1. Why Is the Enterprise Solution Modernization Program Important?
- Modernizing our technology will facilitate greater collaboration and exchange of information between credit unions, credit union service organizations, state supervisory authorities, and NCUA.
- Robust business intelligence tools and analytics will allow the NCUA to manage risks to the credit union system more proactively.
- A flexible technology architecture will be more adaptable to changes in the financial services environment, including changes in statutes and regulations, than the agency’s current systems.
- New systems will streamline processes and procedures, helping create a more effective, less burdensome examination process.
- New systems will enable a single access point for users to interact with the NCUA.
2. How Will the NCUA Get this Done?
- Buy vs. Build — An off-the-shelf technology solution will be selected where possible.
- Engage & Collaborate — Stakeholders will be given opportunities to provide input.
- Deploy Incrementally — Changes will be implemented in a disciplined and phased approach.
3. When Will the Solution be Implemented?
Deployment of the ESM systems will occur in phases within a multi-year timeframe. We have a communications strategy and process to ensure all stakeholders are informed throughout the transition.
4. How Will the NCUA Manage the Complexity and Impacts of this Effort?
We have established a standard deployment process and organizational change management strategy, which includes:
- Gathering and validating inputs from impacted employees and stakeholders;
- Communicating status and impacts of the modernization throughout the transition; and
- Offering comprehensive training to all users.
5. Why Is the NCUA Considering Purchasing Commercial Off-the-Shelf Solutions vs. Building New Tools?
Although custom-built solutions offer unconstrained flexibility, the following summarizes the NCUA's reasoning for considering the purchase of a solution vs. building a solution:
- Cost — Custom-built solutions are the most expensive alternative. An off-the-shelf solution has an established framework and technical foundation that can be configured for the NCUA's needs.
- Expertise — Custom-built solutions require a high level of in-house support and expertise to build, deploy, and maintain. As a small agency, the NCUA can leverage the experts of an off-the-shelf solution for technical support.
- Implementation Time — Custom-developed solutions are risky and take longer to implement due to the time required to design, build, document, and test. The agile configuration approach of an off-the-shelf solution provides an opportunity to release functionality incrementally.
- Technological Updates — Off-the-shelf solutions provide regular software and security updates that can be deployed with minimal user interruption.
Based on our market research, a commercial off-the-shelf solution or set of solutions supports the strategic goals of achieving cost savings, reducing implementation time, and mitigating risk.
6. What Is the Due Diligence Process for Selecting a Vendor?
The ESM Program Team's approach includes the following actions before selecting the next generation examination tools and support services:
- Extended Market Research — To understand the full range of solutions available across the marketplace;
- Benchmarking — To provide insight and lessons learned from other organizations with similar business models; and
- Contract Competition — To assess a broad range of solutions, including in-depth evaluations of each product, and implementation strategies.
7. What Are NCUA’s Information Security Requirements?
The NCUA exercises great care in protecting its information systems and sensitive information such as personally identifiable information. As a federal agency, the NCUA must comply with security standards for federal information and information systems. All systems operated by the NCUA must meet the minimum information security requirements established by the National Institute of Standards and Technology (NIST). In addition to NIST standards and guidelines, the NCUA is subject to federal statutes such as the Federal Information Security Modernization Act of 2014 (FISMA), the E-Government Act of 2002, and the Privacy Act of 1974, as well as various OMB policies and guidance concerning federal information management, FISMA reporting, and privacy.
The NCUA uses administrative, technical, and physical controls, including but not limited to: assessment and authorization of information systems; proactive threat assessments and continuous monitoring; and annual general and role-based security training for employees and contractors.
The Office of the Inspector General conducts independent audits, investigations and other activities to verify the NCUA’s compliance with applicable standards, laws and regulations related to privacy and information security. The resulting reports are used to keep the NCUA Board and U.S. Congress informed of any deviation from these requirements.