The Cybersecurity Assessment Tool (CAT) sunsets August 31, 2025. Rather than update the CAT to reflect new government resources, the Federal Financial Institutions Examination Council (FFIEC) will instead refer banks and other financial institutions directly to those new resources. These well-established frameworks enable organizations to assess and manage their cybersecurity risk, but implementation time and cost may guide you to one framework over another.
This overview of the four leading cybersecurity frameworks can help your institution determine which approach best fits your risk profile, resources and compliance requirements.
Potential FFIEC CAT Replacements
NIST Cybersecurity Framework (CSF)
Introduced in 2014 as an executive order during the Obama administration, the NIST Cybersecurity Framework is a set of voluntary guidelines designed to help organizations assess and improve their ability to prevent, detect and respond to cybersecurity risks. The latest version, CSF 2.0, was issued in 2024 and includes guidance for various sectors, including the financial industry and government, to enhance their cybersecurity posture. It can be used across industries and even across organizations as a comprehensive model to evaluate all risks, not just the information security risks addressed by the original CSF.
The updated CSF 2.0 also adds the Govern function, which aligns the other functions by putting them into perspective so they can be prioritized appropriately. The framework’s core functions, which are shared across the frameworks covered in this blog, are:
- Govern
- Identify
- Protect
- Respond
- Recover
The framework is organized into functions, categories and subcategories, offering intuitive, actionable guidance while enabling flexibility for each institution to tailor controls to its unique needs.
Key Benefits:
- Flexibility to tailor the framework to your organization’s needs; it can be treated as a living document that evolves over time
- Freely available
- Cybersecurity risk response recommendations
- Its non-prescriptive nature leaves more room for improvement tailored to your institution
Additional Features:
- Organizational Profiles track adopted controls and their maturity levels.
- CSF Tiers measure the sophistication of controls in place.
- Implementation Guidance provides clear examples and interpretation without dictating exact requirements.
CISA Cybersecurity Performance Goals (CPGs)
The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the U.S. Department of Homeland Security responsible for protecting critical infrastructure from physical and cyber threats. Cybersecurity Performance Goals (CPGs) are voluntary practices that outline the highest-priority baseline measures businesses and critical infrastructure owners of all sizes can use to protect themselves against cyber threats. Financial-sector-specific goals are due to be released in the winter of 2025.
Developed using CISA operational research on the current threat landscape, CPGs organize recommended security practices by the NIST CSF functions (Govern, Identify and so on). CPGs were developed with a focus on critical infrastructure, and while they may be relevant to financial institutions, it’s worth considering each of the available methodologies to ensure you’re proceeding with the framework that most closely addresses your institution’s risk profile and goals.
NIST CSF references, scope, external and supporting references, cost, impact and complexity are all included in the guiding documents, giving you the information you’ll need as you consider implementing these security practices.
Key Benefits:
- Ease of implementation due to guiding document breakdown of cost, scope and more
- Built for critical infrastructure owners
- Based on NIST CSF functions
- Specific guidance for financial institutions scheduled to be released winter 2025
Cyber Risk Institute (CRI) Cyber Profile
The Cyber Risk Institute (CRI) is a not-for-profit coalition of financial institutions and trade associations. The Cyber Risk Profile is a freely downloadable framework based on the NIST and ISO frameworks and developed with both regulators and cyber standards in mind. Some features may only be available with a membership, but there’s still a lot of free content to take advantage of. It’s designed to be usable and beneficial for institutions supervised by multiple agencies, including international agencies, and for those with less internal infrastructure, such as smaller financial institutions that still want a credible, standardized self-assessment framework.
The profile is driven by organizational responses to the Impact Tiering questionnaire. It scales to a firm’s impact on the global economy based on a series of nine questions, which focus on systemic impact rather than asset size. Once you know your tier, you can evaluate the profile accordingly and find the references assigned to your tier within the assessment tool. The tiers are:
- Tier 1 – International or supranational impact. Covers the largest organizations, those that are the most complex and globally intermingled
- Tier 2 – Subnational impact. Covers organizations at the national level that are slightly less complex and not global
- Tier 3 – Sector impact. Covers a specific sector or area less than the national level
- Tier 4 – Localized impact. Covers organizations that answered no to all questions in Tiers 1 through 3
Once an organization knows its tier, it can use the CRI assessment tool to document its assessment rationale and provide supporting evidence. Over 2,500 cybersecurity-related regulatory requirements are incorporated into the profile, which harmonizes them into 318 “diagnostic statements.” A diagnostic statement is the control-type language you will adhere to if it applies to your tier. The assessment tool also includes response guidance and examples so you can see what your prescribed actions might look like and what evidence you could potentially provide.
Center for Internet Security (CIS) Controls
Formed to help a variety of industries achieve compliance with frameworks such as NIST or HIPAA, the Center for Internet Security (CIS) developed the CIS Controls along with tools and processes that allow for easier implementation of those frameworks. With a SecureSuite membership, organizations can take advantage of the following:
- Automated Scans – You can automate the scan/assessment of your IT systems and software configuration settings against CIS Benchmarks. These scans are typically completed in just a few minutes, saving the hours that would otherwise be spent manually reviewing the configurations.
- Tailored CIS Benchmarks – You can use the CIS Workbench to tailor benchmarks to your organization’s unique needs, allowing for a more accurate assessment of your environment.
- Automated Remediation – Save company time and resources by using CIS Build Kits to rapidly implement CIS Benchmark recommendations through GPOs or Linux scripts.
- Active Monitoring/Tracking – The CIS-CAT Pro dashboard grants you access to reporting for trend analysis and enables monitoring for configuration drift.
- Implementation Assessment – Conduct, track and assess your implementation of the CIS Controls. You can also opt in to score sharing and compare your company against industry averages.
When you examine your options as you prepare to move away from the CAT, it’s important to consider the scope of the change as defined by your organization’s needs, the cost of the process, and the availability of subject matter experts you can draw on for change management. In terms of the effort involved, ease of implementation favors CPG, then CSF, followed by CIS, with CRI requiring the most effort.
You should also consider how examiners will see the processes you’ve put in place following the CAT sunset as part of your replacement decision. Ask yourself questions like, “Have we taken the steps necessary to secure our environment?” and “Are we in a situation where we can effectively communicate our current state?”
Anders Banking and Financial Institutions advisors work closely with clients to scale cybersecurity efforts based on your organization’s needs, easily adapting to any specific project requirements. Learn more about how our advisors can help your institution implement new cybersecurity frameworks, and the associated costs, by requesting a meeting below.
Abe Babler, MBA, Audit and Assurance Principal, also contributed to this blog post.