DEFENSESTORM BLOG
Wednesday, September 11th, 2024
The Federal Financial Institutions Examination Council (FFIEC) released important information surrounding the commonly used Cybersecurity Assessment Tool (CAT).
In the release, the FFIEC announced that there will be no further updates to the CAT despite new government resources such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF 2.0) and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. On August 31, 2025, the CAT will be removed from the FFIEC website. The decision to sunset this assessment tool comes after much consideration, and the determination that new and updated government and industry resources are available for institutions to leverage in order to better manage their cybersecurity risks.
In the FFIEC’s sunset statement, the council outlined that supervised financial institutions can refer directly to two government resources, the NIST CSF 2.0 and the CISA Cybersecurity Performance Goals, which will be covered in a banker webinar this Fall.
In addition to these resources, the FFIEC mentions industry-developed tools such as the Cyber Risk Institute’s Cyber Profile and the Center for Internet Security Critical Security Controls.
Ultimately, the FFIEC does not endorse any particular tool. The goal of using any self-assessment tool is to support an effective control environment commensurate with the institution’s risk profile. These tools can and should be used in conjunction with other resources, such as frameworks and guidelines, to better inform the continuous evolution of institutions’ cyber risk management programs.
It is important to understand that just as the use of the CAT was voluntary, the use of any framework or tool is voluntary. These tools do not serve as examination programs, and your examiners will continue to take a risk-based approach to exams. The FFIEC states that as cyber risk evolves, examiners may address areas not covered by all tools.
To read the entire FFIEC Cybersecurity Assessment Tool (CAT) Sunset Statement, please refer to the FFIEC Announcement from August 29, 2024.
NIST CSF 2.0
NIST’s Cybersecurity Framework (CSF) is designed to help institutions of all sizes and sophistication levels manage and reduce their unique cybersecurity risks. Originally released in 2014, the framework received significant enhancements in March 2024 that provide new guidance to aid institutions in managing their cybersecurity risk, including the addition of the Govern function.
NIST’s CSF 2.0 offers high-level outcomes relevant to all financial institutions regardless of size, complexity, or risk appetite, establishing a solid foundation for maintaining and ensuring cyber risk readiness. With the release of NIST CSF 2.0, the guidance expands the practices and controls that institutions can use to best understand, assess, prioritize, and communicate cybersecurity efforts.
To read about what’s new in NIST CSF 2.0, and to learn about implementing the framework, please refer to the New Guidance for Managing Cybersecurity Risks with NIST CSF 2.0 Insights post from earlier this year.
Additionally, DefenseStorm’s Jessica Caballero covered NIST CSF 2.0 extensively in a recent webinar, detailing the enhancements and impact to financial institutions.
CISA Cybersecurity Performance Goals
CISA released Cross-Sector Cybersecurity Performance Goals in 2023 and is currently preparing to release Cybersecurity Performance Goals for the Financial Sector later in 2024. These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improving security and resilience.
Cyber Profile
The Cyber Risk Institute created the Cyber Profile, which was developed by and for the financial sector. The Profile is based on NIST’s “Framework for Improving Critical Infrastructure Cybersecurity”. The Cyber Risk Institute states that its Profile is “an efficient approach to cybersecurity risk management that effectively counters the dynamic, evolving threat and provides adequate assurance to government supervisors.”
Cyber Risk Readiness with DefenseStorm
To ensure that your institution is equipped to monitor, manage, and reduce its unique cybersecurity risks, NIST CSF 2.0 has been integrated as a framework with mappings to activities within GRID Active Threat Surveillance, Fraud Detection, Governance Program, and Risk Assessment. In light of this news, DefenseStorm will be implementing the CISA Cybersecurity Performance Goals and the Cyber Profile as frameworks in the near future. This further builds on our built-for-banking philosophy and ensures that your institution is cyber risk ready in the battle against emerging and existing threats in an evolving landscape.