In January 2021, the National Credit Union Administration (NCUA) published their 2021 Supervisory Priorities which stated, "The agency has reprioritized away from performing facilitated Automated Cybersecurity Evaluation Toolbox cybersecurity maturity assessments, to piloting the Information Technology Risk Examination for Credit Unions (InTREx-CU). […] ACET will become a self-assessment resource for credit unions, supported by the NCUA."
In October 2021, the NCUA hosted a webinar demonstrating how to use its ACET desktop application. During the question-and-answer portion of the presentation, attendees asked about InTREx-CU and what to expect in coming exams. Responses to those questions have been integrated into the answers below.
Note: A recording of the webinar is expected to be available on the NCUA site by late November.
Because Tandem has created features in our Cybersecurity product to help credit unions be prepared for their ACET exams, the Tandem team has received several questions regarding InTREx-CU and how it will be addressed in Tandem. Here's what we know.
How is InTREx-CU different from ACET?
The acronym "ACET" was first used to represent "Automated Cybersecurity Examination Tool," an NCUA exam program built on top of the FFIEC's Cybersecurity Assessment Tool (CAT). The CAT is designed for banks and credit unions to self-assess their cybersecurity preparedness outside of the examination process. According to a report from the NCUA, the ACET exam spreadsheet was built to "benchmark" the credit union industry's cybersecurity preparedness. That benchmarking process was completed between 2018 and 2020.
For a simplified visual, check out the image below. The ACET exam spreadsheet includes:
- The CAT "questions" (green tabs)
- Tools for the examiner's use (yellow tabs)
- The examination document request list (red tab)
This combination of tabs and features is why we say "ACET is an exam tool built on top of the FFIEC's Cybersecurity Assessment Tool." The Automated Cybersecurity Examination Tool as an exam tool was suspended in July 2020.
In 2020, the NCUA collaborated with the Department of Homeland Security and the Idaho National Laboratory to create a desktop application designed to help credit unions complete the CAT. They refer to this application as the Automated Cybersecurity Evaluation Toolbox (ACET). While the acronym remains the same, the name changed from "Examination Tool" to "Evaluation Toolbox," and the document request list was removed. While the ACET will no longer be the backbone of the examination process, the NCUA website continues to list it as a component of the agency's information security examination program.
InTREx-CU (Information Technology Risk Examination for Credit Unions) is a new proposed examination model, similar to the NCUA's exam procedures based on 12 CFR Part 748, but with a heightened focus on critical security controls. InTREx-CU does not include CAT/ACET as part of the work program or document request list. Credit unions examined with InTREx-CU will be expected to complete the new document request list, which currently includes 33 items.
Will I see InTREx-CU in my 2022 exam?
It seems unlikely. According to comments from Ernest Chambers Jr. during the recent ACET webinar, InTREx-CU was an 18-month pilot program designed to help the NCUA learn how to improve its IT exam program. The NCUA is now working to make improvements to the existing examination program (based on 12 CFR Part 748) and plans to roll out the new and improved exam in September 2022. To date, InTREx-CU has only been performed by Regional Information Security Officers (RISOs).
- For the majority of credit unions, whose next IT exam will not be performed by a RISO, expect to be examined with the traditional exam program based on 12 CFR Part 748, not InTREx-CU or ACET.
- For credit unions whose next IT exam will be performed by a RISO, you might see the pilot version of InTREx-CU. RISOs primarily work with the largest credit unions in the industry.
In either case, after September 2022 there will be a new exam program that has yet to be completed and released to the public.
InTREx-CU highlighted incident management, specifically requesting "the formally approved Incident Response Plan, employee training program, accompanying procedures, results from the most recent cyber incident and results of incident response testing." We expect this focus on incident management to be included in the 2022 changes to the IT examination program. If you are looking for a fast and effective way to build an Incident Response Plan and track incidents as they occur, see our newest Tandem addition: Incident Management.
Will I be expected to keep doing the CAT/ACET?
Yes, and no. Expected, but not required.
The NCUA's 2021 Supervisory Priorities indicate they will continue to support the ACET (a.k.a., CAT) as a self-assessment resource, helping credit unions continue to assess their cybersecurity risk and maturity outside of the NCUA's examination process. "Continue to support" indicates the NCUA believes ACET/CAT is a valuable self-assessment tool and that credit unions will benefit from its continued use.
