FFIEC CAT tool replacement with NIST CSF 2.0

NIST CSF 2.0

The Federal Financial Institutions Examination Council (FFIEC) has announced that the Cybersecurity Assessment Tool (CAT) will be retired on August 31, 2025. The CAT was initially released in June 2015 as a voluntary tool to help financial institutions identify their risks and determine their cybersecurity preparedness. However, with the advent of new and updated government and industry resources, financial institutions now have better tools to manage cybersecurity risks. 

In recent years and going forward, one of the key resources that financial institutions can leverage is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0. The NIST CSF 2.0 was introduced on February 26, 2024, and provides a comprehensive framework for managing and reducing cybersecurity risks. It aligns with governmental agencies’ approach to improving security and resilience. The framework is designed to be flexible and can be used by organizations of all sizes and sectors. Since its release, the NIST CSF has been adopted by private companies across many industries, becoming a de facto standard for many cybersecurity professionals. 

How does NIST compare? 

The NIST CSF 2.0 offers several benefits over the retired CAT tool. First, it is more current, having been released just this year, which ensures that financial institutions are better equipped to handle the evolving cyber threat landscape. Second, the NIST CSF 2.0 is more comprehensive and covers a wider range of cybersecurity controls, such as governance and third-party risk management. This gives financial institutions a more holistic view of their cybersecurity posture, leading to better overall cybersecurity maturity. 

Another advantage of the NIST CSF 2.0 is that it is supported by other government resources, such as the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. These resources provide additional guidance and best practices for managing cybersecurity risks. Financial institutions can use these resources in conjunction with the NIST CSF 2.0 to enhance their cybersecurity programs. 

In addition to government resources, financial institutions can also consider using industry-developed resources, such as the Cyber Risk Institute’s (CRI) Cyber Profile and the Center for Internet Security Critical Security Controls. These tools can also be used alongside the NIST CSF 2.0 to provide a more robust cybersecurity assessment. 

Financial institutions should ensure that any self-assessment tools they use are effective and commensurate with their risk. While the FFIEC does not endorse any particular tool, it acknowledges that standardized tools like the NIST CSF 2.0 can assist financial institutions in their self-assessment activities. These tools are not examination programs, such as an institution would get from engaging a third-party cybersecurity advisor or consultant, but they can help financial institutions identify areas for improvement and enhance their cybersecurity posture. 

Retiring CAT marks a positive shift 

The cyber threat landscape has changed significantly since 2015, when the FFIEC introduced the CAT. The retirement of the CAT tool is a sign of progress towards more modern and comprehensive cybersecurity assessment tools. The NIST CSF 2.0, along with other government and industry resources, provides financial institutions with the necessary tools to manage and reduce cybersecurity risks effectively. By leveraging these resources, financial institutions can ensure that they are better prepared to handle the evolving cyber threat landscape and protect their critical assets. 

There are many new factors to consider. Many financial institutions opt to partner with a third-party cybersecurity advisor to ensure their first NIST CSF 2.0 assessment is accurate, comprehensive, and translates into actionable takeaways that improve their cybersecurity posture. If you are considering external support, make sure the provider has experience with both NIST CSF 1.1 and the new NIST CSF 2.0, as well as knowledge of cybersecurity in the banking and financial services industry. Adopting the new framework demonstrates your institution’s commitment to the security and safety of your customers, employees, and organization. 

For more information or if you have questions about the new NIST CSF 2.0, please contact Pawel Wilczynski. 

BNN’s Information Systems & Risk Assurance practice offers a suite of cybersecurity and risk assessment services and can assist financial institutions of all sizes in establishing and maintaining security and compliance in their IT environments. Get in touch with a member of our team to discuss what service or customized package could help you achieve your goals. 

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.