As your community bank prepares for the discontinuation of the FFIEC’s Cybersecurity Assessment Tool (CAT) in August 2025, it is important to consider an established approach for managing your cybersecurity risks. This article provides you with a comparison of alternative frameworks, outlines key criteria for aligning a replacement with your unique risk profiles, and shares best practices for transitioning to your selected framework.
Background
The current CAT was originally released by the FFIEC in 2015 and subsequently modified in 2017. Since then, all U.S. federal banking regulators have encouraged their supervised institutions to complete the assessment annually. In August 2024, the FFIEC announced that it would discontinue support for the CAT, removing it from its website effective August 31, 2025. The FFIEC cited the availability of new and updated government and industry resources that financial institutions can leverage to more effectively manage cybersecurity risks.
The FFIEC referenced several alternative resources:
- Government resources:
- NIST Cybersecurity Framework (CSF) v2.0
- Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (CPGs)
- Industry resources:
- Cyber Risk Institute (CRI) Cyber Profile v2.0
- Center for Internet Security (CIS) Critical Security Controls
While the FFIEC is not endorsing any specific tool or framework, institutions [1] are encouraged to adopt established, standards-based approaches aligned with their risk profile and control environment. Institutions opting for custom-built frameworks may attract unnecessary regulatory scrutiny.
Alternatives
| Framework | Description | Standards-Based? | Financial Industry Specific? |
|---|---|---|---|
| NIST Cybersecurity Framework (CSF) 2.0 | Widely adopted, sector-neutral risk management framework organized into six functions (Govern, Identify, Protect, Detect, Respond, Recover). | Yes | No |
| CISA Cybersecurity Performance Goals (CPGs) | Baseline goals for critical infrastructure entities in every sector, including financial services. Based on NIST CSF 1.0 with the addition of the Governance function. | Yes (NIST v1.0) | No (cross-sector) |
| CRI Cyber Profile 2.0 | Based on NIST CSF 2.0 with an additional Extend function and financial industry–specific subcategories. | Yes (NIST v2.0) | Yes |
| Center for Internet Security (CIS) Critical Security Controls | Prioritized set of safeguards, grouped by implementation level, with published mappings to multiple standards and regulations, including NIST CSF 2.0. | Yes (maps to NIST v2.0) | No |
Summary
For financial institutions, the ideal replacement for the FFIEC CAT should:
- Be based on a widely recognized cybersecurity framework (e.g., NIST CSF)
- Be maintained and regularly updated by a committed and reputable organization
- Address the specific challenges, regulatory expectations, and risk profiles of the financial industry
- Enable structured assessment, tracking, and reporting of cybersecurity posture, including assessment-to-assessment comparison reports
- Allow for customization to meet the unique needs of individual institutions
Also, consider partnering with subject matter experts to assist with the completion of the assessment and the interpretation of the assessment results.
Regardless of the selected framework, users should:
- Treat the new assessment model with fresh eyes: Use results to identify control gaps and define a roadmap toward your target cybersecurity maturity.
- Ensure reporting capability: Select a framework or tool that enables the production of clear, comprehensive reports for stakeholders, examiners, and the board.
- Expect ongoing updates: Choose frameworks supported by organizations committed to updating content to reflect evolving cyber threats and best practices.
- Prioritize flexibility: Institutions should be able to tailor the framework to their specific size, complexity, and risk profile.
- Be mindful of the transition process: Prefer a framework or tool that provides a mapping (crosswalk) from CAT declarative statements to its own controls, so that prior CAT responses carry forward, assessment consistency is maintained, duplicate work is avoided, and the transition is eased.
Next Steps
- Select a preferred alternative and develop a transition plan in advance of the CAT retirement in August 2025.
- Engage internal stakeholders (e.g., IT, compliance, risk management, and internal audit) to evaluate tool fit and implementation requirements.
- Transition to the framework and conduct a gap analysis comparing your most recent CAT assessment results with the results of your chosen framework.
- Document framework choice rationale and communicate changes to your examiners and board of directors to demonstrate that you’ve implemented a risk-based, coordinated, and well-governed approach.
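The crosswalk and gap analysis called for in the transition steps above can be mechanized so that the same logic runs each assessment cycle. The following Python is an added example, not code from the original article or from any framework publisher. The CAT declarative-statement IDs and NIST CSF 2.0 subcategory IDs follow the real naming formats, but the crosswalk between them and the sample answers are constructed for illustration; build the real crosswalk from the successor framework's published mapping.

```python
"""Carry a prior FFIEC CAT assessment forward onto a successor framework.

Constructed example: the crosswalk and answers below are illustrative only.
Replace CROSSWALK with the successor framework's published CAT mapping and
CAT_RESULTS with the institution's most recent CAT responses.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# CAT answers are "Yes", "Yes(C)" (yes with compensating controls) or "No".
SATISFIED = {"Yes", "Yes(C)"}

# Constructed sample of prior CAT responses (statement ID -> answer).
CAT_RESULTS = {
    "D1.G.Ov.B.1": "Yes",
    "D1.G.Ov.B.2": "Yes(C)",
    "D1.RM.RA.B.1": "No",
    "D2.TI.Ti.B.1": "Yes",      # not referenced by the crosswalk below
    "D3.PC.Am.B.1": "Yes",
    "D3.PC.Am.B.2": "No",
    "D3.DC.Ev.B.1": "No",
    "D5.IR.Pl.B.1": "Yes",
}

# Constructed crosswalk: successor control -> CAT statements that evidence it.
CROSSWALK = {
    "GV.OC-01": ["D1.G.Ov.B.1"],
    "GV.RM-01": ["D1.G.Ov.B.2", "D1.RM.RA.B.1"],
    "GV.SC-01": [],             # no CAT equivalent: must be assessed fresh
    "PR.AA-05": ["D3.PC.Am.B.1", "D3.PC.Am.B.2"],
    "DE.CM-01": ["D3.DC.Ev.B.1"],
    "RS.MA-01": ["D5.IR.Pl.B.1"],
}


@dataclass
class Finding:
    control: str
    status: str                          # covered | partial | gap | unmapped
    evidence: list = field(default_factory=list)    # satisfied CAT statements
    open_items: list = field(default_factory=list)  # unsatisfied or missing


def carry_forward(cat_results, crosswalk):
    """Classify each successor control from the prior CAT answers.

    A statement absent from cat_results counts as unsatisfied, so a control
    is never marked covered on the strength of an answer that was not given.
    """
    findings = {}
    for control, statements in crosswalk.items():
        if not statements:
            findings[control] = Finding(control, "unmapped")
            continue
        met = [s for s in statements if cat_results.get(s) in SATISFIED]
        unmet = [s for s in statements if s not in met]
        if not unmet:
            status = "covered"
        elif met:
            status = "partial"
        else:
            status = "gap"
        findings[control] = Finding(control, status, met, unmet)
    return findings


def unused_statements(cat_results, crosswalk):
    """CAT statements no successor control references: coverage that would
    silently drop out of the assessment unless reviewed."""
    mapped = {s for statements in crosswalk.values() for s in statements}
    return sorted(set(cat_results) - mapped)


def summarize(findings):
    """Count controls per status for the board/examiner summary."""
    counts = defaultdict(int)
    for finding in findings.values():
        counts[finding.status] += 1
    return dict(counts)


def report(findings, cat_results, crosswalk):
    """Plain-text gap report, one line per successor control."""
    lines = []
    for f in sorted(findings.values(), key=lambda f: f.control):
        detail = "  open: " + ", ".join(f.open_items) if f.open_items else ""
        lines.append(f"{f.control:10} {f.status:9}{detail}")
    for s in unused_statements(cat_results, crosswalk):
        lines.append(f"{'':10} unused    CAT {s} is not carried forward")
    return "\n".join(lines)


if __name__ == "__main__":
    results = carry_forward(CAT_RESULTS, CROSSWALK)
    print(report(results, CAT_RESULTS, CROSSWALK))
    print(summarize(results))
```

The three outputs worth keeping in the transition file are the controls marked `gap` or `partial` (the roadmap items), the `unmapped` controls (new work the CAT never asked about, so no prior answer exists), and the `unused` CAT statements (evidence the successor framework does not consume, which is where coverage can quietly regress).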
As your community bank navigates away from the FFIEC CAT, embracing a standards-based cybersecurity framework will bolster your efforts to manage cyber risks while maintaining regulatory compliance. By taking proactive steps to select and implement the right framework, you can ensure that your cybersecurity strategy remains robust, aligned with industry standards, and responsive to evolving threats.