While the NCUA will "continue to support" the tool, credit unions will not, to date, see an item on their examination document request list for ACET/CAT. However, we have heard from individual examiners who believe credit unions should and will continue to update their cybersecurity self-assessments.
Does Tandem recommend I keep completing the CAT?
Yes, we continue to encourage completion of the CAT annually, or more frequently if significant changes occur, to measure your cybersecurity maturity over time. Performing the CAT self-assessment remains beneficial for several reasons:
- It is aligned with the FFIEC IT Examination Handbook, the NIST Cybersecurity Framework, and industry-accepted cybersecurity practices.
- It offers a way for financial institutions to review their own cybersecurity posture without an auditor or examiner.
- It provides a way to demonstrate current and potential cybersecurity maturity to senior management.
- It allows you to compare your current cybersecurity posture against past assessments or against other institutions, if using a product like Tandem.
How can I complete the CAT?
At Tandem, we are pleased to offer our clients an easy, efficient, and repeatable way to assess cybersecurity risk and maturity using the CAT question and answers. To learn more about Tandem Cybersecurity or to sign up for the free version of the tool, visit Tandem.App/Cybersecurity-Assessment-Tool-FFIEC. Tandem offers helpful and valuable features, such as the ability to allow multi-user access and compare results with similar institutions, which can be used to justify and request investments in cybersecurity from the board.
While the NCUA now provides the ACET (a desktop application for completing the CAT), the application does not include many of the in-demand features provided by Tandem, such as:
- The ability to copy a previous assessment.
- Trend analysis for year-to-year comparison.
- Multi-user simultaneous access via a secure online portal.
- Anonymous peer analysis of results from other credit unions.
- Customizable downloads and reports.
Can we expect any ACET or InTREx-CU changes to Tandem's Cybersecurity software?
The NCUA began using MERIT (Modern Examination and Risk Identification Tool) to conduct exams in August 2021. MERIT is a new web-based examination platform designed to replace the NCUA's legacy platform, ARIES. Because examination work, including document requests, now runs through MERIT, we do not plan to integrate the InTREx-CU document request list into Tandem; doing so would not save our customers any time or effort in the examination process. Additionally, the pilot of InTREx-CU will end no later than August 2022.
As NCUA examiners still expect (but do not require) that credit unions will continue to complete the CAT self-assessment portions of the ACET, Tandem will continue to offer the free and pro versions of our tool to help ensure our clients have an easy, efficient, and repeatable way to assess their cybersecurity risk and maturity.
Since ACET has been suspended as an examination model, users will not need to use the Document Request List section of Tandem Cybersecurity. We do not have plans to remove the Document Request List section at this time, as users likely have historical files and notes they would like to keep. One element of the ACET features we believe is important to retain is the ACET commentary for every inherent risk and maturity statement. The NCUA commentary continues to provide value in helping readers understand the context of each statement, and credit unions and banks alike have found these resources valuable.
To learn more about Tandem Cybersecurity or to sign up for the free version, visit Tandem.App/Cybersecurity-Assessment-Tool-FFIEC.
For reference, below are excerpts from the NCUA Supervisory Priorities letters around the topics of CAT, ACET, and InTREx-CU from 2015-2021.
Credit unions, like all financial institutions, remain vulnerable to internal and external cybersecurity threats. Last year's interagency cybersecurity assessment conducted through the Federal Financial Institutions Examination Council (FFIEC) found that many credit unions and banks are not taking basic cybersecurity actions.
In June 2015, NCUA released a Cybersecurity Assessment Tool jointly with the other member agencies of the Federal Financial Institutions Examination Council (FFIEC). The tool provides a structured methodology for credit unions to manage information security and protect member information more effectively.
The tool is designed to enhance cybersecurity oversight and management capabilities, and to identify any gaps in an institution's risk-management practices. Credit unions can use this tool to enhance their cybersecurity preparedness.
NCUA encourages all credit unions to use the FFIEC tool to manage cybersecurity risks. NCUA also plans to begin incorporating the Cybersecurity Assessment Tool into our examination process in the second half of 2016.
