Rules of Behavior for External Users of NCUA Systems

The NCUA is responsible for protecting the privacy of individuals who interact with the agency, whether the information about individuals is in electronic or physical form. These Rules of Behavior address privacy and security obligations and specific computer security controls that must be followed when collecting, maintaining, using, or distributing agency information in electronic or physical form. These apply to anyone who is issued an NCUA device, accesses NCUA data, or uses an NCUA system.

External users of NCUA systems have a responsibility to protect government assets and NCUA proprietary information from loss, theft, and misuse. Users of the NCUA systems are responsible for ensuring that their activities do not circumvent NCUA information security controls or violate any rules described in this document. Any user having knowledge of or a reasonable suspicion that any individual is attempting to circumvent these rules or illegally gain access to an NCUA system must report the information immediately to the NCUA Technical Support Team (OneStop) at

Each user shall use the tools provided by the NCUA, including Partner Gateway systems (such as the secure file transfer portal, encrypted email options, and MERIT) to securely transfer sensitive, confidential, or personally identifiable electronic information.

1. Responsibilities

These Rules of Behavior apply to use of NCUA information (in both electronic and physical forms) and information systems by any external user. By accessing NCUA systems, users attest that they have read these terms, acknowledge their understanding of them, and agree to them. Since these rules cannot account for every possible situation, users shall use their best judgment and highest ethical standards to guide their actions. By agreeing to and acknowledging these rules, the user signifies understanding and acceptance of NCUA security requirements. The NCUA shall verify that users who have or require access to NCUA information systems and associated data have read and accepted these Rules of Behavior. The NCUA reserves the right to disable accounts for security reasons until the issue is investigated and resolved.

2. Network/Internet Security

  • Do not attempt to gain unauthorized access to any computing system, circumvent data protection schemes, or uncover security loopholes. This includes creating or running programs that are designed to identify security loopholes or decrypt sensitive data sources.
  • Consider all information from the Internet as suspect until confirmed by separate information from another source.
  • Contacts made over the Internet should not be trusted with agency information unless a due diligence process and confirmation have first been performed.
  • Proprietary or private information must not be sent over the Internet unless it has first been encrypted for security purposes, such as through secure messaging or secure file transfer portals.
  • Do not post non-public NCUA information on public websites.

3. Multifactor Authentication Security

  • Do not share your Multifactor Authentication Software or Soft Token passwords with anyone else.
  • Do not leave your Multifactor Authentication Software Client or Soft Token passwords unattended.
  • Immediately call your Technical Support Desk if you lose your phone with the Multifactor Authentication Software installed.

4. Personally Identifiable Information (PII) [1]

The NCUA defines PII as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information, that is linked or linkable to a specific individual. [2] Examples of PII include:

  • Personal identification numbers (e.g., SSN, driver’s license number, credit card number);
  • Address information (e.g., street address or email address);
  • Telephone numbers;
  • Personal characteristics (e.g., fingerprints, photos, x-rays);
  • Information identifying personally owned property (e.g., vehicle registration, title number); and,
  • Information about an individual linked or linkable to the foregoing (e.g., date or place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).

Protecting PII

  1. You are responsible for protecting PII.
  2. Both electronic and physical records may contain PII and must be protected from unauthorized access and use.
  3. Managers are responsible for providing practical guidance to their employees in a job-related context, specifically identifying PII and its authorized collection, access, use, disclosure, storage, and destruction.
  4. Users are responsible for adhering to administrative, technical, and physical safeguards to ensure that only authorized persons have access to records and that information is used and disclosed only as authorized.
  5. Users are responsible for reporting all suspected or confirmed breaches of PII from NCUA applications, systems, and solutions to the NCUA via email to upon discovery.

5. Enrollment and Identity Proofing

SSA and Credit Union NCUA Connect Administrators are responsible for verifying their users’ identities. Identity proofing ensures the applicant is who they claim to be. This includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing, including obtaining evidence that supports the real-world existence of the claimed identity and verifies the applicant is appropriately associated with this real-world identity. [3] For example, the identity proofing and enrollment processes will be performed according to an applicable written policy or practices that specify the particular steps taken to verify identities.

  • Users are responsible for adhering to administrative, technical, and physical safeguards to ensure that only authorized persons have access to records and that information is used and disclosed only as authorized.
  • SSA and Credit Union NCUA Connect Administrators are responsible for removing access or requesting access removal from NCUA for users who no longer need access to NCUA systems within four (4) hours after the close of business on the last day access is needed.

