for Automated Cybersecurity Examination Tool. The ACET used the CAT maturity statements and integrated them into a spreadsheet which also included a dashboard, a document request list, and additional commentary to be used in the examination process.
ACET is an exam built on top of a self-assessment. ACET was first used in 2018 to examine credit unions over $1 billion in assets. In 2019, it was used to examine credit unions over $250 million in assets, which brings us to 2020, where the ACET was used in examinations for credit unions of all asset sizes. According to a report from the NCUA, the purpose of the ACET was not to be a long-term examination program, but to "benchmark" credit unions, measuring the industry's cybersecurity preparedness.
Shortly after the ACET was published, Tandem added features to the Cybersecurity product to make it easier for credit unions to complete the request list and download their CAT in the spreadsheet format the NCUA would expect credit unions to complete during their exams.
The Federal Deposit Insurance Corporation's InTREx Program (short for Information Technology Risk Examination Program) was published on June 30, 2016. According to a letter published by the FDIC (FIL-43-2016) the "InTREx Program is an enhanced, risk-based approach for conducting IT examinations." The FDIC's InTREx Program is the foundation for which the NCUA is piloting their own version, InTREx-CU. A goal of this exam model adoption is to have an examination focused on critical security controls. InTREx-CU is more like previous exams than the ACET, as there is not a spreadsheet with hundreds of questions for credit unions to complete. Instead, InTREx-CU will be designed for examiners to use in the process of examination in assessing a credit union's implementation of critical controls.
- The CAT is a self-assessment tool.
- The InTREx is an examination program.
- The ACET caused some confusion, as it blurred the lines between a self-assessment tool and an examination tool.
Based on this information, InTREx-CU is not a wholesale replacement of ACET. ACET is the combination of the CAT self-assessment tool and an examination program, whereas InTREx-CU will be solely an examination tool. This distinction sets the examination apart from a self-assessment, which helps ensure all parties can conduct a thorough, independent review of controls. While examiner attention is being reprioritized from the ACET to InTREx-CU, the NCUA's 2021 Supervisory Priorities indicate they will continue to support the ACET as a self-assessment resource, helping credit unions continue to assess their cybersecurity risk and maturity outside of the NCUA's examination process.
What other terms should I know related to the examination changes?
Regarding the NCUA's transition to a new examination program, several other acronyms have been used in NCUA materials (e.g., supervisory letters, press releases, memorandums, webinars, etc.). To reduce confusion and provide context for these terms, here is a brief explanation of each acronym and its relation to the upcoming exam changes.
ISAEP stands for Information Systems and Assurance Examination Program. This is a new term, most often used informally by NCUA representatives when referring to the cybersecurity examination process. Its first official published use was in a NCUA Board Action Memorandum dated December 16, 2020.
MERIT stands for Modern Examination and Risk Identification Tool. MERIT is a web-based exam platform NCUA examiners began piloting in September 2019 and will use to conduct future exams. It will replace the NCUA's AIRES legacy examination application. The official release date has not been announced, as the product is still being pilot tested, but it is estimated to be released in the third quarter of 2021.
CSET stands for Cyber Security Evaluation Tool. CSET is a downloadable application designed for the Department of Homeland Security (DHS) by the Cybersecurity & Infrastructure Security Agency (CISA) and Idaho National Labs (INL). The CSET is a self-assessment tool for non-financial industries to assess their cybersecurity posture. The NCUA contracted with INL to build the ACET into a format similar to the CSET for credit unions to use as a free option. To access this option, ask your NCUA examiner. In a NCUA Board Action Memorandum dated December 16, 2020, the writers reference an "Automated Cybersecurity Evaluation Toolbox (ACET) self-assessment solution." It's unclear at this point if that is the solution built by INL, the spreadsheet ACET, or something else.
Exam Planning Questionnaire
In the 2021 Supervisory Priorities, the NCUA announced they will be incorporating an Exam Planning Questionnaire into the examination process. This questionnaire will help examiners better prepare for examinations by providing them with information needed to "refine the exam scope, increase offsite-monitoring capabilities, and incorporate efficiencies to the exam." The NCUA states they will be providing additional information about the questionnaire in the future.
