Audit Finds NCUA Information Security Program Effective, Recommends Improvements

An independent audit has concluded that the NCUA's information security program is generally effective, while also identifying areas for improvement.

According to a memorandum from the NCUA's Office of the Inspector General (OIG), an outside firm conducted the audit between October 1, 2024, and July 14, 2025. The review resulted in 10 new recommendations aimed at strengthening the agency's information security and privacy programs.

Key recommendations include:

• Documenting policies and procedures for developing and maintaining cybersecurity profiles that reflect the NCUA's mission, threat environment, and resources.
• Creating and maintaining current and target cybersecurity profiles, including a gap analysis to assess differences between the two.
• Updating and maintaining a comprehensive inventory of data and metadata in compliance with the Open Government Data Act and Office of Management and Budget (OMB) requirements by September 2026.
• Implementing baseline compliance monitoring for routers, switches, and firewalls on the agency's network.
• Strengthening processes to remediate workstation vulnerabilities within agency timelines, including monitoring devices that have been disconnected from the network for extended periods.

Acting Inspector General notes that NCUA management agreed with the findings and has outlined corrective actions to address the recommendations.

The full report can be reviewed here