NCUA and FFIEC Cybersecurity Regulations and Server Hardening

Jonny Gold
Published on: July 20, 2025

The National Credit Union Administration (NCUA) was created to insure and regulate the credit union industry. Under the Code of Federal Regulations, Part 748, each federally insured credit union is required to develop a security program within 90 days of the effective date of insurance. To ensure that credit unions comply with federal cybersecurity requirements, the NCUA collaborates with the Federal Financial Institutions Examination Council (FFIEC) to set examination standards. A key part of these standards is hardening using CIS Benchmarks.

In this guide, we will provide the necessary background and context to understand and comply with the FFIEC’s hardening requirements. We will review each requirement and summarize exactly what you need to know to implement it. We will provide you with additional resources to support you. Next, we will examine the challenges involved in complying with, managing, and enforcing FFIEC system hardening requirements. We will then demonstrate the benefits of using a compliance automation solution, such as CalCom’s Hardening Suite (CHS).

What You Will Learn

  • The importance of server hardening in the NCUA examination process
  • The relationship between the NCUA and FFIEC
  • The industry standards on which the examination standards are built
  • The specific requirements you need to implement
  • Each requirement within its particular context
  • What actions you need to take to implement and comply with these requirements


NCUA and FFIEC Hardening Standards: In-Depth Guide

Drawing on existing industry standards, such as NIST SP 800-53, the NIST Cybersecurity Framework (CSF), CIS Controls and Benchmarks, and PCI DSS, the FFIEC creates examination standards. To assist NCUA members with the auditing process, the FFIEC publishes IT Examination Handbooks. A key part of this process is server hardening, which the FFIEC Information Security Handbook defines as:

“The process of securing a computer’s administrative functions or inactivating those features not needed for the computer’s intended business purpose.”

The following table summarizes the FFIEC’s hardening requirements:

Domain (Handbook)                          | Section                          | Requirement                                                                                                                          | References
-------------------------------------------|----------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------
Information Security and Risk Management   | II.C, Risk Management            | Off-the-shelf hardware and software must be hardened.                                                                                | CIS Benchmarks
                                           | Appendix A: Objective 6          | Determine whether hardening is part of an organization’s change management process.                                                  |
Architecture, Infrastructure, and Operations | V.B.1 Network                  | Network components, including networking hardware and software, must be hardened to ensure security.                                 | NIST Checklist Program
Development, Acquisition, and Maintenance  | IV.B Commercial-off-the-Shelf    | Hardening policies must include changing default passwords, configuring system security settings, enabling logging, and regular backups. | CIS Critical Security Control 7: Continuous Vulnerability Management
                                           | V.C.2 DevSecOps                  | CI/CD pipelines, including servers hosting code and artifact repositories, must be hardened.                                         | NIST SP 800-204C

Let’s take a deeper look at these requirements.

Information Security and Risk Management

The foundations of the FFIEC cybersecurity requirements are described in the FFIEC Information Security Handbook. The handbook’s main hardening recommendations appear in Section II.C, Risk Management, within subsection II.C.10, Change Management Within the IT Environment. Under II.C.10(b) Hardening, the handbook discusses hardening in the context of commercial off-the-shelf (COTS) products, including networking equipment, servers, client devices (desktops, laptops, smartphones, tablets, etc.), and software (operating systems, applications, etc.). Additionally, it recommends removing unnecessary software and services, installing software updates and patches, and implementing strict access controls to manage user privileges.

The handbook also discusses hardening as part of Appendix A: Examination Procedure:

Objective 6: Determine whether management effectively implements controls to mitigate identified risk.

Requirement 11 requires examiners to determine whether hardening is performed as part of an organization’s change management process for systems and applications. Requirement 13 extends system hardening to include services, security patches, access control, and privilege management.

These requirements can be implemented using CIS Benchmarks. The benchmarks provide configuration and hardening guidance for more than twenty-five product families as part of a global cybersecurity initiative.

Architecture, Infrastructure, and Operations

The Information Security Handbook looks at hardening in the context of individual devices, hardware, and software. In today’s network infrastructure, devices do not work in isolation. Instead, they share resources and communicate with each other over a network. The Architecture, Infrastructure, and Operations handbook takes this into account and expands the scope of hardening accordingly. Section II.C, Policies, Standards, and Procedures, states that hardening procedures are required as part of an organization’s Architecture, Infrastructure, and Operations (AIO) policies. In addition, Section V.B.1, Network, extends the Information Security Handbook’s hardening recommendations to network components, including networking hardware and software.

Development, Acquisition, and Maintenance

IT infrastructure is not static; it changes and evolves over time. Although the speed of change varies according to an organization’s needs, these changes occur in defined stages. As its name suggests, the Development, Acquisition, and Maintenance Handbook divides the IT operational lifecycle into three distinct phases, establishing requirements and recommendations for each stage.

Starting with Section IV, Common Development, Acquisition, and Maintenance Risk Topics, the Action Summary states that system controls, such as secure coding requirements and baseline configuration, must be included in the security controls that harden systems and components.

Section IV.B, Commercial-off-the-Shelf, examines the acquisition process by revisiting the Information Security Handbook and includes further recommendations, such as changing default passwords, configuring system security settings, enabling logging, and performing regular backups.
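The recommendations above (II.C.10 and Appendix A Objective 6: hardening as part of change management; IV.B: configuring system security settings and enabling logging) all come down to the same operational task: compare a system's actual configuration against an approved baseline and report every deviation. The following is an added illustration of that check, written for this article and not part of any CalCom product or FFIEC handbook. It parses an sshd_config-style file and compares it with a CIS-style baseline. The option names are real sshd_config keywords, but the required values, the sample configuration, and the function names are constructed for this example. A setting that is absent (and therefore left at the daemon's default) is reported separately from a setting that is present but wrong, because "configuring system security settings" means setting them explicitly rather than trusting defaults.

```python
"""Baseline compliance check for a key/value daemon configuration (added example).

A CIS-style baseline for sshd_config is compared against a configuration
captured from a host. Both the baseline values and the sample configuration
are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: option -> value the hardening policy requires.
# The keywords are real sshd_config options; the required values are an
# illustrative policy, not a quotation of any CIS Benchmark.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "LogLevel": "VERBOSE",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of a host's sshd_config as captured before hardening.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
LogLevel INFO
MaxAuthTries 4
Subsystem sftp /usr/lib/openssh/sftp-server
"""


@dataclass(frozen=True)
class Finding:
    option: str
    expected: str
    actual: Optional[str]  # None: the option is not set, so the daemon default applies
    status: str            # "pass", "fail" or "unset"


def parse_config(text: str) -> dict:
    """Parse an sshd_config-style file into {keyword: value}.

    Blank lines and comments are ignored. sshd honours the first occurrence of
    a duplicated keyword, so the first value wins here too. Keywords are matched
    case-insensitively, as sshd does; values keep their original case.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a keyword without a value is not a usable setting
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_baseline(config_text: str, baseline: dict) -> list:
    """Return one Finding per baseline option: pass, fail, or unset (default in effect)."""
    settings = parse_config(config_text)
    findings = []
    for option, expected in baseline.items():
        actual = settings.get(option.lower())
        if actual is None:
            status = "unset"
        elif actual.lower() == expected.lower():
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(option, expected, actual, status))
    return findings


def drift_summary(findings: list) -> dict:
    """Count findings by status; anything other than all-pass is drift from the baseline."""
    return {s: sum(1 for f in findings if f.status == s) for s in ("pass", "fail", "unset")}


if __name__ == "__main__":
    results = check_baseline(SAMPLE_CONFIG, BASELINE)
    for f in results:
        shown = f.actual if f.actual is not None else "<not set, daemon default>"
        print(f"{f.status.upper():5} {f.option}: expected {f.expected!r}, found {shown}")
    print(drift_summary(results))
```

Run against the constructed sample, the check reports two passing options, two failing ones (PermitRootLogin and LogLevel) and two unset ones (PasswordAuthentication, which is commented out, and X11Forwarding, which is absent). In a change management process this kind of report is what the examiner's "is hardening performed" question reduces to: the same check runs before a change is approved and again after it is deployed, and any non-pass finding is drift that must be remediated or documented.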

In recent years, many operations teams have adopted the DevOps methodology. Section V.C.1 defines DevOps as:

“A set of practices for automating the processes between software development and information technology operations teams so that they can build, test, and release software faster and more reliably.”

It notes that DevOps practices can be used to automate configuration management and server hardening. Section V.C.2, DevSecOps, describes a newer form of DevOps that integrates security processes into the DevOps workflow. It adopts the NIST SP 800-204C requirement that, as part of a CI/CD pipeline, servers hosting code and artifact repositories must be hardened.

From Theory to Practice: Implementing NCUA and FFIEC Server Hardening

Managing and enforcing NCUA and FFIEC hardening requirements is a challenge for IT and operations teams in organizations of any size; however, the scale of the challenge grows in proportion to the organization’s size and its server and networking infrastructure. This poses a fundamental problem for organizations managing large server environments, as implementing and managing secure baselines is both labor-intensive and error-prone. Enforcing baselines on production servers can also cause system outages and application malfunctions.

We started this article with the Federal Regulation Part 748, which requires each federally insured credit union to develop a security program. Next, we explained how the NCUA and FFIEC work together to audit credit union cybersecurity compliance. We demonstrated how server hardening is a key element of the examination process, and how this relates to CIS Benchmarks. This was followed by an in-depth examination of each specific hardening requirement as presented in its source IT Examination handbook. Using this information, you can understand the size and complexity of the challenge and start planning how to manage your organization’s NCUA compliance.

Key Takeaways

  • The background behind the NCUA cybersecurity recommendations
  • How the NCUA and FFIEC work together, and the roles of each organization within the regulatory process
  • An understanding of why hardening is a key component of the compliance process
  • Using CIS Benchmarks to implement server hardening
  • The key requirements you need to comply with
  • An in-depth knowledge of each requirement
  • How to implement each hardening requirement

How CalCom Can Help You

This article demonstrates the central role of system hardening in the NCUA regulatory process and the FFIEC examination process. To complete a successful audit, hardening is necessary across your entire IT infrastructure. Hardening your systems manually across your organization can be error-prone and time-consuming. An automated hardening solution will help you achieve better results more quickly.

CalCom’s Hardening Suite (CHS) is a baseline hardening solution designed to address the needs of IT operations and security teams. CHS significantly reduces operational costs and eliminates service downtime by indicating the impact of a security baseline change directly on the production environment. CHS’s automated process simulates the effect of a change in the production environment, removing the need to test changes in a lab environment. CHS enables you to:

  • Deploy security baselines without affecting the production services.
  • Reduce the costs and resources for implementing compliance.
  • Manage hardening baselines for your entire infrastructure from a single point.
  • Avoid configuration drift and repeated hardening processes.


FAQs

What role do NCUA and FFIEC play in cybersecurity regulations?
The NCUA regulates credit unions, while the FFIEC sets industry-wide cybersecurity guidelines for financial institutions.
Why is server hardening important for NCUA and FFIEC compliance?
Secure server configurations reduce vulnerabilities, help meet regulatory expectations, and protect sensitive financial data.
How do FFIEC guidelines align with NCUA requirements?
Both emphasize risk management, strong security controls, and alignment with best practices such as CIS Benchmarks.
What are the risks of not hardening servers under these regulations?
Unhardened servers increase exposure to cyberattacks, regulatory penalties, and potential operational disruptions.
How can automation support compliance with NCUA and FFIEC standards?
Automated server hardening ensures continuous compliance, reduces manual errors, and streamlines audit readiness.
Jonny Gold
Jonathan Gold has over twenty-five years of experience working in the software industry. Over his career, he has worked in documentation, support, software development, content creation, and marketing. He has also worked in large enterprises, medium-sized businesses, and startups, in a diverse range of market sectors, including enterprise software, cybersecurity, and fintech.
