
Cybersecurity Assessment Tool


The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, is issuing this statement to communicate that the agencies will sunset the Cybersecurity Assessment Tool (CAT) on August 31, 2025.

The CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.

The FFIEC will remove the CAT from the FFIEC website on August 31, 2025. After much consideration, the FFIEC has determined not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. Supervised financial institutions can instead refer directly to these new government resources. CISA released Cross-Sector Cybersecurity Performance Goals in 2023 and is preparing to release Cybersecurity Performance Goals for the Financial Sector later this year. These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improve security and resilience.

Supervised financial institutions may also consider use of industry-developed resources, such as the Cyber Risk Institute’s (CRI) Cyber Profile and the Center for Internet Security Critical Security Controls. These tools can be used in conjunction with other resources (e.g., frameworks, standards, guidelines, leading practices) to better address and inform management of continuously evolving cybersecurity risk. Supervised financial institutions should ensure that any self-assessment tool(s) they utilize support an effective control environment and are commensurate with their risk.

While the FFIEC does not endorse any particular tool, these standardized tools can assist financial institutions in their self-assessment activities. The tools are not examination programs and the FFIEC members take a risk-focused approach to examinations. As cyber risk evolves, examiners may address areas not covered by all tools.

Cybersecurity Assessment Tool Sunset Date: 08/31/2025

 
