Cybersecurity Resources

NCUA recognizes the importance of cybersecurity and using the web safely and securely.

The information on this page is offered as resources for research and informational purposes. It may not reflect all of the requirements or guidance in this area and should not be construed as requirements except as noted. The NCUA does not endorse any vendor, service, or product.

When you access the links below, you might leave the NCUA’s site.


NCUA Regulations and Guidance

Examiner’s Guide

The Examiner's Guide sets out guidance for an examiner on the NCUA's examination and supervision of credit unions. The primary goal is to ensure the overall safety and soundness of the credit union system via a risk-focused examination and supervision program. Chapter 6 provides guidance on information systems and technology.

AIRES IT Exam Questionnaires

The NCUA has updated its IT examination questionnaires to facilitate an increased risk-focused review of a credit union’s information technology environment. The updated IT questionnaire workbook consists of two tiers: Tier I questionnaires focus on the highest priority review areas, including electronic banking, while Tier II questionnaires are designed to address more technical network, security, and related technology issues. The new IT questionnaires now include a second workbook with two questionnaires for generalist examiners to review credit union information security programs, electronic banking security, and website compliance. Please note that most questions include comments to provide additional context or terminology for better comprehension.


Federal Government Requirements and Guidelines

FFIEC Cybersecurity Assessment Tool Frequently Asked Questions

The NCUA expects credit unions to have the appropriate procedures in place to anticipate, identify, and mitigate cybersecurity risks. Specific expectations can be found in the body and appendices of Part 748 of NCUA regulations as well as the FFIEC IT Examination Handbooks. FFIEC’s cybersecurity assessment tool is provided to help them assess their level of preparedness, and NCUA examiners will use the tool as a guide for assessing cybersecurity risks in credit unions. Credit unions may choose whatever approach they feel appropriate to conduct their individual assessments, but the assessment tool would still be a useful guide. FFIEC has posted frequently asked questions about the assessment tool here.

FFIEC Cybersecurity Assessment Tool

The FFIEC has released a new tool to help credit unions better evaluate their level of cybersecurity preparedness.

NIST Special Publications

Special Publications in the 800 series present documents of general interest to the computer security community. The Special Publication 800 series was established in 1990 to provide a separate identity for information technology security publications. This Special Publication 800 series reports on ITL's research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Security and Privacy Controls for Federal Information Systems and Organizations



Information Sharing Forums on Cyber Threats

Financial Services Information Sharing and Analysis Center

Launched in 1999, FS-ISAC was established by the financial services sector in response to 1998's Presidential Directive 63. That directive - later updated by 2003's Homeland Security Presidential Directive 7 - mandated that the public and private sectors share information about physical and cybersecurity threats and vulnerabilities to help protect the U.S. critical infrastructure.

National Credit Union Information Sharing Analysis Organization

Following the signing of the Cybersecurity Information Sharing Act (CISA) into law, the National Credit Union ISAO was established in 2016 to address the unique needs of the nation’s Credit Unions, advancing cyber resilience through information sharing, education, operational guidance, and regulatory compliance.

FFIEC Cybersecurity Assessment General Observations

Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement

United States Computer Emergency Readiness Team (US-CERT)

The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans. US-CERT strives to be a trusted global leader in cybersecurity – collaborative, agile, and responsive in a dynamic and complex environment.

FBI Infragard

InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the U.S.


Best Practices

Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook Infobase

The FFIEC Information Technology Examination Handbook is comprised of individual booklets. These booklets represent a series of updates to the existing 1996 FFIEC Information Systems Examination Handbook. They address significant changes in the financial institution technology since 1996. They incorporate changes in technology-related risks and controls and follow a risk-based approach to evaluating risk management practices. The booklets provide valuable information to both examiners and financial institution management.

IT Booklets

Twenty Critical Security Controls for Effective Cyber Defense

The Critical Security Controls effort focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on "What Works" - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness. Standardization and automation is another top priority, to gain operational efficiencies while also improving effectiveness. The US State Department has previously demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.

SANS Reading Room Best Practices

The SANS Institute was established in 1989 as a cooperative research and education organization. Its programs now reach more than 165,000 security professionals around the world. A range of individuals from auditors and network administrators, to chief information security officers are sharing the lessons they learn and are jointly finding solutions to the challenges they face. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community.

Technical Guide to Information Security Testing and Assessment


Additional Resources


FAQs on Ransomware and Supply Chain Risk Management

Ransomware Information
Payment Card Industry (PCI)

FFIEC InfoBase Booklets

Business Continuity Planning
Development and Acquisition
Information Security
Outsourcing Technology Services
Retail Payment Systems
Supervision of Technology Service Providers (TSP)
Wholesale Payment Systems

FFIEC InfoBase NCUA Resources

Business Continuity Planning
Information Security
Outsourcing Technology Services
Retail Payment Systems

Federal Reserve Financial Services – Federal Reserve Bank Operating Circulars

Federal Reserve System - Regulations

  • 12 CFR 205 – Electronic Fund Transfers (Regulation E)
  • 12 CFR 210 – Collection of Checks and Other Items by Federal Reserve Banks and Funds Transfers through Fedwire (Regulation J)
  • 12 CFR 229 – Availability of Funds and Collection of Checks (Regulation CC) (Check Clearing for the 21st Century Act)
  • 12 CFR 233 – Prohibition on Funding of Unlawful Internet Gambling (Regulation GG)
  • 31 CFR Chapter X - Financial Crimes Enforcement Network, Department of the Treasury (Bank Secrecy Act)

FFIEC Bank Secrecy Act / Anti-Money Laundering Examination Manual

NACHA Operating Rules

Uniform Commercial Code Article 4A
