FFIEC CAT Is Ending: How Banks Can Transition

July 2, 2025


Key insights

The Federal Financial Institutions Examination Council is sunsetting its Cybersecurity Assessment Tool.

Financial institutions need to proactively adopt a replacement assessment and have a transition plan ready before August 31, 2025.

Explore the four replacement frameworks the regulators point to, and consult a professional to guide your final selection based on the size, complexity, and risk appetite of your financial institution.


In a significant move, the Federal Financial Institutions Examination Council (FFIEC) announced that it is sunsetting its Cybersecurity Assessment Tool (CAT) effective August 31, 2025. This marks the end of an era for a tool that has helped financial institutions identify cybersecurity risks and measure their preparedness since its release in June 2015 and its update in May 2017.

The tool’s phase-out signals a shift to more current cybersecurity frameworks. The CAT was always a voluntary self-assessment, and its retirement does not relax the underlying supervisory expectations, so whatever replaces it should still produce evidence for the controls examiners already look for. Financial institutions need to proactively adopt a replacement and have a transition plan ready before August 31, 2025.

Why is the FFIEC CAT being phased out?

The FFIEC decided not to update the CAT to reflect newer government resources, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. Instead, the FFIEC encourages financial institutions to use these new and updated government and industry resources to manage cybersecurity risk.

Recommended FFIEC CAT replacement frameworks

As the FFIEC CAT is phased out, banks can adopt one of the frameworks the FFIEC announcement points to as a replacement. They include:

National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0

The NIST Cybersecurity Framework 2.0, released in February 2024, is an updated version of the original framework designed to help organizations manage and reduce cybersecurity risk. It provides a set of outcomes, informed by industry standards and practices, that organizations can use to build and improve their cybersecurity posture.

The framework is composed of six core functions: govern, identify, protect, detect, respond, and recover. These functions work together to provide a strategic approach to managing cybersecurity risk.

Version 2.0 adds the govern function, which is new in this release and includes supply chain risk management as a category, and places more emphasis on measurement and assessment. The NIST Cybersecurity Framework 2.0 is intended to be flexible and adaptable, making it applicable to organizations of all sizes and sectors; institutions that previously used the CAT will find its five original functions carried over unchanged.

Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals

The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (CPGs) are a set of baseline cybersecurity practices applicable across all critical infrastructure sectors. The goals describe high-impact security actions that organizations of all sizes and industries can implement to protect themselves against common cyber threats and improve resilience.

The CPGs are organized under the five original NIST Cybersecurity Framework functions (identify, protect, detect, respond, and recover) and are published as cross-sector goals, with sector-specific goals layered on top. According to CISA, Sector-Specific Goals (SSGs) for the financial services sector are expected in winter 2025. Because the CPGs are a prioritized baseline rather than a full risk framework, many institutions pair them with one of the other options below.

Cyber Risk Institute (CRI) Cyber Profile 2.0

The Cyber Risk Institute (CRI) Cyber Profile 2.0 is a standard for cybersecurity risk assessment built specifically for the financial services sector. Based on NIST’s Framework for Improving Critical Infrastructure Cybersecurity and aligned with NIST Cybersecurity Framework 2.0, the CRI Profile offers a streamlined approach to cybersecurity risk management and is the closest of the four options to the CAT in purpose and structure.

The CRI Profile includes a maturity model assessment for peer benchmarking and is designed to address dynamic and evolving threats. It is divided into seven core functions (govern, identify, protect, detect, respond, recover, and extend) that are aligned with regulatory expectations for the financial services sector; the extend function covers third-party and supply chain dependencies.

The CRI Profile includes specific guidance on controls, assessment methods, and sample evidence, with mappings to authoritative sources maintained in a separate catalog. Keeping the mappings separate enhances the profile’s utility without changing the core functions, categories, subcategories, or diagnostic statements.

Center for Internet Security (CIS) Critical Controls Version 8

The Center for Internet Security (CIS) Critical Security Controls Version 8 is a prioritized set of cybersecurity defense controls and safeguards designed to protect against the most prevalent attacks on systems and networks. Version 8 consists of 18 controls, and its safeguards are grouped into three Implementation Groups (IG1 through IG3) so that an institution can start with the essential safeguards and expand as its resources and risk allow. The controls are mapped to and referenced by multiple legal, regulatory, and policy frameworks.

The latest version has been updated to reflect modern systems and software, including cloud computing, virtualization, mobility, outsourcing, and work-from-home environments. The framework is accompanied by additional resources, such as the CIS Risk Assessment Method (CIS RAM) and the CIS Community Defense Model (CDM), which help institutions prioritize which safeguards to implement against common threats and attack techniques.

How to pick a FFIEC CAT replacement

Consider these factors during your selection process:

  • Your institution’s overall size and complexity
  • The availability of resources for consistent monitoring and updating (so your assessment stays current as the framework and your technology environment change)
  • The ease of using the tool for strategic decision-making, and how well it aligns with your overall cybersecurity risk appetite
  • How readily the framework’s results can be mapped back to the controls and evidence your examiners already expect

The goal is to give your stakeholders a clear, repeatable picture of your cybersecurity posture. Each framework offers tools to support that effort. Since all of the options are regulator-recommended, it is up to your institution to evaluate them and choose the one that fits.

Replacing FFIEC CAT? CLA can help

Watch our webinar for guidance on choosing a new framework, lessons learned from using FFIEC CAT, and key considerations for a smooth transition.

Connect

David Nowacki

Controls Consultant Manager


The information contained herein is for informational purposes only, general in nature and is not intended, and should not be construed, as legal, accounting, investment, or tax advice or opinion provided by CliftonLarsonAllen LLP (CLA) to the reader. Your use of the information does not create a client or any other contractual relationship between you and CLA. ©️2024 CliftonLarsonAllen LLP. For more information, visit godigital.CLAconnect.com. CLA (CliftonLarsonAllen LLP) is an independent network member of CLA Global. See CLAglobal.com/disclaimer.