Cybersecurity remains a key supervisory focus. NCUA will continue to carefully evaluate credit unions' cybersecurity risk management practices. We encourage credit unions to use the Cybersecurity Assessment Tool to bolster their security and risk management processes. This tool was issued jointly with the other member agencies of the Federal Financial Institutions Examination Council.
NCUA plans to increase our emphasis on cybersecurity by enhancing the examination focus with a structured assessment process. We anticipate completing this process by late 2017, and will keep credit union system stakeholders informed as changes occur.
Cybersecurity remains a key supervisory focus. In 2018, the NCUA will begin implementing the Automated Cybersecurity Examination Tool (ACET) to improve and standardize supervision related to cybersecurity. The ACET provides the NCUA with a repeatable, measurable and transparent process for assessing the level of cyber preparedness across federally insured institutions.
The ACET incorporates appropriate standards and practices established for financial institutions. It also aligns with the Cybersecurity Assessment Tool developed by the FFIEC for voluntary use by banks and credit unions. Therefore, we encourage credit unions to continue to self-assess their cybersecurity and risk management practices using the Cybersecurity Assessment Tool if they do not have an alternative method of assessment.
The NCUA will begin using the ACET in examinations of larger credit unions with over $1 billion in assets. This will allow the NCUA to create a baseline for the cybersecurity maturity level of the largest and most complex institutions, while we continue to test and refine the ACET through 2018 to ensure it scales properly for smaller, less complex institutions.
Examiners will continue conducting information security maturity assessments with the Automated Cybersecurity Examination Toolbox (ACET). Examiners will use the ACET to assess credit unions with over $250 million in assets that have not previously received an assessment. The security, confidentiality, and integrity of credit union member information remains a key supervisory priority for the NCUA.
In 2018, the NCUA began using the Automated Cybersecurity Examination Tool (ACET) to assess credit unions' cybersecurity maturity. The NCUA collaborated with the Department of Homeland Security and the Idaho National Laboratory to create an updated client/server version of the ACET that is being fully deployed in 2020. Credit unions will be able to complete self-assessments through access to the new ACET on NCUA's website in early 2020.
Starting in 2022, the agency will refresh the maturity assessments following the same asset size schedule discussed above, resulting in a refresh cycle of once every four years.
In addition to the ACET, the NCUA will be piloting new procedures in 2020 to evaluate critical security controls during examinations between maturity assessments. The critical security controls reviews will be scaled to the size and risk profile of the institution.
The NCUA has transitioned its priority from performing Automated Cybersecurity Examination Tool (ACET) cybersecurity maturity assessments, to evaluating critical security controls. The NCUA is also piloting an Information Technology Risk Examination solution for Credit Unions (InTREx-CU). InTREx-CU harmonizes the IT and Cybersecurity examination procedures shared by the Federal Deposit Insurance Corporation, the Federal Reserve System, and some state financial regulators to ensure consistent approaches are applied to community financial institutions. The InTREx-CU will be deployed to identify gaps in security safeguards, allowing examiners and credit unions to identify and remediate potential high-risk areas through the identification of critical information security program deficiencies as represented by an array of critical security controls and practices.
As cited in the NCUA's updated supervisory priorities for 2020, the agency has reprioritized away from performing facilitated Automated Cybersecurity Evaluation Toolbox (ACET) cybersecurity maturity assessments, to piloting the Information Technology Risk Examination for Credit Unions (InTREx-CU). InTREx-CU harmonizes the IT and cybersecurity examination procedures shared by the Federal Deposit Insurance Corporation, the Federal Reserve System, and many state financial regulators. This establishes a consistent approach across all community-based financial institutions. The InTREx-CU will continue to be deployed in 2021, allowing examiners and credit unions to identify and remediate potential high-risk areas by identifying critical information security program deficiencies. ACET will become a self-assessment resource for credit unions, supported by the NCUA.
An NCUA representative told webinar attendees in October 2021 that InTREx-CU will not be a permanent examination solution. Instead, results from InTREx-CU exams will be used to improve the existing examination program. The updated exam program will be used starting in September 2022.
Updates to this blog:
11/3/2021 - Updates based on commentary from officials in a webinar hosted by the NCUA in October 2021.