Preparing for FFIEC CAT Sunset: Key Takeaways for Financial Institutions

The Federal Financial Institutions Examination Council (FFIEC) has announced that it will phase out its Cybersecurity Assessment Tool (CAT) by August 31, 2025. Introduced in June 2015, the CAT was designed to help financial institutions understand their cybersecurity risks and readiness. Although the security measures in the CAT remain sound, newer government and industry tools are now available for managing cybersecurity compliance. As a result, the FFIEC will remove the CAT from its website and will not update it with references to new government resources.

With these changes approaching, we want to highlight what the FFIEC is recommending, how you can prepare, and the next steps to ensure your cybersecurity program continues to improve while staying aligned with regulatory best practices.

FFIEC Recommendations

The FFIEC is encouraging financial institutions to use updated frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals. CISA released cross-sector goals in 2023 and will introduce goals specific to the financial sector soon. These resources are part of a government-wide effort to help organizations of all sizes manage and reduce cybersecurity risk. The FFIEC plans to discuss these new tools in a webinar for bankers this fall.

Financial institutions are also encouraged to consider industry-developed resources, such as the Cyber Risk Institute's (CRI) Cyber Profile and the Center for Internet Security's Critical Security Controls. These tools can be combined with other frameworks, standards, and best practices to better address an institution's cybersecurity posture. While the FFIEC does not endorse any specific tool, it emphasizes the importance of choosing those that support a strong and effective control environment appropriate to the institution's level of risk. As the threat landscape changes, examiners may focus on areas that a given tool does not cover, following a risk-based approach to evaluations.

NCUA and FDIC Examiner Advice

At Rivial, we gain valuable insights into emerging trends from examiners while supporting our clients during their exams. In the credit union space, we've noticed examiners frequently recommending that clients avoid using their new ISE tool, emphasizing that the ACET (CAT) is optional, and advising credit unions to choose an internal framework. Similarly, examiners have suggested to banks that the CAT is optional and that they, too, should select an internal framework to align with. We've found that the CIS and NIST CSF 2.0 frameworks are excellent fits for financial institutions, aligning closely with examiner requirements and examination tools.

How to Prepare:

1.) Choose a Core Framework to Align With

Start by reviewing the control framework options mentioned above and selecting the one that best suits your organization's size and maturity level. NIST CSF 2.0 includes around 100 controls, while the CIS framework offers three implementation groups to choose from, so you can start with the group that matches your current capabilities. Both frameworks have been highly effective for financial institutions. The CRI Profile, which is based on NIST, is also a strong option for financial institutions.

2.) Perform an Initial Assessment

Gather the appropriate stakeholders and use your existing control answers from the CAT to conduct an initial gap analysis against the new framework. This gives you an estimate of your current compliance. Keep in mind that this is only a rough estimate; you will need to collect and review evidence before making a definitive determination of whether each control is implemented.

3.) Map the Framework to the Required Evidence

To validate your controls and prepare for audits, map your chosen framework to the evidence items that prove each control is in place. You can do this in a spreadsheet, in a project management tool, or in the Rivial platform, where frameworks are pre-mapped. By mapping the same evidence to other frameworks such as PCI, FedLine, NCUA ISE, and FDIC InTREx, you gather evidence once and can demonstrate compliance across multiple frameworks.

4.) Assign Evidence to Designated Owners

Once your framework is mapped to the evidence, assign each evidence item to the person responsible for that security area. For example, if the evidence item is a screenshot of the anti-virus configuration, assign it to the person responsible for managing and implementing the anti-virus software.

5.) Periodically Gather and Validate Evidence

Financial institutions often face last-minute stress when preparing for audits. To avoid this, gather the required evidence regularly throughout the year. This proactive approach confirms that each control in your chosen framework is in place and gives you time to make adjustments, so you are prepared when an unannounced audit occurs.

6.) Review Evidence and Create Action Plans

As evidence is gathered, review it to determine whether each control's requirements are met. This lets you create remediation and action plans for any controls that are not adequately implemented, well before your audit, and helps prevent unexpected findings.

7.) Report and Manage Progress

Regularly report your progress and compliance status to your risk/audit committee and Board of Directors. Share updates on your compliance with the framework you are tracking, as well as progress on any control action plans. Key items to report include current compliance, changes in compliance over defined periods, and the status of your remediation plans.

Optimize Your Compliance Approach

At Rivial, we have pre-mapped key control frameworks such as FFIEC CAT, NIST CSF 2.0, CIS Top 18, PCI, ACET, NCUA ISE, CRI Profile, and many others to the required evidence within our Platform. Switching frameworks is as simple as selecting the new framework you want; the evidence is already mapped and gathered, which eliminates 80% of the time and effort required to switch frameworks. If you'd like to see this in action or simplify your transition, schedule a time with us.
