NCUA External User Rules of Behavior

The NCUA is responsible for protecting the privacy of individuals who interact with the agency, whether the information about those individuals is in electronic or physical form.  These Rules of Behavior address privacy and security obligations and the specific computer security controls that must be followed when collecting, maintaining, using, or distributing agency information in electronic or physical form.  These rules apply to anyone who is issued an NCUA device, accesses NCUA data, or uses an NCUA system.

External users of NCUA systems have a responsibility to protect government assets and NCUA proprietary information from loss, theft, and misuse.  Users of NCUA systems are responsible for ensuring that their activities do not circumvent NCUA information security controls or violate any rules described in this document.  Any user who knows of, or reasonably suspects, an attempt by any individual to circumvent these rules or illegally gain access to an NCUA system must report the information immediately to OneStop at OneStop@ncua.gov.

Each user shall use the tools provided by the NCUA, including the secure file transfer portal (known as “Partner Gateway”), encrypted email options, and MERIT to securely transfer sensitive, confidential, or personally identifiable electronic information.

1. Responsibilities

These Rules of Behavior apply to local, network, and remote use of NCUA information (in both electronic and physical forms) and information systems by any individual.  By accessing NCUA systems, users attest that they have read these terms, understand them, and agree to them.  Since these rules cannot account for every possible situation, users shall use their best judgment and highest ethical standards to guide their actions.  By agreeing to and acknowledging these rules, the user signifies understanding and acceptance of NCUA security requirements.  The NCUA shall verify that users who have or require access to NCUA information systems and associated data have read and accepted these Rules of Behavior.  NCUA reserves the right to disable accounts for security reasons until the issue is investigated and resolved.

2. Network/Internet Security

  • Do not physically plug your personally owned computing devices into the NCUA network at any NCUA office. This includes personally owned computers, wireless routers, and wireless access points.
  • Do not attempt to gain unauthorized access to any computing system, circumvent data protection schemes, or uncover security loopholes. This includes creating or running programs designed to identify security loopholes or to decrypt sensitive data sources.
  • Consider all information from the Internet suspect until it is confirmed by separate information from another source.
  • Contacts made over the Internet should not be trusted with agency information unless a due diligence process and confirmation have first been performed.
  • Proprietary or private information must not be sent over the Internet unless it has first been encrypted.
  • Do not post non-public NCUA information on public websites.
  • Do not attempt to view, download, store, transmit, or copy any material or communication that is, or is related to, any of the following:
    • Sexually explicit or oriented;
    • Gambling;
    • Illegal weapons;
    • Terrorist activities;
    • Illegal or otherwise prohibited;
    • Offensive to co-workers; and/or
    • An embarrassment to NCUA.

3. Computer Password Creation Guidelines

  • Passwords must follow organizationally established password criteria.
  • Passwords may not contain your user name or any part of your user name.
  • Do not use easily obtainable information in a password, such as your spouse’s or child’s name, license plate numbers, telephone numbers, social security numbers, or the name of the street, city, or town where you live.
  • Consider using passphrases. A passphrase is similar to a password in usage, but is generally longer for added security. A passphrase should be:
    • Long enough to be hard to guess (e.g., by a program searching a list of famous phrases);
    • Not a famous quotation from literature, holy books, etc.;
    • Hard to guess by intuition, even by someone who knows the user well;
    • Easy to remember and type accurately; and
    • Optionally followed by a trailing “space” for additional length (note that some systems strip leading and trailing spaces from a password, so confirm the system accepts it before relying on it).

4. Computer Data Security Best Practices

  • Install updates in a timely manner.
  • Do not store IDs and passwords in plain text. If you must store passwords, keep them only in a password-protected (encrypted) file.
  • Never log onto your system while other individuals are able to see your keyboard.
  • Treat all credit union and examination data as sensitive and nonpublic.
  • Your internal and external hard drives, as well as the NCUA thumb drive, are all encrypted. If you must move sensitive data off these drives, take the necessary precautions to protect it.
  • Do not store or transport sensitive data on non-approved storage devices. This includes smart phones, media players, and thumb drives not issued by NCUA.

5. Virus Prevention Best Practices

  • If you receive a message that your computer has been infected and the virus could not be purged, contact your Technical Support Desk.
  • Carefully read alerts from your firewall.  Call your Technical Support Desk if you have questions about an alert or how to respond to it.
  • If you discover that your system has been infected, quarantine it immediately: disconnect it from the network, isolate it from other systems, and do not allow anyone to copy files from it to another system.
  • You may need to help your computer install security patches.  Contact your Technical Support Desk for the appropriate patch update procedures.

6. Multifactor Authentication Security

  • Do not share your multifactor authentication software or soft token passwords with anyone else.
  • Do not leave your multifactor authentication client or soft token passwords unattended or written where others can see them.
  • Immediately call your Technical Support Desk if you lose the phone on which the multifactor authentication software is installed.

7. Email Best Practices

This section refers to all official NCUA messages including email, text messaging, voice messages and any other recorded official messages.

