
What Credit Unions Need to Know About the NCUA ACET & its New Cybersecurity Standards

NCUA ACET & its New Cybersecurity Standards 

With Internet of Things (IoT) and Bring Your Own Device (BYOD) growing exponentially every year, financial institutions stand to see key benefits in facilities cost reduction and employee productivity. But credit union executives must also ask – what are the unseen risks of becoming more connected?

For example, the facilities department might deploy online thermostats to remotely control HVAC systems, lighting, or time clocks. Employees might bring their own mobile devices and connect them to the enterprise network, unaware that those devices may be infected with malware or a virus, unwittingly letting it spread laterally across the company. All of these behaviors, while productive, can put the institution at severe risk because they leave a potential hole in the network: a bad actor can attack Internet of Things devices that lack proper security or access controls, and/or the personal mobile devices (iPads, phones, etc.) of unaware employees.

The Shift to a New Examination Tool 

The NCUA issued a statement warning of increasing cybersecurity vulnerabilities for federally-insured credit unions and financial services market participants, including ransomware, malware and phishing attacks, identity theft, denial of service, ATM skimming, pandemic-themed attacks and supply chain attacks – the latter being a significant threat due to the multiple parties that must work together to deliver financial services to consumers.

The NCUA has recently moved to a new security examination tool called the Automated Cybersecurity Examination Tool (ACET). Previously, in 2015, the NCUA was using just the Cybersecurity Assessment Tool (CAT) to identify cyber threats and test credit unions' security readiness. The NCUA ACET is based on the CAT, but it adds security control validation and includes an easy-to-read dashboard. According to a report from the NCUA, the purpose of the ACET was not to be a long-term examination program, but to “benchmark” credit unions, measuring the industry’s cybersecurity preparedness.

Initially, the NCUA began reviewing credit unions with $1 billion or more in assets using the ACET, refining the tool throughout the process to ensure it could scale properly for smaller, less complex credit unions. 

What This Means for Credit Unions 

With the shift to the NCUA ACET, credit unions now need certain controls in place in order to pass NCUA audits. Of the five domains laid out in the ACET, Domain 3 is perhaps the most critical when it comes to cybersecurity: it examines the preventive, detective and corrective cybersecurity controls an institution must have in place.

In the end, credit union CIOs and CISOs have a responsibility to protect their members and their financial data. This year, as the security talent crisis grows, breaches get more complicated and IoT/BYOD device attacks get more severe, an easy-to-implement network access control (NAC) solution should be at the top of their list.

Portnox CLEAR & the NCUA ACET

As the NCUA audits continue to expand, many credit unions struggle with finding an effective solution to meet Domain 3 controls within the ACET framework. 

Fortunately, Portnox CLEAR provides the network access control, endpoint awareness, risk assessment and real-time remediation capabilities that either directly meet or substantially contribute to many of the most difficult Domain 3 audit areas and requirements. The table below maps individual ACET declarative statements (by statement number) to the relevant Portnox CLEAR capability and states whether it meets or contributes to each requirement.

| Statement Number | Domain | Assessment Factor | Component | Maturity Level | Declarative Statement | Portnox Value | Explanation |
|---|---|---|---|---|---|---|---|
| 188 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Systems that are accessed from the Internet or by external parties are protected by firewalls or other similar devices. | Contributes | Portnox monitors on managed systems whether the endpoint firewall is active. If not, Portnox can alert, deny access or automatically enable the firewall. |
| 189 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | All ports are monitored. | Meets | Portnox CLEAR will monitor all ports on switches configured to work with CLEAR. |
| 190 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Up-to-date antivirus and anti-malware tools are used. | Meets | Portnox verifies that the installed antivirus and anti-malware software is up to date and can trigger an update as well. |
| 192 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Ports, functions, protocols and services are prohibited if no longer needed for business purposes. | Contributes | Portnox can monitor the usage of services on desktops and servers and also prevent their use (enforcing a policy). |
| 194 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Programs that can override system, object, network, virtual machine, and application controls are restricted. | Meets | With Portnox you can monitor the installed and in-use applications and prevent unauthorized programs from executing on the endpoint. |
| 196 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Baseline | Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) | Meets | Portnox performs the authentication to wireless networks; you can enforce in Portnox that certain SSIDs use ONLY secure protocols. |
| 199 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Evolving | Technical controls prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network(s). | Meets | Portnox CLEAR provides network technical controls to prevent unauthorized devices, including rogue wireless access devices and removable media, from connecting to the internal network protected by CLEAR. |
| 201 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Evolving | Guest wireless networks are fully segregated from the internal network(s). (*N/A if there are no wireless networks.) | Meets | Portnox CLEAR supports guest wireless management and segmentation. |
| 205 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | The enterprise network is segmented in multiple, separate trust/security zones with defense-in-depth strategies (e.g., logical network segmentation, hard backups, air-gapping) to mitigate attacks. | Meets | Portnox CLEAR fully supports network segmentation (VLAN) and assures authorized devices are placed in the correct segment based on access control policy. |
| 206 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | Security controls are used for remote access to all administrative consoles, including restricted virtual systems. | Meets on some architectures | Portnox can be used to verify that only endpoints with the correct security controls can connect to remote consoles/virtual systems that sit behind an RDP gateway, VPN or similar gateway. |
| 207 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | Wireless network environments have perimeter firewalls that are implemented and configured to restrict unauthorized traffic. (*N/A if there are no wireless networks.) | Contributes | Portnox CLEAR can control and assure that only authorized devices are able to connect to specific AP/SSID(s). Portnox CLEAR can manage guest WiFi. |
| 208 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Intermediate | Wireless networks use strong encryption with encryption keys that are changed frequently. (*N/A if there are no wireless networks.) | Contributes | |
| 213 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Advanced | Anti-spoofing measures are in place to detect and block forged source IP addresses from entering the network. | Contributes | Portnox CLEAR can control and assure that only authorized devices are able to connect to specific AP/SSID(s), supporting certificate and/or company credential authentication. |
| 214 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Innovative | The institution risk scores all of its infrastructure assets and updates in real time based on threats, vulnerabilities, or operational changes. | Contributes | Portnox CLEAR is aware of endpoint risk. Portnox CLEAR can block or alert based on the associated policy/risk score assessment. Portnox CLEAR can block devices from network access if they reach a blocking level of risk. |
| 215 | 3: Cybersecurity Controls | 1: Preventative Controls | 1: Infrastructure Management | Innovative | Automated controls are put in place based on risk scores to infrastructure assets, including automatically disconnecting affected assets. | Meets | Portnox CLEAR supports risk-based (risk score) access controls. Devices first connecting to the network must both authenticate and be at an acceptable risk level. |
| 218 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege. | Contributes | Portnox CLEAR can control network access and segmentation based on associated group policy. |
| 219 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Employee access to systems and confidential data provides for separation of duties. | Contributes | Portnox CLEAR can control network access and segmentation based on associated group policy. |
| 220 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger password controls). | Contributes | Portnox can monitor who has administrative privileges on local systems and alert on changes. |
| 223 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Identification and authentication are required and managed for access to systems, applications, and hardware. | Contributes | Portnox CLEAR can control network access and segmentation based on associated group policy. |
| 227 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) | Contributes | Portnox manages the segmentation of systems between environments, thus creating the basis for segregation between production and non-production systems. |
| 229 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | All passwords are encrypted in storage and in transit. | Comply | Portnox's own passwords and its usage of passwords comply with that requirement. |
| 230 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). | Contributes | All communication with Portnox CLEAR is TLS encrypted. |
| 231 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) | Meets | Portnox CLEAR provides real-time endpoint compliance validation against a defined policy. The risk policy can include validation that endpoint encryption is enabled; if not, alerts can be generated and device access can be limited or restricted. |
| 232 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. | Meets | Portnox CLEAR can elevate existing remote access with zero trust: full remote endpoint risk awareness, real-time remediation to help assure remote endpoints stay compliant, and 2FA for remotely connecting devices. |
| 233 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Baseline | Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. | Meets | Unauthorized software is reported immediately when installed, so action can be taken to uninstall it. |
| 241 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | The institution has implemented tools to prevent unauthorized access to or exfiltration of confidential data. | Contributes | Portnox CLEAR supports endpoint risk and remediation policies that can assure removable storage is not connected to company-issued devices. |
| 244 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | All physical and logical access is removed immediately upon notification of involuntary termination and within 24 hours of an employee’s voluntary departure. | Contributes | Integration with directory services; changes propagate to CLEAR. |
| 245 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | Multifactor authentication and/or layered controls have been implemented to secure all third-party access to the institution's network and/or systems and applications. | Meets | Ability to place contractors on a specific network segment/VLAN. |
| 248 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Intermediate | Controls are in place to prevent unauthorized access to collaborative computing devices and applications (e.g., networked white boards, cameras, microphones, online applications such as instant messaging and document sharing). (*N/A if collaborative computing devices are not used.) | Contributes | Portnox CLEAR supports endpoint risk and remediation policies that can assure only authorized USB devices are connected to company-issued endpoints. |
| 251 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Innovative | Adaptive access controls de-provision or isolate an employee, third-party, or customer credentials to minimize potential damage if malicious behavior is suspected. | Meets | Policy-based dynamic VLAN assignment. |
| 254 | 3: Cybersecurity Controls | 1: Preventative Controls | 2: Access and Data Management | Innovative | The institution is leading efforts to create new technologies and processes for managing customer, employee, and third-party authentication and access. | Contributes | Portnox CLEAR provides network access controls that can support employee, customer and third-party access requirements. |
| 256 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Baseline | Controls are in place to restrict the use of removable media to authorized personnel. | Meets | Group-level policy controls to allow only authorized USB devices. |
| 257 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Tools automatically block attempted access from unpatched employee and third-party devices. | Meets | Risk-based access controls include OS patch validation. |
| 258 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Tools automatically block attempted access by unregistered devices to internal networks. | Meets | Only authorized, authenticated and risk-compliant devices can get network access; all others are denied. |
| 259 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | The institution has controls to prevent the unauthorized addition of new connections. | Meets | Portnox assures only authorized, valid devices are able to access the network. Unauthorized devices are denied access or moved to a guest or other VLAN based on policy. |
| 260 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Controls are in place to prevent unauthorized individuals from copying confidential data to removable media. | Meets | Group-level policy controls to allow only authorized USB devices. |
| 261 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | Antivirus and anti-malware tools are deployed on end-point devices (e.g., workstations, laptops, and mobile devices). | Contributes | Risk and remediation policy can assure AV is deployed, running and updated. |
| 263 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Evolving | The institution wipes data remotely on mobile devices when a device is missing or stolen. (*N/A if mobile devices are not used.) | Meets | Portnox has options to remotely wipe mobile devices. |
| 265 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Intermediate | Mobile device management includes integrity scanning (e.g., jailbreak/rooted detection). (*N/A if mobile devices are not used.) | Meets | Portnox mobile risk validation includes a check for jailbroken/rooted devices. |
| 267 | 3: Cybersecurity Controls | 1: Preventative Controls | 3: Device / End-Point Security | Advanced | Employees’ and third parties’ devices (including mobile) without the latest security patches are quarantined and patched before the device is granted access to the network. | Contributes | Portnox risk policy can check patch status and either block the device or place it in a quarantine VLAN. |
| 284 | 3: Cybersecurity Controls | 2: Detective Controls | 1: Threat and Vulnerability Detection | Baseline | Antivirus and anti-malware tools are used to detect attacks. | Contributes | Portnox risk policy continuously checks for the existence of those tools on the endpoints. |
| 289 | 3: Cybersecurity Controls | 2: Detective Controls | 1: Threat and Vulnerability Detection | Evolving | Antivirus and anti-malware tools are updated automatically. | Meets | Portnox risk policy continuously checks the configuration and the automatic update of those tools on the endpoints. It can also remediate issues with that configuration automatically. |
| 307 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Evolving | Logs provide traceability for all system access by individual users. | Contributes | Portnox provides logs associated with all authorized network access as well as alerts/logs of unauthorized access attempts. |
| 317 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Advanced | A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities. | Contributes | Portnox CLEAR's awareness of network access, users/devices, etc. can contribute to meeting this requirement. |
| 320 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Innovative | The institution has a mechanism for real-time automated risk scoring of threats. | Contributes | Portnox CLEAR supports risk/compliance awareness of company employees. |
| 321 | 3: Cybersecurity Controls | 2: Detective Controls | 2: Anomalous Activity Detection | Innovative | The institution is developing new technologies that will detect potential insider threats and block activity in real time. | Contributes | Portnox CLEAR allows only authorized, compliant devices onto the network/network segment based on policy. |
| 323 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Baseline | Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. | Contributes | Portnox CLEAR provides alerts on all network access (allowed or denied) and can integrate with an existing SIEM. |
| 324 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Baseline | Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. | Meets | Portnox CLEAR is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (e.g. internet only). |
| 326 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Baseline | The physical environment is monitored to detect potential unauthorized access. | Meets | Portnox CLEAR is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (e.g. internet only). |
| 327 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Evolving | A process is in place to correlate event information from multiple sources (e.g., network, application, or firewall). | Contributes | Portnox CLEAR provides alerts on all network access (allowed or denied) and can integrate with an existing SIEM. |
| 329 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Intermediate | Event detection processes are proven reliable. | Contributes | |
| 330 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Intermediate | Specialized security monitoring is used for critical assets throughout the infrastructure. | Contributes | Portnox CLEAR is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (e.g. internet only). |
| 331 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Advanced | Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices. | Contributes | Portnox CLEAR supports real-time endpoint remediation, helping to assure end-user devices stay in a compliant state (e.g. firewall running, AV running). |
| 332 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Advanced | Real-time network monitoring and detection is implemented and incorporates sector-wide event information. | Meets | Portnox CLEAR is aware of any/all devices connecting to the network. Unauthorized devices can be blocked or moved to a specified segment (e.g. internet only). |
| 333 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Advanced | Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur. | Contributes | Portnox CLEAR supports real-time endpoint remediation, helping to assure end-user devices stay in a compliant state (e.g. firewall running, AV running). Alerts on any changes and the resulting remediation actions are logged. |
| 335 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Innovative | The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur. | Contributes | Portnox CLEAR is aware of any/all devices connecting to the network. Only authorized, compliant devices are allowed onto the network. Unauthorized devices can be blocked or moved to a specified segment (e.g. internet only). All access and related risk issues are audited in real time. |
| 336 | 3: Cybersecurity Controls | 2: Detective Controls | 3: Event Detection | Innovative | The institution is leading the development effort to design new technologies that will detect potential insider threats and block activity in real time. | Contributes | Portnox CLEAR is aware of any/all devices connecting to the network. Only authorized, compliant devices are allowed onto the network. Unauthorized devices can be blocked or moved to a specified segment (e.g. internet only). |
| 341 | 3: Cybersecurity Controls | 3: Corrective Controls | 1: Patch Management | Evolving | Systems are configured to retrieve patches automatically. | Meets | Portnox CLEAR can verify that the system is configured to fetch patches and remediate it if not. |
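Several rows of the mapping (statements 214, 215, 257, 258, 259 and 267) describe the same underlying mechanism: a device must both authenticate and be at an acceptable risk level, and a failed posture check either denies access or moves the device to a quarantine or guest VLAN for remediation. The following is an added illustration of that decision logic, written for this page; it is not Portnox code and does not use any Portnox API. The check names, risk weights, thresholds and VLAN ids are hypothetical, and the endpoint posture reports are constructed sample input.

```python
"""Risk-based network access decision from an endpoint posture report.

Added example (not Portnox's code). Demonstrates the NAC pattern described
in the ACET mapping: authenticate AND be at an acceptable risk level, with
failed checks leading to quarantine or denial. All names, weights,
thresholds and VLAN ids below are hypothetical assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical VLAN ids for the three access outcomes.
VLAN_CORPORATE = 10
VLAN_GUEST = 50
VLAN_QUARANTINE = 99

# Hypothetical posture checks and the risk added when a check FAILS.
RISK_WEIGHTS: Dict[str, int] = {
    "firewall_enabled": 30,
    "av_up_to_date": 25,
    "disk_encrypted": 20,
    "os_patched": 20,
    "not_rooted": 50,        # jailbroken/rooted device is a blocking finding
    "no_unauthorized_usb": 15,
}
BLOCK_THRESHOLD = 50          # risk at or above this: deny access outright


@dataclass
class Posture:
    device_id: str
    authenticated: bool           # passed 802.1X / credential / certificate auth
    checks: Dict[str, bool]       # check name -> True if the check passed


@dataclass
class Decision:
    device_id: str
    action: str                   # "allow" | "quarantine" | "deny" | "guest"
    vlan: Optional[int]
    risk_score: int
    failed_checks: List[str] = field(default_factory=list)


def failed_checks(checks: Dict[str, bool]) -> List[str]:
    """A check that is missing from the report counts as failed (fail closed)."""
    return [name for name in RISK_WEIGHTS if not checks.get(name, False)]


def risk_score(checks: Dict[str, bool]) -> int:
    """Sum the weights of all failed (or unreported) checks."""
    return sum(RISK_WEIGHTS[name] for name in failed_checks(checks))


def decide(p: Posture) -> Decision:
    """Apply the policy: unauthenticated -> guest VLAN; high risk -> deny;
    any failed check -> quarantine VLAN for remediation; otherwise allow."""
    failed = failed_checks(p.checks)
    score = risk_score(p.checks)
    if not p.authenticated:
        # Unregistered/unknown device never reaches the corporate segment.
        return Decision(p.device_id, "guest", VLAN_GUEST, score, failed)
    if score >= BLOCK_THRESHOLD:
        return Decision(p.device_id, "deny", None, score, failed)
    if failed:
        return Decision(p.device_id, "quarantine", VLAN_QUARANTINE, score, failed)
    return Decision(p.device_id, "allow", VLAN_CORPORATE, score, failed)


def evaluate_all(postures: List[Posture]) -> Dict[str, Decision]:
    """Evaluate every posture report; keyed by device id for auditing."""
    return {d.device_id: d for d in map(decide, postures)}


ALL_PASS = {name: True for name in RISK_WEIGHTS}

# Constructed sample posture reports (not real device data).
SAMPLE_POSTURES = [
    Posture("laptop-01", True, dict(ALL_PASS)),                       # compliant
    Posture("laptop-02", True, {**ALL_PASS, "os_patched": False}),    # needs patching
    Posture("phone-03", True, {**ALL_PASS, "not_rooted": False}),     # rooted device
    Posture("visitor-04", False, {}),                                 # unauthenticated
]

if __name__ == "__main__":
    for d in evaluate_all(SAMPLE_POSTURES).values():
        print(f"{d.device_id}: {d.action} vlan={d.vlan} "
              f"risk={d.risk_score} failed={d.failed_checks}")
```

The fail-closed treatment of missing checks is deliberate: an agent that cannot report on a control should not be credited with passing it. In practice the audit record produced by `evaluate_all` (device, action, score, failed checks) is what feeds the logging and SIEM integration the detective-control rows of the table refer to.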