The NCUA’s ACET (Automated Cybersecurity Evaluation Toolbox) application provides credit unions the capability to conduct a maturity assessment aligned with the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool. Using the assessment within the toolbox allows institutions of all sizes to easily determine and measure their own cybersecurity preparedness over time.
The ACET maturity assessment is completely voluntary and does not introduce any new requirements or expectations on credit unions. It is simply a tool that allows credit unions to identify and determine their levels of cybersecurity preparedness.
Using the Toolbox to conduct assessments on a regular basis may help institutions to:
- Identify areas of risk proactively, before there is a problem
- Determine the depth and breadth of cyber risk your institution is exposed to
- Discover the institution's preparedness to deal with the cyber threats it may face
- Make decisions about security processes and programs based on the true nature of existing risk
- Use a measurable and repeatable process to assess risk preparedness over time
- Understand, address, and mitigate cybersecurity risks
- The Toolbox also houses the CISA’s Ransomware Readiness Assessment (RRA)
This new version 22.214.171.124 includes security updates and performance improvements. This version no longer requires the use of IIS Express, and SQL Server 2012 Express LocalDB, which is no longer supported.
Those with a NCUA-issued laptop should use the NCUA's internal Company Portal instead.
Installation Guidelines for the ACET Toolbox
It is recommended that users meet the minimum system hardware and software requirements before installing the ACET toolbox. Additional information is also published in the Quick Installation Guide.
- Pentium dual core 2.2 GHz processor (Intel x86 compatible)
- 6 GB free disk space
- 4 GB of RAM
- Microsoft Windows 10 or higher
- Microsoft .NET Core 6.0 Runtime (included in ACET installation)
- SQL Server 2019 Express LocalDB (included in ACET installation).
Please note previous versions of the ACET Toolbox required SQL Server 2012 Express LocalDB which is no longer supported
Additional ACET Resources
Other Cybersecurity Assessment Tools
FFIEC Cybersecurity Assessment Tool (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)
The FFIEC has released a tool to help credit unions better evaluate their level of cybersecurity preparedness. The Assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The Assessment incorporates cybersecurity-related principles from the FFIEC Information Technology (IT) Examination Handbook and regulatory guidance, and concepts from other industry standards, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework
CISA Ransomware Readiness Assessment (RRA) (opens new window) (You will be leaving NCUA.gov and accessing a non-NCUA website. We encourage you to read the NCUA's exit link policies. (opens new page).)
The RRA is a self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend and recover from a ransomware incident. CISA has tailored the RRA to varying levels of ransomware threat readiness to make it useful to all organizations regardless of their current cybersecurity maturity. The RRA:
- Helps organizations evaluate their cybersecurity posture, with respect to ransomware, against recognized standards and best practice recommendations in a systematic, disciplined, and repeatable manner.
- Guides asset owners and operators through a systematic process to evaluate their operational technology (OT) and information technology (IT) network security practices against the ransomware threat.
- Provides an analysis dashboard with graphs and tables that present the assessment results in both summary and detailed form.
The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience as well as provide a gap analysis for improvement based on recognized best practices.