What Does 12 CFR Part 748 Require for Credit Union Information Security Programs?
Part 748 is the regulation that governs how every federally insured credit union protects member information. It is not optional, it is not limited to large institutions, and NCUA examiners check for compliance at every exam. Here is what the regulation actually requires.
The core requirement: a written information security program
12 CFR Part 748, Appendix A implements the Gramm-Leach-Bliley Act (GLBA) information security requirements for credit unions. The regulation requires every federally insured credit union to develop, implement, and maintain a comprehensive written information security program (ISP) that includes administrative, technical, and physical safeguards appropriate to the credit union's size, complexity, and the nature of its activities.
"Written" is not a suggestion. An unwritten understanding that "IT handles security" is not a program. A collection of vendor brochures describing the firewall you purchased is not a program. NCUA expects a document that your board has reviewed, approved, and that staff can reference to understand their responsibilities.
What the ISP must contain
The regulation and its appendix require the ISP to address specific elements:
- Designation of a qualified individual. Someone must be responsible for coordinating the information security program. This does not have to be a dedicated CISO — at smaller credit unions it is often the CEO, COO, or IT manager — but the responsibility must be explicitly assigned and documented.
- Risk assessment. The ISP must be based on an assessment of reasonably foreseeable internal and external threats to the security, confidentiality, and integrity of member information. The assessment must evaluate the likelihood and potential damage of these threats and assess the sufficiency of current safeguards.
- Safeguards. Based on the risk assessment, the program must include safeguards to control the identified risks. These must cover employee training and management, information systems (access controls, encryption, monitoring), and detection and response to attacks, intrusions, or system failures.
- Service provider oversight. The ISP must address how the credit union selects and oversees third-party service providers that have access to member information. This includes due diligence before engagement and contractual requirements for the provider to maintain appropriate safeguards.
- Program updates. The ISP is not a one-time document. It must be adjusted based on testing results, changes to the credit union's operations, or other circumstances that may have a material impact on the program.
Board approval and annual certification
Part 748 places explicit governance requirements on the board of directors. The board must:
- Approve the initial written information security program
- Approve material changes to the program
- Receive regular reports on the overall status of the program and compliance
Additionally, the credit union's president or chief executive officer must certify annually to NCUA that the credit union has a written ISP in place that complies with Part 748. This certification is not a formality. Certifying compliance when the program is deficient creates personal accountability.
Independent testing requirements
Part 748 requires regular testing of key controls, systems, and procedures of the information security program. The testing must be independent — meaning it cannot be performed by the same people who designed or manage the controls being tested.
For most credit unions, this means one of two approaches:
- External assessment. Hiring a qualified third party to test your controls. This is the most common approach and provides the clearest independence.
- Internal audit. If your credit union has an internal audit function that is independent of IT and information security management, internal audit staff can perform the testing. At smaller credit unions, true independence is difficult to achieve internally.
NCUA examiners will ask to see the results of your most recent independent testing. If you cannot produce them, that is an immediate finding.
Incident response and reporting
Part 748 also includes requirements for responding to security incidents. Credit unions must develop and implement response programs that address:
- Assessment of the nature and scope of the incident
- Notification to appropriate parties, including NCUA and affected members when required
- Containment and remediation measures
- Preservation of evidence for investigation
Under NCUA rules, credit unions must report cyber incidents to NCUA within 72 hours of determining that a reportable incident has occurred. The bar for "reportable" is lower than many credit unions assume — it includes incidents that could impact the credit union's ability to deliver services, even if no member data was compromised.
Common compliance gaps
Based on NCUA examination findings, the most frequent deficiencies include:
- No written ISP at all, or a generic template that has never been customized to the credit union's actual environment
- Risk assessments that are outdated or do not cover all systems handling member information
- No evidence of board approval or annual certification
- No independent testing, or "testing" that consists only of a vulnerability scan without assessment of controls
- Service provider contracts that lack required security provisions
How BlackSheep helps
BlackSheep's credit union compliance platform is built around the requirements of 12 CFR Part 748. It provides a structured ISP template tailored to your credit union's size and services, guided risk assessments, vendor management tracking, independent testing documentation, and board-ready compliance reports — including the annual certification documentation your president needs.
The goal is to make Part 748 compliance manageable without a dedicated compliance staff.
Build your Part 748 information security program the right way.
Start your compliance program with BlackSheep