NEWS: The Federal Financial Institutions Examination Council (FFIEC) – a group of federal financial regulators that includes the NCUA – has issued a new booklet to help examiners assess information technology (IT) practices.
Highlights of the new “Development, Acquisition, and Maintenance” booklet include:
- The booklet outlines the principles and practices for managing development, acquisition, and maintenance (“DA&M”) that examiners review to assess a credit union’s DA&M functions. The booklet also helps examiners determine whether management adequately addresses risks related to DA&M and delivery of critical financial products and services.
- This booklet focuses on enterprise-wide, process-oriented approaches that relate to the development of IT systems and components within the overall enterprise and business structure, acquisition of IT systems and components, and maintenance of IT systems and components to provide ongoing value for members.
- The booklet also contains updated procedures to help examiners evaluate the adequacy of a credit union’s programs related to DA&M. The booklet focuses on assessing a credit union’s governance of common DA&M-related risks, enterprise-wide IT development planning and design, acquisition of IT systems and components, and maintenance and change control processes.
- The new booklet replaces the “Development and Acquisition” booklet issued in April 2004. The change in the title reflects the expanded role IT plays in supporting enterprise and business operations and meeting internal and external expectations.
- The industry principles and frameworks included provide examiners with a durable means to assess development, acquisition, and maintenance. The booklet does not impose new requirements.
New booklet is part of an IT series
The new booklet is just one in a series of IT-related booklets that make up the FFIEC’s “Information Technology Examination Handbook.” The booklets in the series are:
- Audit
- Business Continuity Management
- Development, Acquisition, and Maintenance
- Information Security
- Management
- Architecture, Infrastructure, and Operations
- Outsourcing Technology Services
- Retail Payment Systems
- Supervision of Technology Service Providers
- Wholesale Payment Systems
- Archived Booklets
FFIEC also sunsetting its Cybersecurity Assessment Tool
The FFIEC also recently announced the sunsetting of its Cybersecurity Assessment Tool on August 31, 2025. The tool was released in 2015 as a voluntary assessment to help financial institutions identify their risks and determine their cybersecurity preparedness.
While this decision impacts the broader financial services industry, NCUA’s Automated Cybersecurity Examination Tool (ACET) will continue to be supported and remain available for credit unions to use. The ACET is available for free download on the NCUA’s website.
An NCUA announcement said:
As geopolitical events evolve, credit unions of all sizes must understand and operate under the assumption that they remain targets of not just cybercriminals, but foreign nations that intend to cause harm to critical infrastructure in the United States—of which credit unions are a vital part. As such, the NCUA encourages credit unions to use the ACET as a tool for assessing cybersecurity preparedness levels. The ACET has been tailored specifically for credit unions and includes a user-friendly application interface, enhanced reporting features, and supplementary information. The ACET also includes added information and reporting capabilities not found in the FFIEC’s Cybersecurity Assessment Tool.
Please visit the NCUA’s Cybersecurity Resource Center for additional tools and resources. …
The NCUA continues to encourage credit unions to use the ACET as a critical component of their cybersecurity assessment and risk management practices.
For questions or concerns regarding the ACET or cybersecurity in general, please contact your NCUA examiner.

