Replacing the FFIEC CAT: What do we do after CAT's nine lives have expired?

Trevor Foo
Jorge Santiago
April 8, 2025

Introduction

For a decade, the FFIEC Cybersecurity Assessment Tool (CAT) served as the cornerstone of cybersecurity risk assessment for financial institutions across the United States. Released in 2015, the CAT helped banks, credit unions, and other depository institutions assess their cybersecurity preparedness, align their security posture with industry best practices, and demonstrate compliance during regulatory examinations. As the threat landscape has evolved, however, institutions of varying sizes need more adaptive, comprehensive, and forward-looking frameworks than the CAT provides.

In August 2024, the FFIEC announced it would formally retire the CAT on August 31, 2025, and remove it from its website. The decision reflects a broader shift across financial regulatory agencies toward modern, flexible frameworks such as the NIST Cybersecurity Framework (CSF) 2.0 and CISA's Cybersecurity Performance Goals (CPGs). Institutions are strongly encouraged to begin transitioning now, as continued reliance on the CAT will no longer meet regulatory expectations after that date.

This transition marks a pivotal moment for institutions to reassess their cybersecurity strategies and ensure they are aligned with emerging risks, regulatory expectations, and industry best practices.

This insight provides an overview of the shift from CAT to NIST CSF 2.0 and outlines the steps institutions should take now as they navigate the change effectively.

Why is the FFIEC sunsetting its CAT?

When the CAT was first introduced, it provided financial institutions with a practical, easy-to-use tool to measure their cybersecurity preparedness. The tool translated complex cybersecurity concepts into accessible language and helped institutions benchmark their risk exposure and control maturity.

Over time, however, CAT's limitations became increasingly apparent:

  • Stagnation: The CAT has not received significant updates since its initial release, while cyber threats and technology have advanced considerably.
  • Rigid structure: The tool's static design does not easily accommodate the rapidly evolving nature of cyber risk or the differing sizes and complexities of institutions.
  • Assessment-only focus: The CAT measured maturity rather than guiding implementation and improvement of controls, offering limited direction on how to strengthen cybersecurity capabilities beyond the evaluation itself.

The FFIEC emphasized that although the CAT was helpful, it had become inadequate because of the lack of updates and its limited scope, particularly in areas such as supply chain risk, governance, and continuous monitoring. With frameworks like NIST CSF 2.0 providing broader and more detailed coverage, the FFIEC opted not to revise the CAT and instead encourages adoption of newer, more adaptable tools.

What tool do we use now?  

Financial institutions still need to assess their cybersecurity preparedness, and several options exist. CISA offers Cross-Sector CPGs, which are particularly useful for smaller institutions seeking a simplified, high-impact set of priorities; sector-specific financial services CPGs are expected in 2025. The Cyber Risk Institute's CRI Profile provides a structured, financial-sector-specific tool aligned with the NIST CSF and offers a mapping from the FFIEC CAT for easier transition. The CIS Critical Security Controls (CIS Controls v8) can be used to implement technical controls aligned with NIST CSF outcomes.

In its statement announcing the change, the FFIEC noted that it did not endorse any particular tool; however, in our opinion, the NIST CSF 2.0 provides the broadest coverage and flexibility.

The NIST CSF was first released in February 2014 and was updated to version 2.0 in February 2024. Unlike the CAT, the NIST CSF offers a comprehensive and flexible framework for managing cybersecurity risk, with an emphasis on continuous improvement and scalability for organizations of all sizes and complexities.

[Figure: The six Functions of NIST CSF 2.0, with Govern at the center. Source: NIST]

The six core functions of NIST CSF 2.0:

  • Govern – Establish, communicate, and monitor the organization's cybersecurity risk management strategy, expectations, and policies; new in 2.0 and informing the other five Functions.
  • Identify – Understand the organization's current cybersecurity risks to its assets, people, data, and suppliers.
  • Protect – Apply safeguards that manage cybersecurity risk and limit the likelihood or impact of adverse events.
  • Detect – Find and analyze possible cybersecurity attacks and compromises.
  • Respond – Take action on a detected cybersecurity incident to contain its impact.
  • Recover – Restore assets and operations affected by a cybersecurity incident.

CSF 2.0 encourages an iterative, risk-based approach that allows financial institutions to continuously assess and strengthen their cybersecurity posture as threats and technologies evolve.

NIST has also published Quick Start Guides, a CSF 2.0 Reference Tool, Implementation Examples, and Community Profiles to help organizations adopt the framework efficiently. Institutions can begin by mapping their CAT results to CSF 2.0 and identifying areas, such as governance, supply chain risk, and continuous improvement, that the CAT did not address in detail.

Steps financial institutions should take now

The transition from CAT to NIST CSF requires careful planning and execution. Here are key actions institutions should consider taking immediately:

1. Perform a CAT-to-CSF mapping and gap analysis

  • Map your most recent CAT assessment to NIST CSF 2.0 (or your selected framework) to determine what areas are already covered and where gaps exist—especially in areas not emphasized in the CAT such as governance, supply chain risk, and third-party dependencies.

2. Select a replacement framework that fits your institution

  • Consider your institution's size, complexity, and maturity level. NIST CSF 2.0 is broadly applicable, while the CRI Profile may be better for those seeking a CAT-like experience with direct mappings. Smaller institutions may use CISA's CPGs as a near-term baseline.

3. Engage key stakeholders

  • Cybersecurity is not just an IT concern; it is an enterprise-wide issue. Institutions should involve senior management, boards of directors, risk officers, and IT leaders in developing a comprehensive cybersecurity risk management strategy aligned with the CSF.

4. Develop a transition plan

  • Establish a structured roadmap to move from CAT to the NIST CSF. This should include:
    • A gap analysis to identify where existing controls fall short.
    • A risk assessment to prioritize areas of highest concern.
    • A resource allocation plan for staffing, technology, and training needs.

5. Enhance cybersecurity governance

  • Governance is a central focus of NIST CSF 2.0. Institutions should formalize cybersecurity policies and ensure clear accountability for cyber risk management at all levels of the organization.

6. Invest in continuous improvement

  • One of the primary advantages of the NIST CSF is its emphasis on continuous improvement. Institutions should adopt practices for ongoing monitoring, assessment, and enhancement of cybersecurity capabilities, including the use of automated tools and threat intelligence, rather than treating the assessment as a periodic, point-in-time exercise.

7. Prepare for regulatory expectations

  • Institutions should document their transition strategy, demonstrate board and executive awareness, and be prepared to discuss their chosen framework and improvements with examiners. Regulators have made clear that CAT alone will not be sufficient after August 2025, and that institutions must adopt a dynamic and risk-based cybersecurity program.  
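The mapping and gap analysis described in steps 1 and 4 is easier to reason about when the rollup is made explicit. The following is an added example written for this article, not a tool published by the FFIEC, NIST, or CRI: it takes a constructed set of CAT declarative statement results (the statement ids, wording, and their mapping to CSF 2.0 Categories are hypothetical, not the CRI Profile mapping), rolls them up to real NIST CSF 2.0 Category identifiers, and reports which Categories have no CAT evidence at all and which fall below a target maturity. The Category list is a subset of the framework, abbreviated for readability.

```python
"""CAT-to-CSF 2.0 gap analysis over a constructed, hypothetical mapping (example code)."""
from collections import defaultdict

# Real NIST CSF 2.0 Function and Category identifiers (subset; the full
# framework has additional Categories under several Functions).
CSF_CATEGORIES = {
    "GV": ["GV.OC", "GV.RM", "GV.RR", "GV.PO", "GV.OV", "GV.SC"],
    "ID": ["ID.AM", "ID.RA", "ID.IM"],
    "PR": ["PR.AA", "PR.AT", "PR.DS", "PR.PS", "PR.IR"],
    "DE": ["DE.CM", "DE.AE"],
    "RS": ["RS.MA", "RS.AN", "RS.CO", "RS.MI"],
    "RC": ["RC.RP", "RC.CO"],
}

# CAT maturity levels, lowest to highest (real CAT terminology).
MATURITY = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]

# CONSTRUCTED sample input: statement id -> (description, maturity level the
# institution last attested to, CSF 2.0 Categories the statement evidences).
# Ids, wording and mapping are hypothetical, not the CRI or FFIEC mapping.
CAT_RESULTS = {
    "S01": ("Board oversight of cybersecurity program", "Evolving", ["GV.OV", "GV.RR"]),
    "S02": ("Information security policy approved and reviewed", "Baseline", ["GV.PO", "GV.RM"]),
    "S03": ("Risk assessment updated for new products and technology", "Intermediate", ["ID.RA"]),
    "S04": ("Threat intelligence received and acted on", "Evolving", ["ID.RA", "DE.CM"]),
    "S05": ("Asset inventory maintained", "Intermediate", ["ID.AM"]),
    "S06": ("Access controls enforce least privilege", "Intermediate", ["PR.AA"]),
    "S07": ("Privileged access reviewed periodically", "Baseline", ["PR.AA"]),
    "S08": ("Data encrypted in transit and at rest", "Intermediate", ["PR.DS"]),
    "S09": ("Annual security awareness training", "Advanced", ["PR.AT"]),
    "S10": ("Anomalous activity detection and logging", "Evolving", ["DE.CM", "DE.AE"]),
    "S11": ("Third-party due diligence before contracting", "Baseline", ["GV.SC"]),
    "S12": ("Incident response plan documented", "Evolving", ["RS.MA", "RS.CO"]),
    "S13": ("Incidents analyzed for root cause", "Evolving", ["RS.AN"]),
    "S14": ("Recovery plan tested", "Evolving", ["RC.RP"]),
    "S15": ("Recovery communications defined", "Baseline", ["RC.CO"]),
}


def gap_analysis(cat_results, target="Intermediate"):
    """Roll CAT statement results up to CSF 2.0 Categories.

    A Category's level is the LOWEST maturity among the statements mapped to it
    (conservative: one weak statement drags the whole Category down). Categories
    with no mapped statement are reported as 'unmapped'; those are the places the
    CAT had nothing to say (here GV.OC, ID.IM, PR.PS, PR.IR, RS.MI).
    """
    target_rank = MATURITY.index(target)
    evidence = defaultdict(list)
    for sid, (_desc, level, cats) in cat_results.items():
        for cat in cats:
            evidence[cat].append((sid, MATURITY.index(level)))

    report = {}
    for func, cats in CSF_CATEGORIES.items():
        for cat in cats:
            entry = {"function": func, "evidence": [s for s, _ in evidence.get(cat, [])]}
            if cat not in evidence:
                entry.update(status="unmapped", lowest=None, shortfall=None)
            else:
                lowest = min(rank for _, rank in evidence[cat])
                shortfall = max(0, target_rank - lowest)
                entry.update(status="ok" if shortfall == 0 else "below_target",
                             lowest=MATURITY[lowest], shortfall=shortfall)
            report[cat] = entry
    return report


def function_summary(report):
    """Count Categories per Function by status, for a board-level rollup."""
    summary = {}
    for entry in report.values():
        counts = summary.setdefault(entry["function"],
                                    {"total": 0, "unmapped": 0, "below_target": 0, "ok": 0})
        counts["total"] += 1
        counts[entry["status"]] += 1
    return summary


def prioritize(report):
    """Remediation order: unmapped Categories first (no evidence at all), then
    below-target Categories by size of the maturity shortfall (ties keep
    framework order, since dict insertion order follows CSF_CATEGORIES)."""
    unmapped = [c for c, e in report.items() if e["status"] == "unmapped"]
    below = [c for c, e in report.items() if e["status"] == "below_target"]
    below.sort(key=lambda c: -report[c]["shortfall"])  # stable sort
    return unmapped + below


if __name__ == "__main__":
    rep = gap_analysis(CAT_RESULTS)
    for func, counts in function_summary(rep).items():
        print(func, counts)
    for cat in prioritize(rep):
        e = rep[cat]
        print(f"{cat}: {e['status']} (lowest={e['lowest']}, evidence={e['evidence'] or '-'})")
```

Two design choices matter for examiners. First, taking the weakest mapped statement as the Category's level avoids overstating coverage when one strong statement and one weak statement map to the same Category. Second, "unmapped" is reported separately from "below target": an unmapped Category is not a low score, it is an absence of evidence, and it is exactly where the governance, supply chain, and improvement gaps the FFIEC cited will surface.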

Conclusion

The retirement of the FFIEC Cybersecurity Assessment Tool marks a distinct shift in how financial institutions manage cybersecurity risk. While the transition to the NIST Cybersecurity Framework may seem daunting, it presents an opportunity for institutions to modernize their approach, enhance resilience, and foster a culture of continuous improvement.

Financial institutions can better protect themselves, their customers, and the broader economic ecosystem from the ever-growing array of cyber threats by proactively embracing the NIST CSF and aligning cybersecurity efforts with evolving regulatory expectations.

Institutions can refer to the NIST website and our recent update on the NIST Quick Start Guide for additional resources and guidance on the NIST CSF. For regulatory updates, visit the FFIEC cybersecurity awareness site.  

Trevor Foo
Managing Director
tfoo@socorropartners.com
+1.954.778.6633
Jorge Santiago
Managing Director
jsantiago@socorropartners.com
+1.787.587.9120

Glossary of terms

Abbreviation    Full name
NIST            National Institute of Standards and Technology
FFIEC           Federal Financial Institutions Examination Council
CAT             Cybersecurity Assessment Tool
CSF             Cybersecurity Framework
CPGs            Cybersecurity Performance Goals
CRI             Cyber Risk Institute
CISA            Cybersecurity and Infrastructure Security Agency
CIS             Center for Internet Security
IT              Information technology