
So, what's really happening with the ACET?


First, let's clear things up. The NCUA still officially supports the ACET, but the Cybersecurity Assessment Tool (CAT) it was built on was sunset at the end of August 2025.


So why the change? Simply put, the ACET couldn’t keep up. When it was introduced in 2015, it served a purpose, but it quickly became an "enormous beast" that was difficult to untangle. Meanwhile, other frameworks kept adapting to modern threats like cyber supply chain risks—things the ACET just doesn’t address very well.


Pro Tip: While you might get away with using the ACET for one more exam cycle, don’t count on it. The writing is on the wall. The NCUA’s heart doesn't seem to be in it anymore, and the expectation is that you will move to a more modern framework.


Your Top 3 Framework Options


The good news is that you have excellent, well-supported options to choose from. The FFIEC provides guidance on three main contenders.


  • NIST Cybersecurity Framework (CSF): Tom described this as the framework "written by government for government," covering multiple industries. It’s flexible and aligns well with new examiner guidelines, especially around governance.


  • CRI Cybersecurity Profile: This is a non-profit, open-source product based on the NIST framework, but it has been specifically "adjusted and tuned for…financial services". This makes the questions much more relevant to the work we do every day.


  • CIS Framework: This is the biggest and broadest of the three options. It's more prescriptive, meaning it focuses more on the "how" of implementing controls, whereas NIST and CRI focus more on the "what".


Pro Tip: Tom made a great point that while you can't go wrong with any of them, the CRI Profile is an excellent choice for credit unions because it's built specifically for our world.


Making the Transition: A Practical Game Plan


Moving on from years of ACET data can feel daunting, especially if you have years of trend analysis built up. But Tom’s advice was refreshingly direct.


1. Rip the Band-Aid Off: Don’t overthink it. Tom argued that the initial effort to adopt one of the new frameworks is much smaller than the first time you completed the ACET. The questions are clearer and more descriptive, making the process less confusing. Just pick one and get it done.


2. Avoid the Biggest Mistake: The worst thing you can do right now is nothing. Sticking with the ACET might feel safe, but you'll be falling behind. As Tom put it, "the penalty for waiting is much bigger than thinking you chose poorly".



This is a Golden Opportunity for InfoSec


I made this point during the podcast because I think it’s so important: this isn't just a compliance exercise; it's a strategic opportunity.


For years, many have viewed InfoSec as just "firewall stuff". Now, you have a perfect reason to re-engage with your leadership and the rest of the organization about what cybersecurity really means today.


Pro Tip: Use this framework transition as a catalyst for bigger conversations. Talk about the risks the ACET never covered, like AI, Zero Trust Architecture, and the massive increase in third-party vendors. Tom gave a brilliant analogy of building a multi-million dollar perimeter around your castle, only to stand on the wall and throw documents over the side to an AI, saying, "hey, can somebody edit this for me?". That’s the risk we face, and these new frameworks help us address it.

Final Thoughts!


The world we operate in is a "complex system," not just a complicated one. Things are constantly changing, and threat actors are always adapting. Our cybersecurity approach must be just as adaptable. The ACET wasn’t, and that’s why we’re moving on.


So, here’s your final takeaway: 


Pick one, commit, be accurate, be transparent, and just keep moving forward.


To hear the full, in-depth conversation with Tom Costello, be sure to check out the latest episode of the ByteWise Podcast!



© 2025 Parker Solutions. All rights reserved.