How can I be prepared for the coming changes?
1. Be prepared to continue completing a cybersecurity self-assessment.
The NCUA 2021 Supervisory Priorities indicate the NCUA will continue to support the ACET as a self-assessment resource. The examination process moving to the InTREx-CU does not imply you should no longer complete a cybersecurity self-assessment, such as the ACET, which is based on the CAT.
Performing a self-assessment like the ACET / CAT remains beneficial for several reasons.
- It is aligned with the FFIEC IT Examination Handbook, the NIST Cybersecurity Framework, and industry-accepted cybersecurity practices.
- It offers a way for financial institutions to review their own cybersecurity posture without an auditor or examiner.
- It provides a way to demonstrate current and potential cybersecurity maturity to senior management.
- It allows you to compare your current cybersecurity posture against the past or to other institutions, if using a product like Tandem.
While the final InTREx-CU Program may not request the ACET spreadsheet, the FDIC's InTREx expects institutions to use an industry-accepted framework to assess cybersecurity maturity. The NCUA version is not likely to differ. The FDIC's version of InTREx references all but 10 of the CAT baseline maturity statements as a reference for citing deficiencies.
We recommend you continue to complete the CAT on at least an annual basis, or more frequently if significant changes occur, so you can measure your cybersecurity preparedness over time. The documentation format of the CAT is likely up to you. Currently, we recommend you continue providing your questionnaire results in the ACET spreadsheet format with which your examiners are familiar. If you are using Tandem, there is an ACET spreadsheet export option. When completing the ACET, you do not need to complete the Document Request List portion, as that was specific to the examination process.
2. Be prepared for examiners to encourage you to map your program and controls to existing frameworks.
Credit unions continue to report their examiners are encouraging them to design their cybersecurity programs based on standards and risk assessments. There seems to be a continued emphasis by each of the federal banking agencies that financial institutions should adopt industry standards like NIST, ISO, COBIT, COSO, CIS, etc. to maintain appropriate security controls. When adopting outside standards, the inherent focus is on the controls instead of the exam procedures, which ensures a better program.
The NCUA's 2020 Supervisory Priorities mentioned "evaluating critical security controls," seeming to hint at a list of controls from a specific industry standard. In the 2021 Supervisory Priorities, more generic language was used, instead expressing the examination process will continue to focus on "remediating potential high-risk areas by identifying critical information security program deficiencies."
3. Be prepared to use a new document request list.
As the ACET document request list was specific to the examination tool, a new document request list will be available for use with the InTREx-CU examination program. The InTREx-CU document request list is not finalized, but continues to be improved and adjusted during the pilot process. The items are currently organized by section: Audit, Development & Acquisition, Management, and Support and Delivery. These sections align with the FDIC InTREx program section headings.
With the transition to the new examination program, it appears the NCUA wishes to simplify the document request list and reduce burden. While the ACET list was over 60 items, the InTREx-CU list has been said to be as low as 33 items. The most recent copy we reviewed included 44 items.
Additionally, if your credit union was part of the InTREx-CU pilot program, you may be familiar with several of the items asking you to "describe" documents instead of providing specific documentation. We have heard the InTREx-CU document request list was updated to ask for specific documents and no longer use generic language.
While the NCUA continues to pilot and modify InTREx-CU, you can expect you will not be sent a copy of the document request list until close to your exam time, as your examiner will want to give you the most recent version. If you are using Tandem and have already uploaded your files into the ACET document request list format, you may be able to refer to the ACET document number in response to the InTREx-CU item, as one of our customers has recommended to us.
4. Be prepared for a new focus on incident management.
One area that stands out when comparing the document request lists of ACET and a pilot version of InTREx-CU is a new focus on incident management. While ACET asked for results of testing, the InTREx-CU document request list appears to ask for the following items:
- Formally Approved Incident Response Plan
- Employee Training Program for Incident Response
- Accompanying Incident Response Procedures
- Results from the most recent cyber incident
- Results from the most recent incident response testing
If you are looking for a fast and effective way to build an Incident Response Plan and track incidents as they occur, see our newest Tandem addition: Incident Management.
