FFIEC / NCUA
Compliance Guide

FFIEC / NCUA Penetration Testing Requirements and How Sprocket Security Satisfies Them

The FFIEC IT Handbook and NCUA 12 CFR Part 748 establish examiner expectations for information security programs at banks, credit unions, and other financial institutions. Penetration testing is a core component of demonstrating a mature, risk-based security posture.

FFIEC IT Handbook & NCUA Part 748: the primary regulatory sources governing penetration testing and technical security assessments for U.S. financial institutions and federally insured credit unions.

Annual (risk-based): examiners expect testing frequency to reflect the institution's risk profile. Higher-risk institutions face expectations of more frequent, broader-scope testing.

64% of financial institution network perimeter engagements uncover a critical or high-severity finding on first test.

The Requirement

What FFIEC / NCUA Actually Requires

The FFIEC and NCUA don't hand you a checklist. They hand your examiners a set of expectations, and then they grade your program against them during an exam. Understanding what "adequate" penetration testing looks like in examiner terms is the difference between a clean report and a stack of Matters Requiring Attention.

Each requirement below is followed by what it means in practice and how Sprocket satisfies it.

Independent Testing
What it means in practice: The FFIEC Information Security booklet explicitly calls for penetration testing conducted by qualified, independent parties to simulate real-world attacks against the institution's network and systems. Testing must reflect the institution's risk profile and be performed with sufficient scope to validate control effectiveness.
How Sprocket satisfies the requirement: Sprocket provides fully independent penetration testing conducted by certified operators with no connection to the institution's internal security team. Every engagement follows a documented methodology and produces a structured report examiners can review directly.

Vulnerability Assessment
What it means in practice: Institutions must regularly identify and remediate vulnerabilities across their environment. Examiners distinguish between automated scanning (necessary but insufficient) and genuine adversarial penetration testing. Both are expected at mature institutions.
How Sprocket satisfies the requirement: Sprocket's continuous model combines automated attack surface monitoring with human-led adversarial testing, giving institutions both coverage breadth and depth of exploitation. Findings are tracked in a live dashboard with remediation status, not buried in a static PDF.

NCUA 12 CFR Part 748
What it means in practice: Federally insured credit unions must maintain a written information security program that includes ongoing risk assessment, controls testing, and response planning. NCUA examiners use the FFIEC IT Handbook as their assessment framework, making the booklet's penetration testing expectations directly applicable to credit unions.
How Sprocket satisfies the requirement: Sprocket engagements produce a complete evidence package: scope documentation, methodology attestation, technical findings with severity ratings, and a remediation record. These are the components an NCUA examiner expects to see when reviewing an institution's security program.

FFIEC Cybersecurity Assessment Tool (CAT)
What it means in practice: The CAT maps penetration testing to the "Innovative" maturity tier for threat intelligence and testing practices. Institutions self-assessing at Intermediate or above are expected to demonstrate regular adversarial testing, not just annual scans.
How Sprocket satisfies the requirement: Sprocket's continuous testing cadence positions institutions at the Innovative maturity level for adversarial testing practices in the CAT, with on-demand evidence to support self-assessments and examiner review.

FFIEC Vendor Management Guidance
What it means in practice: Third-party service providers must be included in the institution's overall risk assessment. Examiners expect security testing to account for vendor access paths and integrations, not just the institution's own perimeter.
How Sprocket satisfies the requirement: Sprocket's attack surface management includes external exposure from third-party integrations and vendor access paths. Targeted vendor-access testing is scoped as part of broader FFIEC engagements where examiner scrutiny of third-party risk is elevated.

NCUA Supervisory Priorities
What it means in practice: NCUA examination letters consistently identify cybersecurity as a top supervisory priority, with specific attention to whether credit unions are conducting meaningful technical security assessments and remediating findings on documented timelines.
How Sprocket satisfies the requirement: Sprocket's remediation tracking and re-test workflow closes the loop examiners want to see: finding identified, remediation tracked, control re-tested and verified. That cycle is documented and exportable before the exam team arrives.

Why Continuous Testing

Benefits of Continuous Penetration Testing For FFIEC / NCUA Compliance

Examiner-ready evidence, always current.

Sprocket's live dashboard gives your security and compliance teams exportable evidence of ongoing testing activity, remediation status, and control validation. No PDF dated eleven months ago.

MRA closure before the exam.

When findings are identified continuously and remediated on a documented timeline, institutions arrive at examinations with a track record of proactive risk management, not a list of issues to explain.

Scope that reflects your actual risk profile.

