The NCUA’s ACET (Automated Cybersecurity Evaluation Toolbox) application provides credit unions the capability to conduct a maturity assessment aligned with the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool. Using the assessment within the toolbox allows institutions of all sizes to easily determine and measure their own cybersecurity preparedness over time.
The ACET self-assessment is completely voluntary and does not introduce any new requirements or expectations on credit unions. It is simply a tool that allows credit unions to identify and determine their levels of cybersecurity preparedness.
Using the Toolbox to conduct assessments on a regular basis may help institutions to:
- Identify areas of risk proactively, before there is a problem
- Determine the depth and breadth of cyber risk your institution is exposed to
- Discover the institution's preparedness to deal with the cyber threats it may face
- Make decisions about security processes and programs based on the true nature of existing risk
- Use a measurable and repeatable process to assess risk preparedness over time
- Understand, address, and mitigate cybersecurity risks
The Toolbox also houses the CISA’s Ransomware Readiness Assessment (RRA).
Those with an NCUA-issued laptop should use the NCUA's internal Company Portal instead.
Installation Guidelines for the ACET
It is recommended that users meet the minimum system hardware and software requirements before installing ACET. Additional information is also published in the Quick Installation Guide and in the System Basics chapter of the ACET User Guide.
- Pentium dual-core 2.2 GHz processor (Intel x86 compatible)
- 6 GB free disk space
- 4 GB of RAM
- Microsoft Windows 10 or higher
- Microsoft .NET Framework 4.7 Runtime
- SQL Server 2012 Express LocalDB (included in ACET installation)
- IIS Express 8 (included in ACET installation)
Additional Guidance on Installation
- For all platforms, it is recommended the user upgrade to the latest Windows Service Pack and install critical updates available from the Windows Update website to ensure the best compatibility and security.
- If the install must be made through physical media, a USB port will be required.
- If PDF output is desired, HTML reports will need to be converted to PDF using an external utility.
- If the Microsoft .NET Framework 4.7 Runtime is not available on the user's computer, ACET will automatically install it, which can add several minutes to the installation time.
- Internet Explorer isn't supported.
- The NCUA partnered with the Department of Energy’s Idaho National Laboratory to produce the ACET application. During installation, the certificate displayed will be from the Department of Energy (DOE) and is a trusted certificate.
Additional ACET Resources
- Quick Installation Guide
- User Guide
- Ransomware Readiness Assessment Guide
Other Cybersecurity Assessment Tools
The FFIEC has released a tool to help credit unions better evaluate their level of cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The RRA is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident. CISA has tailored the RRA to varying levels of ransomware threat readiness to make it useful to all organizations regardless of their current cybersecurity maturity. The RRA:
- Helps organizations evaluate their cybersecurity posture, with respect to ransomware, against recognized standards and best practice recommendations in a systematic, disciplined, and repeatable manner.
- Guides asset owners and operators through a systematic process to evaluate their operational technology (OT) and information technology (IT) network security practices against the ransomware threat.
- Provides an analysis dashboard with graphs and tables that present the assessment results in both summary and detailed form.
The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.