Based on the National Institute of Standards and Technology (NIST) SP 800-61 Rev. 2, Computer Security Incident Handling Guide, Tandem Incident Management is designed to put your organization ahead of the curve and ensure you have a plan for managing incidents.
5. Be prepared to use a new web application for the exam process, MERIT.
MERIT and InTREx-CU may or may not begin official use at the same time, but eventually (likely sometime in 2021) they will be used together to perform your IT/cybersecurity exam. At this point, very little is known about the anticipated user experience for credit unions during their exams. According to the NCUA's MERIT FAQ webpage, the intention was to have "ways for credit unions to securely send documents and data files to examiners, retrieve examination reports, and respond to examination findings through MERIT." The NCUA will provide user guides and training materials to assist with the transition to MERIT when it goes live.
When should I expect to see changes to my exam?
Everything is still in "pilot" mode right now. Changes were originally expected by the end of 2020. Some NCUA representatives even said credit unions could be notified as early as October 2020. As of December 2020, no additional information regarding the InTREx-CU use has been published. A board memorandum from December 16, 2020 stated MERIT is scheduled for release in the third quarter of 2021 and the 2021 Supervisory Priorites expanded the estimated window by stating it will be in the "second half of 2021." Until that time, examiners are still piloting InTREx-CU and MERIT, separately. When the time for mass adoption finally does come, credit unions will receive a letter from the NCUA regarding what to expect.
How will this change Tandem's Cybersecurity software?
At Tandem, it is our goal to improve security while easing the burden of regulatory compliance, and we are honored to have so many credit unions contacting us for assistance in managing this transition from ACET to InTREx-CU. Here is what you can expect from Tandem's Cybersecurity software:
- We will continue to provide the ACET features as part of our Tandem Cybersecurity product, for those who would like to continue to use them. We will continue to offer the free and pro versions of the tool to help ensure our clients have an easy, efficient, and repeatable way to assess their cybersecurity risk and maturity. To learn more about Tandem Cybersecurity or to sign up for the free version, visit Tandem.App/Cybersecurity-Assessment-Tool-FFIEC.
- We will not integrate the InTREx-CU examination program into Tandem since it is an examination model which examiners will use in their own application.
- We may integrate the InTREx-CU document request list into Tandem, like the existing ACET document request list. Before committing to any long-term decisions, we are waiting for confirmation about if the new MERIT exam application will provide a similar solution for credit unions.
As both the InTREx-CU document request list and the MERIT application are still being tested and modified, no changes will be made to Tandem at this time. Once we have more information, Tandem leadership can determine if developing a tool to assist credit unions in preparing their InTREx-CU document request list would be beneficial to the end-user and if it should be part of future Tandem strategy. Until that point, if you receive information not covered in this article regarding changes to the examination program, feel free to let us know at firstname.lastname@example.org.
How would you summarize the important changes between the 2020 Supervisory Priorities and the 2021 Supervisory Priorities?
A confirmation that ACET is a self-assessment and InTREx-CU does not replace it.
When describing the change from ACET to InTREx-CU, instead of stating the NCUA has "transitioned its priority," the 2021 version reads, "reprioritized away from." This is an important clarification as the initial wording of "transition" raised a lot of questions about if InTREx-CU was a wholesale replacement for ACET. The 2021 version also states, "ACET will become a self-assessment resource for credit unions, supported by the NCUA." This is further clarification the ACET will remain in-use as a self-assessment.
Less emphasis on an industry standard mapping.
While the 2020 version references evaluation against a standard twice, the 2021 version does not. Instead, it says the examination process will continue to focus on "remediating potential high-risk areas by identifying critical information security program deficiencies."
- 02/02/2021 - Article updated to integrate 2021 Supervisory Priorities.