  • Never give out your e-mail address to anyone you do not know or trust. This includes websites asking for your personal information, since addresses are often used for advertising or sold to spamming organizations.
  • Be careful with personal information. Remember that once a message is sent, you cannot control who will ultimately read it. If you are quoted out of context, this could embarrass the agency.
  • Nonpublic and sensitive information should not be included in an e-mail or text message.
  • View messages only if you know the sender.
  • Users should be aware that attackers can forge messages to appear as if they originated from somewhere else, spreading false information and contributing to the release of sensitive proprietary data. If a message is suspect, verify its authenticity by telephone or fax.
  • Only open an e-mail attachment if you previously arranged for it to be sent to you from a source you believe to be safe. Attachments received in an e-mail message can infect your system.
  • Users are prohibited from sending sensitive, nonpublic or proprietary information to unauthorized persons or organizations.
  • The following items are not permitted:
    • Using electronic mail for unlawful activities, commercial purposes or personal financial gain.
    • Sending documents in violation of copyright laws.
    • “Spoofing,” i.e., constructing an e-mail message so that it appears to be from someone else.
    • “Snooping,” i.e., accessing the files or e-mails of others to satisfy idle curiosity, with no substantial business purpose.
    • Attempting to breach security or to intercept e-mail transmissions without authorization.
    • Sending chain letters, floods, and/or junk mail.
    • Using mail to harass, intimidate, or otherwise annoy another person, such as by broadcasting unsolicited messages or sending unwanted mail.
  • Do not attempt to view, download, store, transmit, or copy any material or communication that is, or is related to, any of the following:
    • Sexually explicit or oriented;
    • Gambling;
    • Illegal weapons;
    • Terrorist activities;
    • Illegal or otherwise prohibited;
    • Offensive to co-workers; and/or
    • An embarrassment to NCUA.
  • Messages no longer needed for agency purposes should be periodically purged consistent with records retention requirements.
  • NCUA reserves the right to access and disclose the contents of official recorded messages without the consent of the user. The agency will do so when it believes there is a legitimate business need, including, but not limited to: investigating indications of misconduct or misuse, protecting health and safety, a need to locate substantive information required for agency business that is not more readily available in other ways, or to respond to a legal process requiring the agency to meet an obligation to a third party.

8. iPhone/Mobile Device Best Practices

You are responsible for the safekeeping and security of your mobile device with the multifactor client installed.

  • Secure your mobile device when it is left unattended. If your mobile device is left in a vehicle, it should be hidden from view.
  • Contact your IT Support Help Desk immediately if your mobile device is lost or stolen, and no later than 24 hours after becoming aware of the loss or theft.
  • Where possible, set a strong passcode required for access to your mobile device to prevent unauthorized users from gaining access to its data.
  • Carefully research any personal-use application before downloading it to reduce the risk of a security breach, and use social media applications with caution.
  • Uninstall the NCUA multifactor authentication client if you no longer need access to NCUA applications.
  • Do not share your mobile device passcode or give anyone else access to the multifactor authentication client.

9. Personally Identifiable Information (PII)

  • PII is any information, or combination of information, that can be used to determine an individual’s identity.
  • Examples of PII include:
    • Personal identification numbers (e.g., SSN, driver’s license number, credit card number);
    • Address information (e.g., street address or e-mail address);
    • Telephone numbers;
    • Personal characteristics (e.g., fingerprints, photos, x-rays);
    • Information identifying personally owned property (e.g., vehicle registration, title number); and,
    • Information about an individual linked or linkable to the foregoing (e.g., date or place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).

Protecting PII

  • You are responsible for protecting PII.  NCUA will hold users accountable for safeguarding PII.
  • Both electronic and physical records may contain PII and must be protected from unauthorized access and use.
  • Managers are responsible for providing practical guidance to their employees in a job-related context, specifically identifying PII and its authorized collection, access, use, disclosure, storage, and destruction.
  • Users are responsible for adhering to administrative, technical, and physical safeguards to ensure only authorized persons have access to records and information that is used and disclosed only as authorized.

10. Enrollment and Identity Proofing

  • SSA and Credit Union NCUA Connect Administrators are responsible for verifying their users’ identities.  Identity proofing ensures that the applicant is who they claim to be.  This includes presentation, validation, and verification of the minimum attributes necessary to accomplish identity proofing, including obtaining evidence that supports the real-world existence of the claimed identity and verifying that the applicant is appropriately associated with this real-world identity¹.  For example,
  • The identity proofing and enrollment processes will be performed according to an applicable written policy or practice statement that specifies the particular steps taken to verify identities.
  • Users are responsible for adhering to administrative, technical, and physical safeguards to ensure only authorized persons have access to records and information that is used and disclosed only as authorized.
  • SSA and Credit Union NCUA Connect Administrators are responsible for removing access or requesting access removal from NCUA for users who no longer need access to NCUA systems within four (4) hours after the close of business on the last day access is needed.

11. Disciplinary Action

Corrective action may be taken for failure to follow these Rules of Behavior.  In addition to any civil or criminal penalties that may be imposed, applicable consequences include removal of access to NCUA applications.  As with any disciplinary action, the particular facts and circumstances, including whether the breach was intentional, will be considered in determining appropriate corrective action.

  • A failure to follow the rules includes, but is not limited to:
    • Failing to adhere to NCUA policies;
    • Failing to adhere to policy for safeguarding PII and maintaining security controls regardless of whether such action results in the loss of control or unauthorized disclosure of PII;
    • Exceeding authorized access to, or disclosing to unauthorized persons, PII;
    • For managers, failing to adequately instruct, train, or supervise employees in their responsibilities.

If you have any questions, please contact the NCUA Information System Security Officer at bimail@ncua.gov.


Additional guidance is provided in NIST Special Publication 800-63.

Last modified on 08/27/19