Credit unions · member data · exam-ready evidence

NCUA 748 compliance without the last-minute exam scramble

12 CFR Part 748 requires credit unions to maintain a board-approved information security program, support annual certification, oversee vendors, and keep independent testing evidence ready for examiners. BlackSheep gives your team one operating system for the full NCUA 748 workflow.

$249/month · Built for regulated teams · No credit card to start

  • 1: Board-approved program
  • Annual: Executive certification cycle
  • Independent: Testing evidence expected
  • Ongoing: Vendor and remediation oversight

What NCUA 748 actually expects from your team

The regulation is not just a policy requirement. It creates an operating burden across governance, testing, response, and third-party oversight.

Board-approved information security program

12 CFR Part 748 expects a written program tailored to your credit union's size, services, and member-data exposure — not a generic template sitting in a shared drive.

  • Document administrative, technical, and physical safeguards
  • Map controls to member-information risks and operations
  • Track board approval and material updates

Annual certification and executive accountability

Your president or CEO certifies to NCUA that the program is in place and compliant. That means leadership needs a current system of record, not scattered spreadsheets and stale policy files.

  • Maintain a defensible certification package
  • Surface overdue remediation before attestation time
  • Show evidence behind each signed statement

Independent testing and exam-ready evidence

Credit unions need regular independent testing of key controls, systems, and procedures. Examiners will ask to see the latest results and what you did about them.

  • Store testing results and remediation follow-up in one place
  • Track ownership, due dates, and evidence uploads
  • Keep historical proof for repeat exams and audits

Common Part 748 gaps that slow credit union teams down

Most exam pain comes from fragmented evidence, weak follow-through, and workflows that live outside the actual compliance system.

Vendor oversight gaps

Service providers with access to member information need documented due diligence, contractual protections, and ongoing oversight.

Incident response and reporting drift

Part 748 response programs need documented containment, notification, and evidence preservation steps that hold up under pressure.

Board reporting without evidence

Board packets often summarize status but cannot prove which controls, tests, and approvals support the certification story.

Keep evaluating:

Check your current gaps or see how BlackSheep supports credit union workflows tied to NCUA 748 requirements.

Common questions about NCUA 748 compliance

What is the difference between NCUA 748 and 12 CFR Part 748?

They refer to the same core credit union information security requirement. Teams often say NCUA 748 conversationally, while the regulation itself is published as 12 CFR Part 748.

Does every federally insured credit union need a written information security program?

Yes. The program must be written, appropriate to the institution's size and complexity, and supported by risk assessments, safeguards, service-provider oversight, and regular updates.

What should a credit union keep ready for its next exam?

Keep the latest board-approved program, supporting risk assessments, service-provider oversight records, annual certification support, independent testing results, and remediation evidence ready to produce quickly.

How does BlackSheep help with NCUA 748?

BlackSheep gives credit unions one place to manage policies, evidence, risks, vendors, testing follow-up, and board-ready reporting so certification and exam prep are repeatable instead of last-minute fire drills.

Run NCUA 748 in one system instead of across scattered docs

Build a board-approved information security program, keep annual certification support current, track independent testing follow-up, and show exam-ready evidence without the usual scramble.

$249/month. 30-day money-back guarantee.