In 2018, the NCUA began piloting the use of the Automated Cybersecurity Examination Tool (ACET) based on the FFIEC's Cybersecurity Assessment Tool (CAT) to review credit unions. While the ACET mirrors the CAT in content, ACET provides additional features and details to help credit unions and the NCUA examine and benchmark the industry's cybersecurity preparedness.
What are the additional features of the ACET as compared to CAT? Let's take a look…
ACET is a spreadsheet
While the FFIEC Cybersecurity Assessment Tool (CAT) was called a tool, it was released in the form of a PDF download. This forced financial institutions to complete the tool manually on paper, to develop their own mechanism to electronically complete the assessment, or to use third-party software such as Tandem to complete the assessment. The ACET was released by the NCUA as a spreadsheet, partly, to provide credit unions a functional option for completing the CAT.
ACET includes a dashboard
The first sheet in the ACET spreadsheet is a dashboard. The dashboard provides summary information of the credit union, a completion status for the inherent risk profile and cybersecurity maturity, and inherent risk levels. The dashboard is helpful to let the credit union and their examiner see the completion status of the assessment.
ACET has an Admin sheet for NCUA examination use
ACET was primarily designed to be used during NCUA examinations; therefore, the NCUA included an Admin sheet to be used by NCUA examiners. This sheet is primarily used to calculate and track review hours used during the examination process.
ACET contains a document request list
Since ACET is used as an examination tool, or work program, a document request list was added. The current version (v032618) of the ACET does not have a hyperlink from each document request to any inherent risk questions or maturity statements. However, validation text added to these statements, in many cases, does reference back to the requested items.
ACET adds validation text to inherent risk statements
Answers to the inherent risk profile statements help institutions determine their overall cybersecurity inherent risk. ACET expanded these statements to include "Validation Approaches" for each inherent risk statement. The validation approaches language describes what an institution or examiner should review to answer, or validate the answer to, an inherent risk statement. In many cases, these validation approaches reference back to documents you can review from the document request list.
ACET summarizes maturity in a Maturity Details sheet
The ACET includes a sheet called "Mat. Details." This table provides a summary of the institution's maturity. Percentages of "Yes" answers are displayed by Component for each maturity level. This view provides a snapshot of the intuition's cybersecurity maturity across all of the Components.
ACET provides additional reporting fields for declarative statements
The ACET includes additional columns to help institutions document evidence or additional information related to each cybersecurity maturity declarative statement in the "Domain" sheets. The first additional column, Comment [Required for Yes(c)], was added for credit unions to have a place to explain the "Yes with compensating controls" answer. Two additional columns, Reviewed and Suggested Edits, were added to help examiners when reviewing the ACET.
ACET incorporates a guide with additional commentary and mappings
The ACET includes a sheet named "Guide" with additional commentary and mappings to help an institution or examiner understand and answer the cybersecurity maturity declarative statements. The additional columns include:
- Comment: commentary with additional details describing what is expected from the declarative statement and what value the control has on cybersecurity.
- Examination Approaches: describes what an institution or examiner should review to answer or validate the answer to a declarative statement.
- Baseline Mapping: mapping declarative statements to the FFIEC IT Examination Handbooks. These are the same mappings in the CAT Appendix A.
- NIST Mapping: mapping declarative statements to NIST.
ACET and Tandem
When the FFIEC Cybersecurity Assessment Tool (CAT) was first released, Tandem developed an application to aid in its use. Now Tandem has updated the tool to include the additional ACET features and to allow Credit Unions to complete the assessment through Tandem and download the results in the ACET spreadsheet format. The Tandem SaaS comes in both a free and paid version. Join more than 1,000 other financial institutions and sign up for the free Tandem Cybersecurity Assessment Tool today by visiting conetrix.com/tandem/cybersecurity-assessment-tool-ffiec.