Sunset of FFIEC Cybersecurity Assessment Tool

The Federal Financial Institutions Examination Council (FFIEC) issued a statement to communicate the August 31, 2025, sunset of the FFIEC Cybersecurity Assessment Tool (CAT).

Highlights:

The CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness.

While fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.

The FFIEC has determined not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals.

The FFIEC will remove the CAT from its website on August 31, 2025.

FDIC-supervised financial institutions may consider the use of industry-developed resources to assist in self-assessment activities.

These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improve security and resilience.

Per FFIEC guidance, financial institutions should use the guidelines and direction established in NIST CSF 2.0. The following is a list of publications that will be used in the scope of this project:

  • NIST Cybersecurity Framework (CSF) 2.0, Publish Date: February 26, 2024
  • NIST CSF 2.0 Community Profiles
  • NIST SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile
  • CRI Profile for the Financial Sector – Cyber Risk Institute 
  • Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPG) – CISA is in the process of updating its CPGs to NIST CSF 2.0 

Let us know if you need help navigating these changes. Contact us at 1-888-977-7824 or info@surveillentcyber.com.