Examiners expect testing scope to match the institution's risk environment. Sprocket's continuous model expands naturally as your environment grows. New systems, new integrations, and new vendor relationships are incorporated without waiting for the next annual engagement.

Defensible board-level reporting.

Board members are increasingly named in FFIEC and NCUA exam discussions on cybersecurity governance. Sprocket produces executive-ready summaries that give boards and audit committees substantive security posture reporting, not just a clean/pass attestation.

Vendor and third-party coverage.

FFIEC examiners explicitly expect institutions to understand and test the risk their vendors introduce. Sprocket's external attack surface monitoring includes third-party exposure, giving institutions a view of their environment the way an attacker and an examiner would see it.

Remediation documentation that survives scrutiny.

Every finding Sprocket identifies includes severity, exploitability context, and remediation guidance. When a finding is remediated and re-tested, the record is preserved, giving examiners the audit trail they want and protecting the institution if a gap is later questioned.

What we find

Common FFIEC / NCUA Findings Sprocket Surfaces

Critical: Core Banking System Accessible via Flat Network from Compromised Branch Workstation

Branch workstations, ATM management terminals, and back-office endpoints share a flat network with core banking infrastructure. No network segmentation separates teller workstations from the systems processing loan origination, wire transfers, and account maintenance. A single compromised endpoint in any branch location provides direct TCP access to core banking APIs without traversing a firewall or authentication boundary.

High: Online Banking Authentication Bypass via Legacy Password Reset Flow

The institution's online banking platform implements strong MFA for primary login but maintains a legacy password reset flow — accessible via a separate subdomain — that authenticates users via knowledge-based questions (KBA) and SMS OTP only, without requiring the enrolled MFA device. The reset flow accepts account numbers and date of birth as identity verification, both fields routinely available from breach databases and social media. A successful password reset disables MFA enrollment on the account.

FAQ

FFIEC / NCUA Penetration Testing — Frequently Asked Questions

Does FFIEC or NCUA explicitly require penetration testing, or is it just a best practice?

The FFIEC Information Security Booklet explicitly calls for penetration testing by qualified, independent parties as a component of an effective information security program. This is examiner expectation, not optional guidance. For credit unions, NCUA examiners use the FFIEC IT Handbook as their assessment framework, making that expectation directly applicable. Institutions that present only automated scanning without adversarial testing consistently receive examiner findings on program adequacy.

How often do examiners expect penetration testing to occur?

The FFIEC framework is risk-based rather than prescriptive. It doesn't set a fixed annual cadence in statute. In practice, examiners expect testing frequency to reflect the institution's risk profile: size, complexity, third-party dependencies, and recent changes to the environment. For most institutions, annual testing is the floor, and any significant infrastructure change, acquisition, or new product launch triggers an expectation of additional testing. Sprocket's continuous model satisfies the risk-based expectation across all institution profiles.

What does "independent" mean in the FFIEC context?

Examiners expect organizational independence from the systems being tested, meaning the testers should not be the same individuals or teams responsible for building, operating, or managing the environment under test. Internal security teams can conduct some components of a security testing program, but penetration testing performed by an external third party carries more weight with examiners, particularly at institutions above $1B in assets or those with elevated risk profiles.

Our exam is coming up in three months. Is it too late to get useful penetration testing results?

No. Getting a test on record before the exam is significantly better than arriving without one. Sprocket can scope and launch an engagement quickly. Even if not all findings are remediated before the exam, an institution that has conducted testing, documented findings, and established a remediation timeline demonstrates a materially stronger security posture than one without current testing evidence. Examiners respond differently to institutions that show they've identified and are actively managing risk versus those where gaps are discovered during the exam itself.

How do I map Sprocket's findings to the FFIEC Cybersecurity Assessment Tool (CAT)?

The CAT maps specific security practices to maturity levels across five domains. Sprocket's engagement reports include findings and control observations that map to the CAT's Risk Management and Oversight and Cybersecurity Controls domains, particularly the Threat Intelligence and Testing baseline and evolving statements. Sprocket can provide CAT-aligned output as part of the engagement deliverables to support your self-assessment documentation.

What happens if Sprocket finds a critical vulnerability right before an exam?

You're better off finding it than having an examiner or attacker find it first. A critical finding before an exam, with a documented remediation plan and evidence of active response, demonstrates exactly the kind of proactive security program examiners want to see. Sprocket's remediation tracking workflow documents the discovery, severity rating, response timeline, and re-test verification, giving your compliance team the complete record to present during the examination.

Ready to See Your Real Exposure?

Get a quote for continuous penetration testing tailored to your environment.