6. Terms of Use

NCUA provides access to U.S. Government information systems for authorized use only. Use of these systems is monitored, recorded, and subject to audit. Access or use of NCUA systems constitutes a user’s understanding, acceptance, and consent to review, monitoring, and action by authorized government and law enforcement personnel. Unauthorized use, such as attempts or actions to (1) access, upload, change, delete, or deface information on an NCUA system; (2) modify an NCUA system; (3) deny access to this system; (4) accrue resources for unauthorized use; or (5) otherwise misuse an NCUA system, is strictly prohibited and may result in criminal, civil, or administrative penalties. By accessing an NCUA system, you are agreeing to these terms of use. The NCUA applications made available may be provided by a third-party affiliate. When using a third-party application, the user may be subject to its terms and licenses.

Corrective action may be taken for failure to follow these Rules of Behavior, including removal of access to NCUA applications. As with any disciplinary action, the particular facts and circumstances, including whether the incident was intentional, will be considered in taking appropriate corrective action.

The NCUA reserves the right to access and disclose the contents of official recorded messages without the consent of the user. The agency will do so when it believes there is a legitimate business need, including, but not limited to: investigating indications of misconduct or misuse, protecting health and safety, a need to locate substantive information required for agency business that is not more readily available in other ways, or to respond to a legal process requiring the agency to meet an obligation to a third party.

If you have any questions, please contact the NCUA Information System Security Officer at

Best Practices

The NCUA is providing the following best practices to inform you of considerations that can be implemented to mitigate security incidents.

1. Computer Password Creation Best Practices

  • Passwords should follow organizationally established password criteria.
  • Passwords should not contain your username or any part of your username.
  • When creating passwords, you should not use any easily obtainable information, such as your spouse’s or child’s name, license plate numbers, telephone numbers, social security numbers, or the name of the street, city, or town where you live.
  • Consider using passphrases. A passphrase is similar to a password in usage but is generally longer for added security. A passphrase should be:
    • Long enough to be hard to guess (e.g., automatically by a search program, as from a list of famous phrases).
    • Not a famous quotation from literature, holy books, etc.
    • Hard to guess by intuition -- even by someone who knows the user well.
    • Easy to remember and type accurately.
    • Consider adding a “space” after the phrase to be even more secure.

2. Computer Data Security Best Practices

  • Install updates in a timely manner.
  • Do not store IDs and passwords in plain text. If you must store passwords, use password protected files.
  • Never log onto your system while other individuals are able to see your keyboard.
  • Treat all credit union and examination data as sensitive and nonpublic.
  • Internal and external hard drives are all encrypted. If you must move sensitive data off these drives, take necessary precautions to protect this data.
  • Only store or transport sensitive data on approved storage devices. This includes devices such as smart phones, media players, and thumb drives.

3. Virus Prevention Best Practices

  • If you receive a message that your computer has been infected and the virus could not be purged, please contact your Technical Support Desk.
  • Carefully read system alert messages and call your Technical Support Desk if you have questions concerning an alert or how to respond to an alert.
  • Quarantine your system: if you discover that your system has been infected, immediately isolate it from other systems. Disconnect from the network and do not allow anyone to copy files from it to another system.
  • You may need to help your computer install security patches. Contact your Technical Support Desk for the appropriate procedures for system updates.

4. Email Best Practices

This section refers to messages including email, text messaging, voice messages and any other recorded official messages.

  • Never give out your email address to anyone that you do not know or trust.
  • Users should be aware that “attackers” can forge messages to appear as if messages originated from somewhere else, spreading false information and contributing to the release of sensitive proprietary data. If a message is suspect, its authenticity should be verified via telephone or fax.
  • Only open an email attachment if it is from a source you believe to be safe. Attachments received in an email message can infect your system.

5. Mobile Device Best Practices

  • Secure your mobile device when left unattended. If your mobile device is left in a vehicle, it should be hidden from view.
  • Contact your Technical Support Desk immediately if your mobile device is lost or stolen, and no later than 24 hours after becoming aware of the loss or theft.
  • Where possible, create a strong passcode required for access to your mobile device to prevent unauthorized users from gaining access to data.
  • Do not share your mobile device passcode or give access to the multifactor authentication client.


[1] Additional information is found on the NCUA’s Privacy webpage here:

[2] Office of Management and Budget Circular A-130

[3] Additional guidance is provided in NIST Special Publication 800-63.
