Auditors ID Potential Cyber Risks to NCUA’s IS Program

ALEXANDRIA, Va. – NCUA’s information security program was found effective overall, but auditors identified new weaknesses and lingering past issues that leave the agency exposed to potential cyber risks, according to a report prepared for the NCUA Office of Inspector General by the accounting firm Sikich.

The audit, conducted under the Federal Information Security Modernization Act of 2014, reviewed the agency’s compliance with federal cybersecurity requirements and practices between October 2024 and July 2025. Sikich assessed a sample of four systems from NCUA’s 62 managed and third-party information systems.

Auditors concluded that the NCUA achieved an overall maturity rating of Level 4: “Managed and Measurable,” which meets the standard for effectiveness under federal guidelines. Two of the agency’s cybersecurity function areas were rated at the highest level of “Optimized,” two were “Managed and Measurable,” and two were “Consistently Implemented.”

Several Advances Cited

The report credited the NCUA with several advances, including integrating cybersecurity risk into enterprise risk management, using advanced monitoring technologies to detect adverse events, evaluating supplier risks as part of continuous monitoring, implementing federal logging requirements, and testing contingency planning through deliberate system disruptions.

However, auditors identified five new weaknesses across cybersecurity governance, configuration management, identity and access management, and risk and asset management. These included the lack of an organizational cybersecurity profile, incomplete data inventories, inadequate monitoring of network equipment settings, delays in addressing workstation vulnerabilities, and inconsistent account management controls.

The OIG report also noted that the NCUA began fiscal 2025 with 17 outstanding recommendations from prior audits dating back to 2018. Fourteen of those were closed during the latest audit, but three remain open, along with one from a separate cybersecurity review affecting incident response.

10 Recommendations Made

Altogether, auditors issued 10 new recommendations to address control deficiencies. The report warned that the weaknesses, combined with unresolved prior recommendations, affect the agency’s ability to safeguard the confidentiality, integrity and availability of its information systems, potentially exposing them to unauthorized access, disclosure, disruption or destruction.

The report can be found here.
