Surveillent Cyber


FFIEC retires Cybersecurity Assessment Tool on August 31, 2025

The Federal Financial Institutions Examination Council (FFIEC) has announced the sunset of the FFIEC Cybersecurity Assessment Tool (CAT), effective August 31, 2025. FDIC-supervised financial institutions may consider using industry-developed resources to support their self-assessment activities. Financial institutions are encouraged to adopt the NIST Cybersecurity Framework (CSF) 2.0 as a replacement. This framework, introduced in February 2024, provides a comprehensive approach to managing and reducing cybersecurity risk. Additionally, institutions can leverage the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals (CPGs) and other industry-developed resources.


Our Approach

  • Migration to NIST CSF 2.0
  • Leverage CISA CPG and other related frameworks
  • CSF 2.0 Full Assessment with Reports
  • Consulting and Advisory Services

Services

  • Risk Assessment and Security Control Review
  • Secure Email
  • Infrastructure and Integration Assessment
  • Phishing Protection
  • Data Protection Identification and Review
  • Compliance and Governance Review
  • Social Media Account Protection
  • Incident History and Response Review
  • Supply Chain and Vendor Management Review

The sunset of the FFIEC Cybersecurity Assessment Tool applies to all FDIC-supervised financial institutions.

Per FFIEC guidance, financial institutions should follow the guidelines and direction established in the NIST CSF 2.0 framework. The following publications will be used in the scope of this project:

  • NIST Cybersecurity Framework (CSF) 2.0, published February 26, 2024
  • NIST CSF 2.0 Community Profiles
  • NIST SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile
  • CRI Profile for the Financial Sector (Cyber Risk Institute)
  • Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPG); CISA is in the process of updating its CPGs to align with NIST CSF 2.0


CISA's Cybersecurity Performance Goals (CPGs) are a subset of NIST CSF cybersecurity practices, selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risk to both critical infrastructure operations and the American people. These voluntary CPGs are designed to help small and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes.

The CPGs are intended to be:

  • A baseline set of cybersecurity practices broadly applicable across critical infrastructure, with known risk-reduction value.
  • A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
  • A combination of recommended practices for information technology and operational technology owners, including a prioritized set of security practices.

The CPGs are unique among control frameworks in that they consider both the risk to individual entities and the aggregate risk to the nation.