Building a Compliant IT Framework for Community Banks and Credit Unions

Justin Kirsch | 11 min read

A single failed FFIEC examination costs the average community bank or credit union between $50,000 and $250,000 in remediation. That figure does not count the operational drag while your IT team scrambles to fix findings instead of supporting the business. The FFIEC sunset its Cybersecurity Assessment Tool (CAT) on August 31, 2025, directing financial institutions toward NIST CSF 2.0 and CIS Controls as the new baseline. If your IT framework has not caught up, examiners will notice.

Building a compliant IT framework is not about checking boxes on a spreadsheet once a year. It is about wiring compliance into the infrastructure so your systems stay audit-ready between examinations, not just during them.

This guide breaks down what bank and credit union IT teams need to build, maintain, and prove to regulators in 2026.

739 data compromises hit the financial services sector in 2025, more than any other industry for the second consecutive year. Source: Identity Theft Resource Center, 2025 Annual Data Breach Report

The Regulatory Landscape Banks and Credit Unions Face in 2026

Community banks and credit unions operate under overlapping federal and state regulations. The Gramm-Leach-Bliley Act (GLBA) sets the federal floor. The FFIEC's Interagency Guidelines Establishing Information Security Standards (12 CFR Parts 30, 364, and 748) define what examiners expect. State regulators add their own layers, and enforcement is accelerating.

The biggest shift in 2025-2026 is the post-CAT compliance framework. The FFIEC retired the CAT and now points institutions toward three alternatives:

  • NIST Cybersecurity Framework 2.0 with its six core functions: Govern, Identify, Protect, Detect, Respond, Recover
  • CISA Cybersecurity Performance Goals (CPGs) including sector-specific targets for financial services
  • CIS Controls v8.1 providing prioritized technical safeguards ranked by implementation group

For credit unions specifically, the NCUA lists cybersecurity as its top 2026 supervisory priority. Examiners are reviewing how credit unions identify, measure, monitor, and control risks through sound modeling practices. The NCUA Board also requires federally insured credit unions to report substantial cyber incidents within 72 hours of discovery, a timeline that demands detection capabilities far beyond annual assessments.

For community banks, the OCC and FDIC expect documented alignment with one of the FFIEC-endorsed frameworks, evidence of continuous monitoring, and current risk assessments. The FSOC's 2025 Annual Report flags cyber risk at financial institutions as a key systemic concern, with expanded third-party service provider examinations on the horizon.

Why This Matters Right Now

The FFIEC's retirement of the Cybersecurity Assessment Tool is not a relaxation of standards; it is an escalation. The CAT was a static self-assessment. The replacement frameworks (NIST CSF 2.0, CIS Controls, CISA CPGs) demand ongoing monitoring, documented evidence of continuous improvement, and risk assessments tied to your specific environment. Financial institutions that built their compliance programs around the CAT five years ago are now operating on an outdated foundation that examiners will flag.

Five Pillars of a Compliant IT Framework for Financial Institutions

A compliant IT framework for banks and credit unions rests on five pillars. Skip one, and the whole structure wobbles during an exam.

[Figure: Compliant IT Framework on Microsoft 365 for community banks and credit unions. Six control domains: Identity and Access via Microsoft Entra ID; Data Protection via Microsoft Purview; Endpoint Security via Microsoft Defender for Endpoint and Microsoft Intune; Email and Collaboration via Microsoft Defender for Office 365; Audit and Governance via Microsoft Purview Audit Premium and Microsoft Sentinel; Vendor Risk via Microsoft Service Trust Portal. Anchored to the FFIEC IT Examination Handbook, NCUA Part 748, OCC guidance, and the GLBA Safeguards Rule.]
The Compliant IT Framework on Microsoft 365 for community banks and credit unions. Source: Microsoft Learn, FFIEC IT Handbook, NCUA Part 748, 2026.

1. Identity and Access Management

Every compliance framework starts with controlling who can access what. For financial institutions handling customer PII, Social Security numbers, account credentials, and financial records, weak access controls are the fastest path to a finding.

The technical requirements include:

  • Multi-factor authentication (MFA) on all systems that touch customer data, including your core banking system, document management, and email
  • Conditional Access policies that block legacy authentication protocols and enforce device compliance
  • Role-based access control (RBAC) so tellers see transaction data, not HR records
  • Privileged access management for admin accounts, with time-limited elevation and full audit logging

Microsoft Entra ID handles all four when configured correctly. The gap most institutions face is not missing tools. It is incomplete configuration. Your tenant has the capabilities. The question is whether someone has turned them on and tested them.

2. Data Protection and Encryption

GLBA and the Interagency Guidelines explicitly require protection of customer information both in transit and at rest. That means TLS 1.2 or higher for all data transmission and AES-256 encryption for stored data.

Practical steps for banks and credit unions:

  • Enable BitLocker on all endpoints through Intune device compliance policies
  • Configure Data Loss Prevention (DLP) policies in Microsoft Purview to prevent customer SSNs and account numbers from leaving the organization via email or file sharing
  • Set sensitivity labels for regulated documents so they are encrypted and tracked throughout their lifecycle
  • Verify your core banking vendor's encryption standards. If data transits unencrypted between your network and their systems, that is a finding waiting to happen.
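The DLP step above, as an added example that is not part of the original article: a Purview DLP policy and rule that block email and file sharing of U.S. SSNs and bank account numbers to recipients outside the organization, created in test mode first so the match reports can be reviewed before enforcement. It assumes the Exchange Online Management module (Connect-IPPSSession) and a Compliance Administrator role; the policy and rule names are placeholders.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds a compliance admin role.
Connect-IPPSSession

$policyName = "FI - Customer PII leaving the org"   # placeholder name

# Policy scope: Exchange mail plus SharePoint and OneDrive file sharing.
# Mode TestWithNotifications records matches and warns users without blocking;
# switch to Enable after the match report has been reviewed.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications `
    -Comment "GLBA / Interagency Guidelines: customer NPI must not leave the institution unprotected"

# Built-in sensitive information types; minCount=1 fires on a single SSN or account number.
$sensitiveTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "U.S. Bank Account Number";          minCount = "1" }
)

# Rule: only content shared with people outside the organization is in scope,
# access is blocked, the sender/owner is notified, and a report goes to the ISO.
New-DlpComplianceRule -Name "$policyName - block external" -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport "iso@example.invalid" `   # placeholder mailbox
    -IncidentReportContent @("Title","Detections","Service","Severity")

# Evidence check: list the policy and its mode for the compliance dashboard.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
```

Leave the policy in test mode for at least one reporting cycle; the DLP match report it produces is the evidence examiners ask for in the Data Protection domain.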

How Does Your IT Framework Measure Up Against NIST CSF 2.0?

The FFIEC CAT is gone. If your framework was built around the old assessment model, gaps are already accumulating.

3. Continuous Monitoring and Threat Detection

Annual penetration tests are not enough anymore. The NIST CSF 2.0 Detect function expects continuous monitoring with automated alerting. For financial institutions, that means real-time visibility into:

  • Sign-in anomalies and impossible travel detections
  • Changes to Conditional Access policies or admin role assignments
  • External sharing of sensitive documents
  • Endpoint compliance drift (devices falling out of compliance with Intune policies)
  • Email authentication failures (SPF, DKIM, DMARC)

Microsoft Defender for Office 365 and Defender for Endpoint provide the detection layer. Microsoft Sentinel can aggregate alerts across your environment. The challenge for community banks and credit unions is having someone watching the dashboard. Alerts that fire into an unmonitored inbox are worse than no alerts at all because examiners will ask to see your response logs.

4. Incident Response and Business Continuity

FFIEC guidance and NCUA Part 748 require documented incident response plans that specifically address cyber events. Examiners want to see three things:

  • A written incident response plan that names roles, escalation procedures, and communication templates
  • Tabletop exercises conducted at least annually, with documented results and corrective actions
  • Backup and recovery testing proving you can restore customer data and resume operations within your stated recovery time objective (RTO)

The common failure point is testing. Many financial institutions have an incident response plan in a binder on a shelf. They have never run it. When examiners ask "When did you last test your IR plan?" the answer cannot be "never."

5. Vendor Risk Management

Banks and credit unions rely on dozens of third-party vendors: core banking platforms, card processors, online banking providers, document management services, and IT providers. Each vendor with access to customer data extends your compliance boundary.

30% of all data breaches in 2025 involved a third-party vendor or supply chain compromise, double the rate from 2021. Source: Verizon 2025 Data Breach Investigations Report

A compliant vendor management program includes:

  • Due diligence questionnaires for every vendor with data access
  • Annual SOC 2 report reviews (or equivalent attestations)
  • Contractual requirements for breach notification timelines
  • Access reviews confirming vendors only reach systems they need

The FFIEC's updated guidance specifically calls out concentration risk. If your core banking system, email, file storage, and security tools all run on the same cloud provider, examiners want to see how you have assessed and mitigated that concentration.

The Cost of Getting It Wrong

Compliance failures at financial institutions carry compounding consequences. The direct costs are measurable. The indirect costs (operational disruption, reputational damage, lost depositors) are harder to quantify but often larger.

$6.08M average total cost of a data breach in financial services, 22% above the global average and the second most expensive industry. Source: IBM / Ponemon Institute, Cost of a Data Breach Report, 2024

That $6.08 million figure includes detection, notification, lost business, and post-breach response costs. But for banks and credit unions, the damage extends further:

  • Examination findings require documented remediation plans with deadlines. Your IT team stops building and starts fixing. Operations slow while system changes are tested and deployed.
  • NCUA enforcement for credit unions can include cease-and-desist orders, civil money penalties, and conservatorship in extreme cases. The NCUA's 72-hour reporting requirement means a breach triggers immediate regulatory scrutiny.
  • OCC and FDIC enforcement for banks includes consent orders, civil money penalties, and formal enforcement actions that become public record, visible to customers, competitors, and potential acquirers.
  • Cyber insurance implications. Carriers are tightening underwriting requirements. A failed exam or compliance gap can increase premiums, reduce coverage limits, or trigger policy exclusions that leave the institution exposed.

The average breach lifecycle in financial services is 219 days from intrusion to containment. For community banks and credit unions without mature detection capabilities, the actual lifecycle is likely longer. Organizations using AI-assisted detection reduced that lifecycle by 80 days and saved $1.9 million per breach compared to those without.

"The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats. CSF 2.0 is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve."

Laurie E. Locascio, NIST Director, on the release of NIST CSF 2.0

219 days: average breach lifecycle in financial services before detection and containment

How Long Would a Breach Go Undetected in Your Environment?

Organizations with continuous monitoring and AI-assisted detection cut breach lifecycle by 80 days and saved $1.9 million per incident. ABT's security assessment identifies the detection gaps in your M365 tenant.

Building the Evidence Trail Examiners Actually Want

Compliance is not just about having controls. It is about proving they work. The IT framework needs to generate evidence automatically because manual compliance tracking breaks down at scale.

Automated Compliance Reporting

Microsoft 365 compliance tools can generate most of the evidence examiners request. The key reports include:

  • Microsoft Secure Score trending over time (shows continuous improvement, not just point-in-time snapshots)
  • Conditional Access sign-in logs showing MFA enforcement rates and blocked legacy auth attempts
  • DLP policy match reports demonstrating you are catching and blocking sensitive data leaks
  • Device compliance reports from Intune showing encryption status, OS patch levels, and policy adherence
  • Audit logs for admin actions, mailbox access, and SharePoint/OneDrive external sharing

The key is setting up these reports before an exam, not scrambling to pull them when you get the notification letter. Build a monthly compliance dashboard that your CISO or information security officer reviews. That review itself becomes evidence of governance.
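The Conditional Access sign-in evidence listed above (MFA enforcement rate, blocked legacy-auth attempts), as an added example that is not part of the original article: a Microsoft Graph PowerShell script that summarizes the last 30 days of Entra sign-in logs into a monthly evidence CSV. It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1 or P2 license (needed for 30-day sign-in log retention and Conditional Access), and that the legacy client labels match what your tenant's sign-in log shows.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph SDK
# is installed and the account has AuditLog.Read.All consent.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"

# Reporting window: trailing 30 days, expressed as the ISO 8601 UTC string Graph filters expect.
$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# clientAppUsed labels Entra assigns to legacy (non-modern-auth) protocols.
# Assumption: adjust if your tenant's sign-in log uses additional labels.
$legacyClients = @(
    "Exchange ActiveSync", "IMAP", "POP", "SMTP", "Authenticated SMTP",
    "Other clients", "Exchange Web Services", "AutoDiscover",
    "Offline Address Book", "Outlook Anywhere (RPC over HTTP)"
)

$total   = $signIns.Count
# authenticationRequirement tells whether MFA was required for that sign-in.
$mfa     = @($signIns | Where-Object { $_.AuthenticationRequirement -eq "multiFactorAuthentication" }).Count
$legacy  = @($signIns | Where-Object { $legacyClients -contains $_.ClientAppUsed })
# conditionalAccessStatus "failure" means a CA policy blocked the attempt.
$blocked = @($legacy | Where-Object { $_.ConditionalAccessStatus -eq "failure" }).Count
# Legacy attempts that Conditional Access did not stop and that actually succeeded.
$allowed = @($legacy | Where-Object { $_.ConditionalAccessStatus -ne "failure" -and $_.Status.ErrorCode -eq 0 })

$summary = [pscustomobject]@{
    PeriodStart         = $since
    TotalSignIns        = $total
    MfaRequiredPercent  = if ($total) { [math]::Round(100 * $mfa / $total, 1) } else { 0 }
    LegacyAuthAttempts  = $legacy.Count
    LegacyAuthBlocked   = $blocked
    LegacyAuthSucceeded = $allowed.Count   # anything above zero is a finding waiting to happen
}
$summary | Export-Csv -Path ".\signin-evidence-$(Get-Date -Format yyyyMM).csv" -NoTypeInformation
$summary

# Remediation list: which accounts and protocols still get through.
$allowed | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

On a large tenant replace -All with a -Top value or a narrower date filter; the CSV per month, plus the dated review sign-off, is the Secure Score style trend examiners ask for.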

Policy Documentation That Passes Muster

Examiners read policies. They compare what the policy says to what the system actually does. The fastest way to fail an exam is having a policy that describes controls you have not implemented.

Write policies that match your actual environment. If your policy says "all endpoints are encrypted" but Intune shows 15% non-compliant devices, that is a finding. Update the policy to reflect reality, then close the gap.

Essential policy documents for financial institutions:

  • Information Security Policy (umbrella document covering all controls)
  • Acceptable Use Policy
  • Incident Response Plan
  • Business Continuity and Disaster Recovery Plan
  • Vendor Management Policy
  • Data Classification and Handling Policy
  • Change Management Policy

Common IT Framework Gaps That Trigger Examination Findings

After working with hundreds of financial institutions on compliance readiness, certain patterns emerge. These gaps show up repeatedly across banks and credit unions of all sizes.

Legacy authentication still enabled. Legacy authentication protocols (POP3, IMAP, SMTP basic auth) bypass MFA entirely. Microsoft has deprecated them, but many tenants still allow them for "that one application" or "that one executive's old email client." Examiners check. Block legacy auth through Conditional Access. No exceptions.
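The legacy-authentication block recommended above, as an added example that is not part of the original article: a Conditional Access policy created through Microsoft Graph PowerShell that blocks legacy clients for all users, deployed in report-only mode first so the sign-in logs reveal "that one application" before it is enforced. It assumes the Microsoft.Graph PowerShell SDK and a role that can manage Conditional Access; the break-glass account ID is a placeholder.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph SDK
# is installed and the signed-in admin can write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Placeholder: object ID of the tenant's emergency access (break-glass) account.
# Excluding it prevents a policy mistake from locking every admin out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Block legacy authentication - all users"
    # Report-only: evaluated and logged, not enforced. Switch to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Entra classifies legacy protocols under these two client app types:
        # Exchange ActiveSync, and "other" (POP3, IMAP, SMTP basic auth, older Office clients).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# After the report-only sign-in log shows no legitimate legacy clients remain, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Keep the report-only period short and documented: the log of what the policy would have blocked, followed by the dated change to enforced, is exactly the evidence trail an examiner expects for this control.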

No centralized logging. Workstations generate security events. Your core banking system generates audit logs. Your email system generates sign-in data. If none of it feeds into a centralized view, you cannot demonstrate the continuous monitoring that NIST CSF 2.0 requires. Microsoft Sentinel or a similar SIEM tool centralizes these feeds.

Patch management gaps. FFIEC guidance requires timely patching. "Timely" in practice means critical patches within 14 days, high-severity within 30 days. Intune can enforce Windows Update compliance deadlines. The problem arises with line-of-business applications your core banking vendor patches on their own schedule.

Missing or stale risk assessments. Every compliance framework requires a current risk assessment. "Current" means updated annually at minimum, or whenever significant changes occur (new core banking platform, branch relocation, merger or acquisition). A risk assessment from 2023 will not satisfy a 2026 examiner.

Inadequate training documentation. Staff training on security awareness and compliance is required by GLBA and FFIEC guidance. The gap is usually not the training itself. It is the documentation. Keep completion records, test scores, and training dates in a system you can query when examiners ask.

NIST CSF 2.0 vs. CIS Controls vs. CISA CPGs: Which Framework Fits Your Institution

With the CAT retired, financial institutions must choose a replacement framework. Each option serves a different organizational profile.

Dimension | NIST CSF 2.0 | CIS Controls v8.1 | CISA CPGs 2.0
Best for | Mid-to-large institutions with compliance staff | Smaller institutions wanting prioritized quick wins | Institutions needing minimal-baseline coverage
Structure | 6 functions, 22 categories, 106 subcategories | 18 controls, 153 safeguards in 3 implementation groups | 37 cross-sector goals + sector-specific additions
Adoption rate (FIs) | 81% partial or full | Wide but less documented | 9% as primary framework
Examiner recognition | Highest; FFIEC primary recommendation | Accepted by most examiners | Growing but newer
Implementation effort | High; requires mapping to your environment | Medium; prescriptive and actionable | Low; designed as floor, not ceiling
Regulatory mapping | Strong; maps to FFIEC, GLBA, NCUA, FDIC | Good; maps to NIST CSF, PCI DSS | Limited; newer framework

Most financial institutions will end up with NIST CSF 2.0 as the primary framework, supplemented by CIS Controls for implementation prioritization. The CIS Controls' three implementation groups (IG1, IG2, IG3) provide a natural roadmap: IG1 covers essential cyber hygiene that every institution needs, IG2 adds controls for organizations managing sensitive data, and IG3 covers advanced threats. A community bank or credit union should target IG2 compliance as the baseline.

Whichever framework you choose, document the decision, the rationale, and the mapping to your specific regulatory obligations. Examiners do not require a specific framework. They require a defensible choice backed by evidence.

Why In-House IT Alone Is Not Enough

Community banks and credit unions face a staffing problem. A full compliance program requires expertise in identity management, endpoint security, data protection, incident response, and vendor management. That is five specialties. Most institutions have an IT team of one to three people.

A managed service provider with financial services expertise fills the gap. The right partner brings:

  • Pre-built compliance configurations for Microsoft 365 that map to NIST CSF 2.0 and CIS Controls
  • 24/7 monitoring that your two-person IT team cannot provide
  • Exam preparation support including evidence gathering, policy review, and examiner response coordination
  • Continuous hardening that adapts as Microsoft releases new security features and as regulations change

The cost of a compliance-focused managed service provider is typically less than one additional full-time security engineer. The ROI becomes obvious the first time you pass an exam without findings. For financial institutions navigating the post-CAT framework transition, going beyond Microsoft Secure Score with a managed security program provides the operational context that turns compliance metrics into actual security posture.

A 90-Day IT Framework Hardening Plan

If your current framework has gaps, here is a prioritized 90-day plan to close the most common ones.

[Figure: Compliant IT Framework Implementation Checklist, a 90-day rollout for community banks and credit unions on Microsoft 365. Month 1, Foundation: Conditional Access, Intune enrollment, Purview Audit Premium. Month 2, Defense: Defender for Office 365 Safe Links and Safe Attachments, Defender for Endpoint, Defender for Identity. Month 3, Governance: Purview DLP, sensitivity labels, Microsoft Sentinel playbooks.]
The 90-day Compliant IT Framework rollout checklist. Source: Microsoft Learn, FFIEC IT Handbook, NCUA Part 748, 2026.

Days 1-30: Identity and access. Enable MFA for all users including service accounts where possible. Block legacy authentication via Conditional Access. Audit admin role assignments and remove unnecessary privileged access. Implement named Conditional Access policies (not just defaults) for each user group.

Days 31-60: Data protection and monitoring. Enable BitLocker enforcement through Intune compliance policies. Deploy DLP policies targeting SSNs, account numbers, and regulated customer data. Configure Microsoft Defender alerting and assign response owners. Set up centralized audit logging with 90-day minimum retention.

Days 61-90: Documentation and testing. Write or update your Information Security Policy to match actual controls. Conduct a tabletop incident response exercise. Test backup restoration and document RTO/RPO results. Complete vendor risk assessments for your top 10 data-access vendors. Build your monthly compliance dashboard in Power BI or Guardian Security Insights.

Is Your IT Framework Ready for Your Next Examination?

ABT's security assessment for financial institutions evaluates:

  • Framework alignment with NIST CSF 2.0, CIS Controls, or CISA CPGs
  • Identity and access management gaps across your M365 tenant
  • Data protection controls including DLP, encryption, and sensitivity labels
  • Continuous monitoring readiness and examiner evidence documentation

Frequently Asked Questions

The FFIEC retired the CAT on August 31, 2025 and now endorses three alternatives: NIST Cybersecurity Framework 2.0, CISA Cybersecurity Performance Goals, and CIS Controls v8.1. Financial institutions should align with at least one of these frameworks and document their risk assessments against its control categories. Examiners expect to see framework alignment in your next examination cycle.

The NCUA lists cybersecurity as its top 2026 supervisory priority. Federally insured credit unions must establish information security programs under Part 748, report substantial cyber incidents within 72 hours of discovery, and demonstrate to examiners how they identify, measure, monitor, and control risks continuously. The NCUA expects alignment with FFIEC-endorsed frameworks like NIST CSF 2.0 and evidence of ongoing security posture monitoring.

The most common findings include legacy authentication protocols still enabled, missing or stale risk assessments, inadequate patch management documentation, lack of centralized security logging, incomplete vendor risk management programs, and policies that describe controls not actually implemented. Addressing these six areas before an examination eliminates the majority of typical findings for community banks and credit unions.

Financial institutions should update IT risk assessments at least annually and whenever significant changes occur. Significant changes include deploying a new core banking platform, migrating to cloud infrastructure, opening or closing branch locations, completing a merger or acquisition, or experiencing a security incident. A risk assessment older than 12 months will draw examiner scrutiny during any regulatory review.

Most community banks and credit unions should adopt NIST CSF 2.0 as their primary framework, supplemented by CIS Controls for implementation prioritization. NIST CSF 2.0 has the highest examiner recognition and maps directly to FFIEC, GLBA, and NCUA requirements. CIS Controls provide a practical roadmap through three implementation groups, with IG2 serving as the appropriate baseline for institutions managing sensitive customer data. Document your framework choice and the rationale behind it.
Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has guided financial institutions through compliance framework transitions for over 25 years, from GLBA and SOX to FFIEC cybersecurity assessments and now the post-CAT landscape. As CEO of Access Business Technologies, he builds IT frameworks that pass examinations and protect customer data for 750+ financial institutions across banking, credit unions, and mortgage lending.