Mitch Myers

Understanding Credentialed Vulnerability Assessments for Federally Regulated Financial Institutions

Overview

As a federally regulated financial institution, you are subject to ongoing examination and oversight. A core component of your information security program is identifying and addressing vulnerabilities across your environment. Not all vulnerability assessments provide the same level of insight: relying solely on limited or non-independent testing can leave critical gaps in visibility and create a false sense of security.

This document explains those differences, why credentialed assessments provide a more complete view of your security posture, and how regulatory guidance supports the need for independent testing to validate the effectiveness of your controls.

What Is a Vulnerability Assessment?

A vulnerability assessment (VA) is a systematic review of your network, systems, and devices to identify security weaknesses. These weaknesses may include missing patches, software misconfigurations, outdated or unsupported software, and other factors that could be exploited by a threat actor. Vulnerability assessments can be performed from different perspectives, including external (unauthenticated) and internal (authenticated) approaches, each providing a different level of visibility into the environment. Vulnerability assessments are a foundational element of any sound information security program.

Credentialed vs. Uncredentialed Assessments

Vulnerability assessments are typically performed in one of two ways: credentialed (authenticated) or uncredentialed (unauthenticated). The distinction is significant, as it directly impacts the depth, accuracy, and reliability of the results.

| Uncredentialed Assessment | Credentialed Assessment |
| --- | --- |
| Does not require login credentials or administrative access to target systems. | Uses administrative credentials to log into systems and perform an in-depth review. |
| Provides an external or outsider's view of the network. | Provides a thorough internal view of the actual security posture. |
| Limited ability to detect missing patches, misconfigurations, and internal vulnerabilities. | Identifies missing patches, misconfigurations, privilege issues, unsupported software, and internal vulnerabilities. |
| Higher rate of false negatives — vulnerabilities exist but are not detected. | Lower rate of false negatives and false positives — results are more accurate and actionable. |
| Provides a limited and potentially misleading view of vulnerability exposure. | Gives a complete and accurate picture of vulnerability exposure across the environment. |

An uncredentialed scan is not without value — it shows what an external attacker might see. However, it is not a substitute for a credentialed assessment. Without authenticated access, a significant number of vulnerabilities will go undetected, leaving the institution with an incomplete understanding of its risk. For this reason, credentialed assessments are expected as part of a mature vulnerability management program, particularly when validating the effectiveness of internal controls.
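To make the false-negative gap in the table concrete, the following is an added illustration (not code from the original document or from SBS CyberSecurity) that models the two scan perspectives over the same hosts. The network-only scan can judge only products that advertise a version on an open port; the logged-in scan reads installed packages, local configuration and local group membership. Every host record, version threshold, baseline setting and the "product/version" banner format is constructed for the example; a real scanner's checks are far broader, but the reconciliation step at the end is the same one a practitioner uses to show an examiner which finding categories an uncredentialed scan structurally cannot see.

```python
"""Compare what an uncredentialed (network-only) scan and a credentialed
(logged-in) scan detect on the same hosts, and report the false-negative gap.
Added illustration: all host data, version thresholds, baseline values and
the banner format are constructed, not taken from any real scanner or site."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    category: str   # missing_patch, misconfiguration, privilege_issue, unsupported_software
    detail: str


@dataclass
class Host:
    name: str
    banners: dict        # port -> "product/version" as seen from the network (constructed format)
    installed: dict      # package -> version, readable only after login
    config: dict         # local settings, readable only after login
    local_admins: list   # members of the local administrators group


# Constructed scanner knowledge: oldest patched version per product, products past
# end of support, the expected hardening baseline, and the approved local-admin set.
FIXED_VERSIONS = {"openssh": "9.6", "openssl": "3.0.13", "log-agent": "2.4"}
UNSUPPORTED = {"python2"}
BASELINE = {"smbv1_enabled": "no"}
APPROVED_ADMINS = {"admin"}


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def patch_finding(host, product, version):
    """A missing_patch finding if `version` is older than the fixed version, else None."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed and version_tuple(version) < version_tuple(fixed):
        return Finding(host, "missing_patch", f"{product} {version} (fixed in {fixed})")
    return None


def uncredentialed_scan(host):
    """Network view: only products that advertise a version on an open port can be judged."""
    findings = set()
    for _port, banner in host.banners.items():
        product, version = banner.split("/", 1)
        f = patch_finding(host.name, product, version)
        if f:
            findings.add(f)
    return findings


def credentialed_scan(host):
    """Logged-in view: installed packages, local configuration and group membership."""
    findings = set()
    for product, version in host.installed.items():
        if product in UNSUPPORTED:
            findings.add(Finding(host.name, "unsupported_software", f"{product} {version}"))
            continue
        f = patch_finding(host.name, product, version)
        if f:
            findings.add(f)
    for key, expected in BASELINE.items():
        actual = host.config.get(key)
        if actual != expected:
            findings.add(Finding(host.name, "misconfiguration", f"{key}={actual} (expected {expected})"))
    extra = set(host.local_admins) - APPROVED_ADMINS
    if extra:
        findings.add(Finding(host.name, "privilege_issue",
                             "unapproved local admins: " + ", ".join(sorted(extra))))
    return findings


def gap_report(hosts):
    """Reconcile both perspectives: findings seen by both, by one side only, and the
    per-category count of what the uncredentialed scan missed (its false negatives)."""
    uncred = set().union(*(uncredentialed_scan(h) for h in hosts))
    cred = set().union(*(credentialed_scan(h) for h in hosts))
    cred_only = cred - uncred
    by_category = {}
    for f in cred_only:
        by_category[f.category] = by_category.get(f.category, 0) + 1
    return {
        "both": len(cred & uncred),
        "credentialed_only": len(cred_only),
        "uncredentialed_only": len(uncred - cred),
        "missed_by_category": by_category,
    }


# Constructed sample inventory for two hosts: a file server with several local
# weaknesses and a web server whose only issue is an out-of-date agent.
HOSTS = [
    Host("fs01", {22: "openssh/8.9"},
         {"openssh": "8.9", "openssl": "3.0.2", "python2": "2.7.18"},
         {"smbv1_enabled": "yes"}, ["admin", "svc_backup", "helpdesk"]),
    Host("app02", {443: "nginx/1.24"},
         {"nginx": "1.24", "log-agent": "2.1"},
         {"smbv1_enabled": "no"}, ["admin"]),
]

if __name__ == "__main__":
    print(gap_report(HOSTS))
    for h in HOSTS:
        for f in sorted(credentialed_scan(h) - uncredentialed_scan(h), key=lambda x: x.category):
            print(f"  only with credentials: {f.host} {f.category}: {f.detail}")
```

On the constructed inventory the network-only scan finds one issue (the SSH version on fs01) while the credentialed scan finds six; the five it alone detects are the categories the table attributes to credentialed testing: a second missing patch on a library that listens on no port, unsupported software, a hardening misconfiguration, and unapproved local administrators. Reversing the comparison (`uncredentialed_only`) is also worth reporting in practice, since a network-only finding absent from the credentialed results is usually a banner-based false positive to be confirmed.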

The Importance of Independent Testing

If your institution outsources the management of its IT infrastructure to a managed service provider (MSP), it is important to understand the distinction between assessments performed by the MSP and assessments performed by an independent third party.

An MSP that hosts and manages your network environment is not an independent party. Any vulnerability assessment the MSP performs on your infrastructure is, in effect, a self-assessment of their own work. While self-assessments support ongoing operations, they do not meet the standard for independent testing. An independent assessment provides an unbiased evaluation of the controls and security posture of your environment — including the work performed by the MSP.

Your institution should ensure that independent vulnerability assessments are part of your information security program, and that your contract with any MSP includes provisions allowing for independent testing of the managed environment.

Regulatory Guidance

The following regulatory references support the need for thorough, independent vulnerability assessments at federally regulated financial institutions:

FFIEC IT Examination Handbook — Information Security Booklet

The FFIEC Information Security Booklet explicitly addresses the need for independence in testing and audit activities, stating that assessments should be conducted by parties that are independent of the function being evaluated. This is to ensure objectivity and eliminate conflicts of interest in the evaluation of security controls.

In practice, this means that a managed service provider responsible for administering and securing an environment cannot serve as the sole source of assurance over those same controls. This creates a conflict of interest and does not meet the intent of independent testing as described by FFIEC guidance. Independent vulnerability assessments provide the necessary separation to validate whether controls are functioning as intended.

Reference: https://ithandbook.ffiec.gov/it-booklets/information-security/iv-information-security-program-effectiveness/iva-assurance-and-testing/iva3-independence-of-tests-and-audits/

FFIEC — Oversight of Third-Party Service Providers

FFIEC guidance on third-party oversight makes clear that financial institutions retain full responsibility for the security of outsourced systems and services. Institutions are expected to verify that service providers implement appropriate controls and effectively mitigate risk.

Importantly, this guidance also emphasizes that contracts should provide the institution, or an independent party acting on its behalf, the ability to perform evaluations of the service provider’s environment. This reinforces that reliance on a provider’s internal assessments alone is not sufficient.

This means institutions should ensure they have both the contractual right and the operational ability to conduct independent testing of environments managed by third-party providers.

Reference: https://ithandbook.ffiec.gov/it-booklets/information-security/ii-information-security-program-management/iic-risk-mitigation/iic20-oversight-of-third-party-service-providers

FDIC — Technology Service Provider Contracts (FIL-19-2019)

FDIC guidance on technology service provider contracts reinforces that financial institutions remain responsible for the security of outsourced systems and must maintain the ability to assess and monitor those environments. This includes ensuring contractual provisions allow for independent evaluation of security controls.

Reference: https://www.fdic.gov/news/financial-institution-letters/2019/fil19019.html

FFIEC Joint Statement — Risk Management for Cloud Computing

The FFIEC joint statement on cloud computing makes clear that institutions should not assume that security controls are effective simply because systems are operated by a third-party provider. Instead, management is expected to validate those controls through assurance activities such as independent audits, penetration tests, and vulnerability assessments.

Reference: https://www.fdic.gov/news/financial-institution-letters/2020/fil20052a.pdf

Key Takeaways

  1. Your institution is a regulated entity. The decision to conduct a credentialed vulnerability assessment is yours to make. This decision should be driven by your institution's risk management program, not by the preferences of a service provider.
  2. Uncredentialed scans are not a substitute for credentialed scans. While uncredentialed scans provide value, they cannot detect the full scope of vulnerabilities within your environment. A credentialed scan is necessary for a complete and accurate assessment.
  3. Independent testing matters. If your infrastructure is managed by a third party, assessments performed by that same third party are not independent. Your institution should ensure and verify that independent assessments are part of your security program.
  4. Review your contracts. Your agreement with any managed service provider should include provisions that allow your institution to conduct or authorize independent testing of the managed environment. If these provisions are not present, this represents a control gap that should be addressed.
  5. Regulatory examiners will hold the institution accountable. Your examiner will evaluate the adequacy of your vulnerability management program. Demonstrating that your institution conducts thorough, independent, credentialed assessments strengthens your position during examination.


If you have any questions about this document or would like to discuss scheduling a credentialed vulnerability assessment for your institution, please do not hesitate to reach out. We are here to help you meet your regulatory obligations and strengthen your security posture.

Mitch Myers

Mitch Myers is a Network Security Engineer - Team Lead at SBS CyberSecurity. He specializes in information technology, cybersecurity, operational planning, and team building.
