DEFENSESTORM BLOG
Wednesday, December 11th, 2024
To prepare for the sunset of the FFIEC Cybersecurity Assessment Tool, financial institutions should identify a new framework around which to build their programs and self-assess against that framework using a risk-based approach to confirm that the appropriate level of maturity is reached in each area.
On August 29, 2024, the FFIEC issued a press release officially announcing the sunset of the Cybersecurity Assessment Tool (CAT). Since its release in June 2015, many financial institutions have leaned on the CAT to shape and grow their programs. Regulatory agencies have also used it as a tool to gauge an institution’s maturity and preparedness. While expected for quite some time because of new government and industry resources, the news still left many questioning how to move forward ahead of the August 31, 2025, sunset date.
The FFIEC decided to point institutions directly to government resources instead of updating the CAT. The agencies and organizations that maintain these resources keep them up to date in line with new and emerging threats and evolving best practices. The industry was well aware that the CAT was out of date and needed either an overhaul or guidance that it was no longer relevant, as many institutions felt the annual exercise had turned into a “check the box” activity that no longer added much value – especially for institutions growing in size and complexity. While outdated, the CAT did offer a clear risk-based approach through its embedded inherent risk questionnaire. Many institutions are questioning how to use other frameworks and self-assessments that don’t have that element. In the post-CAT world, using your risk assessment in tandem with frameworks and self-assessments can help institutions become more cyber risk ready.
One thing to keep in mind is that the NCUA intends to continue using the ACET, which encompasses the CAT. They have stated they intend to keep it industry relevant. However, using the ACET tool is voluntary. Credit unions may also choose to move away from that standard towards a government- or industry-developed resource.
Choosing a Tool
Neither the FFIEC nor the Agencies endorse a particular tool. However, they do state the importance of using a tool to better address and inform the management of cybersecurity risks. The press release states that whichever tool is used should be used in a way that supports an effective control environment commensurate with the risk. It is also important to keep in mind that you aren’t restricted to using just one tool. Multiple frameworks can be used to guide your program, and multiple self-assessments can be conducted to gauge your program. These can all be used in conjunction with standards, guidelines, and leading practices to shape your program into one that ensures cyber risk readiness.
Government Resources
NIST CSF 2.0: The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (NIST CSF 2.0) added a new function, Govern, which made the framework more relevant to financial institutions. Govern covers a myriad of concepts familiar to institutions, including categories for risk management strategy; roles, responsibilities, and authorities; policies; and oversight. These banking-relevant categories make the framework more user friendly for financial institutions and make NIST CSF 2.0 one of the most popular choices for institutions as they look to replace the CAT.
The NIST CSF 2.0 can be implemented using its maturity tiers. These four tiers can be used to define a risk-based target posture and measure progress as you work towards the target. Institutions can set a target tier for the framework as a whole or be more granular by setting targets for specific functions or categories. The framework also comes with implementation examples that provide action-oriented steps to help translate the intent behind each subcategory.
CISA CPG: The Cybersecurity and Infrastructure Security Agency (CISA) is expected to release Cybersecurity Performance Goals (CPG) specific to the Financial Sector in late 2024, which the FFIEC and the agencies agree will be a solid resource for bankers. CISA currently has Cross-Sector CPGs published, which are a good reference for what we can expect out of the financial sector version. The goals are clearly laid out, including:
The Goals are intended to be a baseline set of cybersecurity practices that can be used as a benchmark to measure and improve cybersecurity maturity.
Industry Developed Resources
CRI Profile: The Cyber Profile is one of the most popular choices for institutions next to the NIST CSF 2.0 mentioned above. While based on NIST, the Profile may have the edge because it is banking specific. The Profile has a very high-level risk assessment built in that puts institutions into one of four buckets depending on their systemic reach should an event occur. These Impact Tiers range from National/Super-National Impact down to Localized Impact. The Profile then guides you through which diagnostic statements are relevant to your tier. For example, some controls may be appropriate for a National/Super-National Impact institution that wouldn’t be warranted based on the risk of an institution in the Localized Impact Tier. This approach simplifies the process of gauging the appropriate maturity tier. However, it does not replace the need for a risk assessment, which we will cover later.
CIS Controls: The Center for Internet Security’s (CIS) Critical Security Controls offer a prioritized set of controls to mitigate the most prevalent cyber-attacks. While more technical in nature, the CIS Controls are widely used and are often used in conjunction with other frameworks like the NIST CSF 2.0. The implementation groups give a simplified approach to maturation, with each group building on the last. The implementation groups give users clear prioritization of controls, with IG1 being Essential Cyber Hygiene or “the on ramp,” as CIS calls it. Users then progress to IG2 and IG3.
Remember: These tools are not examination programs. Exams will continue to be risk-focused and examiners may address areas not covered by all tools.
Risk Assessment Results Should Drive Your Use of Frameworks
The element missing from many of these tools, and one of the most valued elements of the CAT, is the risk assessment. None of the tools mentioned above are risk assessments, nor do they replace a risk assessment. While the CAT had the inherent risk questionnaire built in, it did not replace the need for a risk assessment either. When adopting a new framework or tool, the risk assessment should be used to help institutions decide the appropriate level of maturity needed in various areas. Ultimately, your program must always be commensurate with your size, complexity, and risk profile.
Let’s consider the NIST CSF’s maturity tiers as an example. These four tiers can be used to define a target and measure progress as you work towards the risk-based target maturity tier. Your risk assessment should be used to identify your target maturity tier. Some areas may warrant more maturity than others based on your unique risk profile.
While the CRI Profile does have a high-level assessment built in, it doesn’t replace the need for a risk assessment. It simplifies how you gauge your appropriate maturity tier which is valuable. However, institutions may still be required to reach beyond their tier depending on their risk profile. The risk assessment results should still be used when evaluating what diagnostic statements are appropriate for your institution.
Building Your Program Off a Framework(s) and Conducting Self-Assessments
The difference between a framework and self-assessment is subtle but important to remember.
A framework is a set of standard guidelines and best practices intended to be used as a reference when building out your program. When aligning to a framework, you are essentially saying that your program is built off a certain standard – for example, NIST CSF 2.0.
A self-assessment is an exercise during which an institution evaluates its practices and posture against a chosen framework or standard.
You can both use the NIST CSF 2.0 as a framework and conduct a self-assessment against your use of NIST CSF 2.0 to assess your posture. The NIST CSF 2.0 is built to do this using its Tiers – you can also reference its implementation examples to drive a self-assessment. When using The Cyber Profile, the descriptions and suggested evidence can guide the self-assessment.
Regardless of which framework is used, the agencies expect institutions to self-assess against that framework on an ongoing basis, as that is how the CAT was designed to be used.
Implementing a New Framework
When transitioning to a new framework, you may be uncertain as to whether you check all its boxes and how examiners may view that. Overall, the point is to use the framework as a guiding light towards maturation. Depending on size, complexity, and risk profile, full adherence may not be expected out of the gate. Instead, the expectation is that the institution forms an understanding of where it isn’t aligned and creates plans for how to align over time, with a focus on areas of higher risk.
When conducting a self-assessment, document where you fall short and why. Is it because your risk profile doesn’t warrant a specific control being in place? Or is it something you should have in place but haven’t implemented yet? If it is something you need, create plans for remediating the shortcomings. The output of the self-assessment should essentially be a gap analysis.
Think of your framework as the destination and the output of the self-assessment as your directions for getting there. There is no one right way. However, the examiners will expect to see you’ve put thought into your cybersecurity strategy and you’re relying on an accepted standard to do so.
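The sections above describe one procedure: the risk assessment sets a target tier per area, the self-assessment records the current tier, and the output is a gap analysis that prioritizes shortfalls in higher-risk areas and can be reported back to the board as progress. The script below is an added example that walks through that procedure; it is not DefenseStorm’s, NIST’s or any examiner’s tooling. The Tier names are the NIST CSF Tiers; the area names, risk ratings and tier values are constructed sample input, and the low/moderate/high risk scale is an assumption.

```python
"""Risk-driven gap analysis against NIST CSF 2.0 Tiers.

Added example for this post; not DefenseStorm's, NIST's or any examiner's
tooling. Tier names are the NIST CSF Tiers; every area name, risk rating
and tier value below is constructed sample input.
"""
from dataclasses import dataclass

# NIST CSF Tiers, lowest to highest maturity.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
# Risk ratings from the institution's own risk assessment (assumed scale).
RISK_WEIGHT = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class AreaAssessment:
    area: str      # CSF function or category being assessed
    risk: str      # risk-assessment rating that drives the target tier
    target: int    # risk-based target Tier, set before the self-assessment
    current: int   # Tier observed during the self-assessment

    def __post_init__(self):
        # Reject tiers or ratings outside the defined scales up front.
        if self.target not in TIERS or self.current not in TIERS:
            raise ValueError(f"{self.area}: tiers must be one of {sorted(TIERS)}")
        if self.risk not in RISK_WEIGHT:
            raise ValueError(f"{self.area}: unknown risk rating {self.risk!r}")

    @property
    def gap(self) -> int:
        # Only a shortfall against the risk-based target is a gap; being
        # above target is not a finding and is reported separately.
        return max(self.target - self.current, 0)


def gap_analysis(assessments):
    """Remediation items, highest risk first, then largest shortfall first."""
    short = [a for a in assessments if a.gap > 0]
    short.sort(key=lambda a: (-RISK_WEIGHT[a.risk], -a.gap, a.area))
    return [
        {
            "area": a.area,
            "risk": a.risk,
            "current": f"Tier {a.current} ({TIERS[a.current]})",
            "target": f"Tier {a.target} ({TIERS[a.target]})",
            "tiers_to_close": a.gap,
        }
        for a in short
    ]


def progress(assessments) -> float:
    """Share of assessed areas at or above their target tier (0.0 to 1.0)."""
    if not assessments:
        return 0.0
    at_target = sum(1 for a in assessments if a.gap == 0)
    return at_target / len(assessments)


def over_target(assessments):
    """Areas exceeding their target: effort that could be reallocated, not gaps."""
    return [a.area for a in assessments if a.current > a.target]


# Constructed sample: a small institution whose risk assessment rated
# Govern and Detect high, Protect moderate, and the remaining functions low.
SAMPLE = [
    AreaAssessment("Govern (GV)", "high", target=3, current=2),
    AreaAssessment("Identify (ID)", "low", target=2, current=2),
    AreaAssessment("Protect (PR)", "moderate", target=3, current=1),
    AreaAssessment("Detect (DE)", "high", target=3, current=1),
    AreaAssessment("Respond (RS)", "low", target=2, current=1),
    AreaAssessment("Recover (RC)", "low", target=2, current=3),
]

if __name__ == "__main__":
    for item in gap_analysis(SAMPLE):
        print(item)
    print(f"areas at target: {progress(SAMPLE):.0%}")
    print("above target:", over_target(SAMPLE))
```

With the sample input, Detect is listed first (high risk, two tiers short), then Govern, Protect and Respond; Identify and Recover are at or above target, so only a third of the areas are reported as on target for the board. The ordering key encodes the post’s point that remediation plans focus on higher-risk areas before larger but lower-risk shortfalls, and the Recover result shows an area where the risk profile does not warrant the maturity already in place.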
Remember, this exercise isn’t just for your examiners. The output of a self-assessment is a valuable tool to present to the board or governing committee when discussing resource allocation. Engage the governing body with your decision on which framework and why. Once decided on, show them where you stand against it and what needs to be done to improve. Educate them on the purpose – we are selecting this framework because we believe it is the right one for our institution. We aren’t selecting it because we checked all the boxes today, but because it is a good roadmap for where we should be. Then, report back on progress as you march towards your goals.
The sunset of the CAT marks a pivotal moment for financial institutions to evolve and mature their cyber risk management strategies. As we move forward, embracing new frameworks that offer robust control systems tailored to address the complexities of today’s cyber threat landscape is crucial. By adopting government and industry resources, taking a risk-based approach, and continually self-assessing, institutions can not only comply with regulatory requirements, but also fortify their defenses against emerging threats. With the right tools and commitment to continuous improvement, financial institutions can turn this transition into an opportunity for growth.