Since 2017, we have experienced several changes in the NCUA IT examination process, from ACET, to InTREx-CU, to a new acronym, ISE. This article will tell you what you can expect in your 2023 exam and take you through a bit of the history of each acronym.

ACET

Frequently Asked Questions

  • Will the ACET be part of my 2023 NCUA exam?
    The 2023 Supervisory Priorities say, "The [ACET] works in coordination with and will prepare you for an Information Security Examination." In other words, the ACET is not the exam, but you will be asked about the same things, so it's wise to complete this self-assessment before your exam.

  • What changed in the 2022 ACET updates?
    There were no content changes to the ACET. The update only contained changes to the application's security and features.

Let's recap how we got to this point.

  • 2017. The NCUA created the "Automated Cybersecurity Examination Tool" (ACET) Excel Spreadsheet. It was an examination program built upon the contents of the FFIEC's Cybersecurity Assessment Tool (CAT). The ACET allowed the NCUA to "benchmark" the credit union industry's cybersecurity preparedness, as well as provide examiners with "a plain-language explanation and references for each of the statements." (Source)

  • 2018 – 2020. The ACET benchmarking process was completed. The ACET was officially suspended as an examination program in July 2020 when the NCUA announced it had "transitioned its priority from performing [ACET] cybersecurity maturity assessments, to evaluating critical security controls." (Source)

  • 2021. In collaboration with the Department of Homeland Security and the Idaho National Laboratory, the NCUA released the "Automated Cybersecurity Evaluation Toolbox" (ACET) desktop application. This version of the ACET is "completely voluntary and does not introduce any new requirements or expectations on credit unions." (Source)

  • 2022. In October, the NCUA released a new version of the "Automated Cybersecurity Evaluation Toolbox" (ACET) desktop application. "This new version 11.2.1.0 includes security updates and performance improvements. This version no longer requires the use of IIS Express, and SQL Server 2012 Express LocalDB, which is no longer supported." (Source)

  • 2023 – Present. While completing the ACET is voluntary, it continues to be a value-add for both credit unions and NCUA examiners. Credit unions can use the ACET to assess their level of cybersecurity preparedness and examiners can refer to the ACET's helpful mappings, plain-language explanations, and references. (Source)

How Tandem can help. Tandem Cybersecurity is a free web-based application based on the FFIEC's CAT and the NCUA's ACET. In addition to featuring all the ACET's content, Tandem includes several other features which make getting ready for an exam easy, including:

  • The ability to copy a previous assessment.
  • Trend analysis for year-to-year comparison.
  • Multi-user simultaneous access via a secure online portal.
  • Anonymous benchmarking with results from other credit unions.
  • Customizable reports and documents.

Sign up for a free account and get started with Tandem today.

InTREx-CU

Frequently Asked Questions

  • Will InTREx-CU be part of my 2023 exam?

No. The program you see in your upcoming exam will be influenced by InTREx-CU, but will not be called "InTREx-CU."

Let's recap how we got to this point.

  • 2020. As the NCUA changed course on the ACET, they also began "piloting the Information Technology Risk Examination for Credit Unions" (a.k.a., InTREx-CU). This proposed examination program was created to harmonize with the examination procedures used by the FDIC, Federal Reserve, and many state regulators. (Source)

  • August 2021. The NCUA remained optimistic about InTREx-CU, stating it was "continuing to integrate this tool into its cybersecurity reviews with the goal of deploying the tool systemwide in late 2022 or early 2023." (Source)

  • September 2021. In a webinar on September 8, 2021 over the "NCUA's Modernized Examination Tools," an NCUA representative stated InTREx-CU would not be a permanent examination solution and was only part of an "18-month pilot." (Source) InTREx-CU stopped being used by the end of 2021.

  • 2022 - Present. The NCUA has been using "the information collected during the InTREx-CU pilot to evolve its cybersecurity review tools." (Source)

ISE

Frequently Asked Questions

  • What WILL be in my 2023 IT exam?
    The Information Security Examination (ISE) is the latest iteration of the NCUA's IT exam program. The ISE work programs are the product of years of learning and evolution to make this exam less redundant and more appropriate based on size and complexity.

Let's recap how we got to this point.

  • January 2022. The NCUA used the exact wording Information Security Examination publicly for the first time, "The NCUA continues to develop updated information security examination procedures that are tailored to institutions of varying size and complexity. These procedures will continue to be piloted in 2022, with the goal of having them finalized in 2022." (Source)

  • June 2022. NCUA Chairman Todd M. Harper stated the ISE initiative "offers a measure of flexibility for credit unions of all asset sizes and complexity levels while providing examiners with standardized review steps that will facilitate advanced data collection and analysis." He also described the three levels that were being tested. (Source)

    • ISE Small Credit Union Examination Program (SCUEP) for credit unions <$50 million in assets. The SCUEP "focuses on compliance with Part 748 and 749 of NCUA's regulations."

    • ISE Core for credit unions >$50 million in assets. The Core builds on the SCUEP and is a "risk-focused examination." This program aligns with previous exam programs, but removes redundancy noted in InTREx-CU. Additionally, electronic banking is built into the "Authentication" section of the program instead of via standalone review. This change coincides with the FFIEC's publication of the Authentication and Access guidance, as well as the rescinding of the E-Banking booklet.

    • ISE Core Plus for credit unions which need "expanded reviews and deeper dives into specific operational areas and security controls."

  • 2023 - Present. According to the Supervisory Priorities, "the NCUA developed and tested updated Information Security Examination procedures. […] Examiners will use these new procedures in 2023." (Source)

Will Tandem be updated for the ISE?

It is our goal to improve security while easing the burden of regulatory compliance. We will continue to monitor feedback from credit unions about the ISE process to determine if there may be a way we can help in the future.

That said, as of the publication of this blog, it is our understanding that the ISE program will be handled in the NCUA's web-based examination platform, MERIT. MERIT offers credit unions a place to securely upload, track, and share examination documents. If you have not used MERIT before, you should receive communications from your examiner prior to your next exam. 

What's Next?

Keep an eye on the NCUA's website to learn more about their Information Security Examination and Cybersecurity Assessment Program, as well as other Cybersecurity Resources they make available.

To help you prepare for your next exam, check out Tandem. In addition to the free Tandem Cybersecurity product, Tandem offers a suite of tools designed to help you create the elements of your cybersecurity program which will be requested as part of the ISE program, including Risk Assessment, Policies, Vendor Management, Business Continuity Plan, Incident Management, and more.

If you liked this article and would like to stay in touch with other happenings in the world of cybersecurity and compliance, sign up for the Tandem Newsletter. This is a monthly resource filled with the latest articles and news, designed to help make your credit union more secure.