AWS Public Sector Blog

How credit unions can evaluate their FFIEC, NCUA cyber compliance using AWS

Note: Security and compliance is a shared responsibility between AWS and the customer. The Shared Responsibility Model can help relieve a customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities where the service operates. The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of any AWS security products. This blog post is provided for information purposes only and is not part of, and does not modify, any agreement between AWS and any customer. Customers are responsible for managing their own compliance with FFIEC, NCUA, and other requirements.


Credit unions face unique security, regulatory, and compliance obligations. These requirements mean that a sound cybersecurity posture is essential for credit unions across both cloud workloads and on-premises technology. Amazon Web Services (AWS) can help credit unions prepare for audits, assess security posture, and produce documentation for state or federal regulators.

This blog post outlines how credit unions can use AWS to evaluate their compliance with Federal Financial Institutions Examination Council (FFIEC) and National Credit Union Administration (NCUA) requirements.

Supporting FFIEC, NCUA compliance with AWS services

Credit unions can use the following AWS services to evaluate their compliance with FFIEC and NCUA cyber requirements. Each service can be used on its own for its respective purpose, but using them together typically gives a customer the most comprehensive evaluation of their FFIEC and NCUA compliance. Figure 1 shows a high-level architecture for evaluating workloads for FFIEC and NCUA compliance.

Figure 1. Architectural diagram of the AWS-native solution described in this blog, including AWS Config, AWS Identity and Access Management (IAM), AWS Security Hub, and AWS Audit Manager.

For a step-by-step guide on enabling AWS Config, AWS Identity and Access Management (IAM), AWS Security Hub, and AWS Audit Manager, complete the no-cost Evaluating FFIEC Compliance with AWS workshop.

To build an AWS-powered solution to evaluate your compliance states, consider the following:

Pick the right audit tool 

The NCUA developed the Automated Cybersecurity Evaluation Toolbox (ACET) based on the FFIEC’s Cybersecurity Assessment Tool (CAT) to help credit unions identify risks and evaluate their cybersecurity readiness. The NCUA aligns with the FFIEC in encouraging credit unions to adopt a standardized approach or tool, such as the ACET or the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), to prepare for an audit. Because AWS customers retain control of their guest operating systems, network settings, and traffic routing, they can use AWS tools to assess and audit those AWS resources; for example, AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) identifies resources that are accessible from outside the account.

Prepare with AWS Audit Manager

AWS Audit Manager provides prebuilt frameworks that are mapped to the Center for Internet Security’s (CIS) Critical Security Controls, the Payment Card Industry Data Security Standard (PCI DSS), and NIST standards (among others) to assist with audit preparation. Audit Manager automates evidence collection, which makes it simpler to assess whether an organization’s policies, procedures, and activities are operating effectively.

Continuously assess through AWS Security Hub

AWS Security Hub is a cloud security posture management service that performs automated, continuous security best practice checks against your AWS resources across Regions and accounts. Security Hub aggregates security findings from multiple AWS services and partner products into a centralized location so that it is simple to review and act on them. Security Hub evaluates resources against the security standards that the customer enables; available standards include the CIS AWS Foundations Benchmark and PCI DSS, among others. Security Hub findings can be remediated automatically through Amazon EventBridge, which matches a finding and triggers an action such as invoking an AWS Lambda function to remove unused IAM user credentials, publishing to an Amazon Simple Notification Service (Amazon SNS) topic for email reporting, or forwarding the finding to a third-party incident response and management tool. AWS also offers Automated Security Response on AWS, an open source solution that implements automated response and remediation.
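The Lambda remediation path mentioned above, as an added example that is not code from this post or from the Automated Security Response on AWS solution. It assumes an EventBridge rule forwards Security Hub findings for control IAM.8 (Unused IAM user credentials should be removed) to the function, and it reads the finding in the shape Security Hub delivers to EventBridge. The sample event, the user name, the access key IDs and the FakeIam client are constructed for demonstration, and the 90-day window is an assumed parameter. The handler deactivates stale keys rather than deleting them, so a false positive can be reversed, and it treats a key that has never been used as stale once its creation date falls outside the window.

```python
"""Deactivate stale IAM access keys in response to a Security Hub IAM.8 finding.

Added example (not from the post or an AWS-provided solution). The sample event,
key IDs and FakeIam client are constructed; MAX_UNUSED_DAYS is an assumption.
"""
import datetime as dt
from typing import Any

CONTROL_ID = "IAM.8"    # Security Hub control: unused IAM user credentials should be removed
MAX_UNUSED_DAYS = 90    # assumed window; align it with the control's own threshold


def is_unused_credential_finding(finding: dict[str, Any]) -> bool:
    """True for a FAILED IAM.8 finding, whichever field carries the control ID."""
    comp = finding.get("Compliance", {})
    control = comp.get("SecurityControlId") or finding.get("ProductFields", {}).get("ControlId")
    return control == CONTROL_ID and comp.get("Status") == "FAILED"


def iam_users_in_finding(finding: dict[str, Any]) -> list[str]:
    """Extract IAM user names from the finding's AwsIamUser resources (ARN fallback)."""
    users = []
    for res in finding.get("Resources", []):
        if res.get("Type") != "AwsIamUser":
            continue
        name = res.get("Details", {}).get("AwsIamUser", {}).get("UserName")
        name = name or res.get("Id", "").rsplit("/", 1)[-1]  # arn:aws:iam::111122223333:user/alice
        if name:
            users.append(name)
    return users


def stale_access_keys(iam, user_name: str, now: dt.datetime,
                      max_unused_days: int = MAX_UNUSED_DAYS) -> list[str]:
    """IDs of active keys not used within the window; never-used keys age from creation."""
    cutoff = now - dt.timedelta(days=max_unused_days)
    stale = []
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if key["Status"] != "Active":
            continue  # already deactivated
        used = iam.get_access_key_last_used(AccessKeyId=key["AccessKeyId"])["AccessKeyLastUsed"]
        last_used = used.get("LastUsedDate") or key["CreateDate"]  # no LastUsedDate if never used
        if last_used < cutoff:
            stale.append(key["AccessKeyId"])
    return stale


def remediate(event: dict[str, Any], iam, now: dt.datetime) -> dict[str, list[str]]:
    """Deactivate (not delete) stale keys for every user in matching findings; returns what changed."""
    actions: dict[str, list[str]] = {}
    for finding in event.get("detail", {}).get("findings", []):
        if not is_unused_credential_finding(finding):
            continue
        for user in iam_users_in_finding(finding):
            for key_id in stale_access_keys(iam, user, now):
                iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
                actions.setdefault(user, []).append(key_id)
    return actions


def lambda_handler(event, context):
    """Real entry point; boto3 is imported here so the logic above runs without it installed."""
    import boto3
    return remediate(event, boto3.client("iam"), dt.datetime.now(dt.timezone.utc))


# ---- Constructed sample data: not a real finding, account, user or key ----
NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [{
        "ProductFields": {"ControlId": "IAM.8"},
        "Compliance": {"Status": "FAILED", "SecurityControlId": "IAM.8"},
        "Resources": [{"Type": "AwsIamUser", "Id": "arn:aws:iam::123456789012:user/alice",
                       "Details": {"AwsIamUser": {"UserName": "alice"}}}],
    }]},
}


class FakeIam:
    """Stand-in for boto3's IAM client exposing the three calls used above."""
    def __init__(self):
        self.keys = {"alice": [
            {"AccessKeyId": "AKIAEXAMPLESTALE0001", "Status": "Active", "CreateDate": NOW - dt.timedelta(days=400)},
            {"AccessKeyId": "AKIAEXAMPLEFRESH0002", "Status": "Active", "CreateDate": NOW - dt.timedelta(days=200)},
            {"AccessKeyId": "AKIAEXAMPLEOLDINACT3", "Status": "Inactive", "CreateDate": NOW - dt.timedelta(days=500)},
        ]}
        self.last_used = {"AKIAEXAMPLEFRESH0002": NOW - dt.timedelta(days=3)}  # STALE0001 never used

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": list(self.keys.get(UserName, []))}

    def get_access_key_last_used(self, AccessKeyId):
        used = self.last_used.get(AccessKeyId)
        return {"AccessKeyLastUsed": {"LastUsedDate": used} if used else {}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for key in self.keys[UserName]:
            if key["AccessKeyId"] == AccessKeyId:
                key["Status"] = Status


if __name__ == "__main__":
    print(remediate(SAMPLE_EVENT, FakeIam(), NOW))  # {'alice': ['AKIAEXAMPLESTALE0001']}
```

Running the file exercises the logic against the fake client; when deployed, `lambda_handler` needs an execution role limited to `iam:ListAccessKeys`, `iam:GetAccessKeyLastUsed` and `iam:UpdateAccessKey`, and the recently used key in the sample shows why the function checks last use itself instead of trusting the finding's age alone.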

Deploy AWS Config conformance packs

AWS Config provides an AWS resource inventory, configuration history, and configuration change notifications. AWS Config offers a collection of rules and remediation actions that enable security and governance best practices. AWS Config conformance packs simplify deployment of AWS Config policies by deploying multiple rules and their remediation actions as a single unit. These conformance packs can neither replace your internal efforts nor guarantee that you will pass a compliance assessment, but they do help you continuously check resource configurations against the controls they map to.

Credit unions can use the AWS Config operational best practices for FFIEC conformance pack. This conformance pack provides sample mappings between the FFIEC CAT/NCUA ACET Inherent Risk Profile and Cybersecurity Maturity domains and AWS managed Config rules. Each AWS Config rule applies to a specific AWS resource and relates to one or more FFIEC CAT controls. Credit unions may aggregate AWS Config findings into Security Hub for a centralized view of security findings.

Extending AWS capabilities to on-premises when applicable

Credit union customers may opt for a hybrid cloud model, using both cloud and on-premises infrastructure. To evaluate on-premises resources for FFIEC and NCUA compliance, customers can aggregate security findings from AWS services and third-party integrations into Security Hub. From there, customers can identify on-premises servers that need remediation. Figure 2 depicts a high-level architecture to support the evaluation of on-premises resources for FFIEC and NCUA compliance.

Figure 2. Architecture diagram of extending AWS Security Hub and AWS Config security checks to an on-premises environment.

This architecture operates as follows:

  • An AWS Site-to-Site VPN establishes an encrypted connection between AWS and the on-premises environment.
  • An AWS Systems Manager Agent (SSM Agent) installed on the on-premises servers registers them as managed nodes and collects logs that are stored in Amazon CloudWatch.
  • Security Hub integrates with third-party products, such as those available in AWS Marketplace, and aggregates their findings for centralized viewing. EventBridge then triggers a custom action, such as invoking AWS Systems Manager Run Command to adjust the configuration of the on-premises servers and remediate security risks.
  • AWS CloudFormation registers the on-premises servers as custom resources in AWS. Once they are registered, AWS Config rules and conformance packs can be applied to them, and a non-compliant evaluation flows to EventBridge, which triggers the same Run Command remediation path used for Security Hub findings.
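The third-party aggregation in the list above works because any source can publish findings to Security Hub in the AWS Security Finding Format (ASFF) through the BatchImportFindings API, which is also how findings from on-premises tools without a built-in integration get in. The following added example (not code from this post or from any AWS Marketplace product) converts a constructed on-premises scanner result into an ASFF finding carrying every required field and imports it in API-sized batches. The scanner output format, the `onprem-scanner` generator name, the host name and the FakeSecurityHub client are assumptions made for illustration; the ProductArn uses the account's default custom product, which is what BatchImportFindings accepts for findings that do not come from an integrated product.

```python
"""Publish an on-premises scanner result to Security Hub as an ASFF finding.

Added example, not code from the post or from any AWS Marketplace integration.
The scanner output format, generator name and FakeSecurityHub client are
assumptions; SAMPLE_SCAN is constructed.
"""
import datetime as dt
import hashlib
from typing import Any

SEVERITY_LABELS = {"INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
BATCH_LIMIT = 100  # BatchImportFindings accepts at most 100 findings per call
NOW = dt.datetime(2024, 6, 1, 3, 0, tzinfo=dt.timezone.utc)  # fixed clock for the demo

# Constructed output of a hypothetical on-premises host scanner.
SAMPLE_SCAN = {
    "hostname": "core-db-01.cu.example",
    "check_id": "OS-PATCH-001",
    "title": "Critical OS patches missing",
    "description": "3 critical security updates have not been installed.",
    "severity": "high",
    "passed": False,
    "scanned_at": "2024-06-01T02:15:00Z",
}


def finding_id(account_id: str, scan: dict[str, Any]) -> str:
    """Deterministic ID: re-importing the same host/check updates the finding, not duplicates it."""
    digest = hashlib.sha256(f"{scan['hostname']}|{scan['check_id']}".encode()).hexdigest()[:32]
    return f"onprem/{account_id}/{digest}"


def to_asff(scan: dict[str, Any], account_id: str, region: str, now: dt.datetime) -> dict[str, Any]:
    """Map one scanner result to a finding with every field BatchImportFindings requires."""
    severity = scan["severity"].upper()
    if severity not in SEVERITY_LABELS:
        raise ValueError(f"unsupported severity {scan['severity']!r}")
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")  # ASFF timestamps are ISO 8601 in UTC
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id(account_id, scan),
        # Sources without an integrated product publish under the account's default product.
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": f"onprem-scanner/{scan['check_id']}",
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities"],
        "FirstObservedAt": scan["scanned_at"],
        "CreatedAt": stamp,
        "UpdatedAt": stamp,
        "Severity": {"Label": severity},
        "Title": scan["title"],
        "Description": scan["description"],
        # No AWS resource type describes an on-premises host, so it is recorded as "Other".
        "Resources": [{"Type": "Other", "Id": scan["hostname"], "Region": region}],
        "Compliance": {"Status": "PASSED" if scan["passed"] else "FAILED"},
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }


def import_findings(securityhub, findings: list[dict[str, Any]]) -> dict[str, int]:
    """Send findings in batches of BATCH_LIMIT and tally accepted versus rejected ones."""
    totals = {"imported": 0, "failed": 0}
    for start in range(0, len(findings), BATCH_LIMIT):
        resp = securityhub.batch_import_findings(Findings=findings[start:start + BATCH_LIMIT])
        totals["imported"] += resp["SuccessCount"]
        totals["failed"] += resp["FailedCount"]
        for failure in resp.get("FailedFindings", []):
            print(f"rejected {failure['Id']}: {failure['ErrorMessage']}")
    return totals


class FakeSecurityHub:
    """Stand-in for boto3's Security Hub client that enforces the required ASFF fields."""
    REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
                "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources")

    def __init__(self):
        self.store: dict[str, dict[str, Any]] = {}

    def batch_import_findings(self, Findings):
        failed = []
        for f in Findings:
            missing = [k for k in self.REQUIRED if k not in f]
            if missing:
                failed.append({"Id": f.get("Id", "?"), "ErrorCode": "InvalidInput",
                               "ErrorMessage": f"missing {', '.join(missing)}"})
            else:
                self.store[f["Id"]] = f  # same Id overwrites, like a real re-import
        return {"SuccessCount": len(Findings) - len(failed),
                "FailedCount": len(failed), "FailedFindings": failed}


if __name__ == "__main__":
    finding = to_asff(SAMPLE_SCAN, "123456789012", "us-east-1", NOW)
    print(import_findings(FakeSecurityHub(), [finding]))  # {'imported': 1, 'failed': 0}
```

Against a real account, pass `boto3.client("securityhub")` to `import_findings` from a principal allowed `securityhub:BatchImportFindings`; the deterministic `Id` is what lets a nightly scan update yesterday's finding instead of piling up duplicates, and `FailedFindings` is worth logging because Security Hub rejects an entire finding, not just the bad field.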

Stay current with NIST standards in the AWS Cloud 

The NCUA uses the NIST CSF as a basis for its assessments of a credit union’s cybersecurity maturity. The NIST CSF is a risk-based, outcome-focused framework designed to help commercial and public sector entities of any size manage cybersecurity risk. In March 2023, Security Hub launched support for NIST SP 800-53 Revision 5, NIST’s catalog of security and privacy controls, allowing customers to run automated checks against 121 security controls. The whitepaper Aligning to the NIST CSF in the AWS Cloud outlines how credit unions can map AWS Cloud resources to the NIST CSF. Staying current with these standards can help customers address compliance best practices in both their on-premises and AWS environments.

Conclusion

Maintaining regulatory compliance is essential for credit unions. While customers must still audit their AWS workloads to validate compliance with FFIEC and NCUA cyber requirements, AWS can make it simpler for credit union customers to evaluate their cloud and on-premises resources against those requirements and to be notified when a resource falls out of compliance so that it can be remediated.

Many credit unions rely on AWS to modernize their infrastructure, meet rapidly changing customer behaviors and expectations, and drive growth through innovation. By improving security, optimizing services, and enhancing member experiences, AWS empowers credit unions to differentiate themselves today and adapt to the needs of tomorrow. Learn more about digital transformation for credit unions at the AWS for Credit Unions hub. 

Do you have questions about how to evaluate regulatory compliance with AWS? If you’re an AWS customer, reach out to your AWS solutions architect or account manager to start building a roadmap. Otherwise, contact the AWS public sector sales team directly for more information.

For more about how AWS helps nonprofits achieve their missions, visit the AWS for Nonprofits hub.