Beyond the CAT: Building on a Foundation That Lasts

Introduction

As most bankers know by now, the FFIEC Cybersecurity Assessment Tool (CAT), first released in 2015, will officially sunset on August 31, 2025. That leaves many banks with a critical question: *What comes next?*

The task ahead isn’t just about picking a new assessment tool—it’s about laying the foundation for your entire cybersecurity program moving forward. And with that decision comes the equally important job of implementing it across your institution. It's a heavy lift, which makes it all the more important to get started now.

At Bedel Security, we spent time carefully evaluating our options. We looked at a number of available frameworks and scored them across key factors like comprehensiveness, long-term viability, relevance to the banking industry, ease of implementation, and how actionable they are. That process helped us narrow the field pretty quickly.

In the end, one framework stood above the rest: NIST-CSF.

In this post, we’ll walk through the reasons why we chose the NIST Cybersecurity Framework, and hopefully help you move one step closer to making your own decision.

1. The Rosetta Stone of Frameworks
   When the FFIEC hosted its webinar announcing the sunset of the CAT, one detail caught our attention: their repeated reference to the NIST Cybersecurity Framework (NIST-CSF) as the “Rosetta Stone” of cybersecurity frameworks.
   
   That wasn’t just a passing comment. It was a strong signal.
   
   What they meant is this: NIST-CSF serves as a universal translator. Most major frameworks—whether they're industry-specific, proprietary, or regulatory—map back to NIST-CSF in some way. In fact, the FFIEC themselves aligned many components of the CAT to NIST-CSF when the tool was first released.
   
   So by choosing NIST-CSF, you’re not painting yourself into a corner. You’re aligning your program to a flexible, adaptable framework that can evolve with the industry. Whether regulators, vendors, or examiners come in with different models in the future, you’ll already be speaking the language they understand.
   
   In our view, that makes NIST-CSF a smart, strategic starting point—especially in a landscape that’s only getting more complex.
2. It's Comprehensive
   
   One of the biggest reasons we leaned toward NIST-CSF is its depth. It doesn’t just focus on technical controls or regulatory compliance. It takes a holistic view of cybersecurity—one that covers governance, risk management, controls, detection, response, and recovery.
   
   Unlike more narrowly scoped tools, NIST-CSF prompts institutions to think broadly. It encourages alignment between business context, leadership roles, asset management, third-party relationships, and incident response—all critical areas that community banks can’t afford to overlook.
   
   That said, we recognize that its broad scope can be a challenge, especially for smaller institutions. The framework itself doesn’t adjust based on asset size or complexity, which means banks will need to do some work to scale it appropriately. That’s something we’re actively addressing in how we adopt NIST-CSF internally and with our customers.
   
   But if you’re looking for a framework that truly covers the full cybersecurity lifecycle and supports long-term program maturity, NIST-CSF gives you that foundation.
3. It’s Transferable
   
   While our primary focus is banking, we also recognize that cybersecurity doesn’t stop at the edges of our industry. Threats, vendors, partners, and regulatory expectations often cross sector boundaries, which is why we saw value in adopting a framework that does the same.
   
   NIST-CSF is used across industries—from healthcare to energy to critical infrastructure. That broad adoption gives it staying power and makes it easier to collaborate with partners, auditors, and vendors who may already be working within the same structure.
   
   At the same time, we know banking is a unique industry with specific expectations and risks. That’s why, as we roll out NIST-CSF internally and with our customers, we’re making sure each control and outcome is framed with banking-specific context. We’re not simply adopting a generic framework—we’re adapting it with intent.
   
   The foundational structure of NIST-CSF gives us consistency when working across industries, but we’re committed to tailoring it so that it speaks directly to the needs of community banks.
4. It’s the Foundation for Others
   
   As we evaluated the options, something became clear: many of the other frameworks we considered—including those designed specifically for the financial sector—were built directly on top of the NIST Cybersecurity Framework. They added scoring models, dashboards, and bank-specific overlays, but the core structure remained NIST-CSF.
   
   That includes the FFIEC CAT itself. When it was first released in 2015, the CAT was largely modeled after the original NIST-CSF. In many ways, banks have already been using a version of this framework—it’s just been abstracted through the lens of the FFIEC.
   
   So rather than adopt a repackaged version, we chose to go straight to the source. This gives us a deeper understanding of how our program is built, more flexibility in how we implement it, and full control over how we adapt it for our customers.
   
   We’re not opposed to the layered tools—they can offer value in certain contexts. But if the CAT was built on NIST-CSF, and newer tools are too, it only made sense to build directly on the foundation that everything else is standing on.
5. Licensing and Access
   
   While most frameworks outside the public domain allow free, non-commercial use by banks, they often come with restrictions around how they can be shared, modified, or reported on. For individual institutions, that may not pose an issue. But for firms like ours, who implement and manage frameworks on behalf of multiple clients, those limitations quickly become a barrier.
   
   We found that several frameworks imposed constraints that would have made it difficult to deliver the kind of value our customers have come to expect from us. Whether it was limits on tailoring the content, formatting reports, or embedding the framework into our broader service model, those restrictions didn’t align with the way we serve our clients.
   
   That’s part of why NIST-CSF made so much sense.
   
   Because it’s in the public domain, we have the freedom to evolve and adapt it, whether in response to emerging threats, shifting regulatory requirements, or advancements in best practices. That flexibility is critical to helping banks stay ahead without being held back.
   
   We want to deliver value without constraints. NIST-CSF gives us the room to do exactly that.

Conclusion

Choosing a new cybersecurity framework to replace the FFIEC CAT isn’t a decision to take lightly. It’s not just a checkbox—it’s the foundation for how your institution will manage risk, demonstrate oversight, and respond to the evolving threat landscape in the years ahead.

At Bedel Security, we took the time to evaluate multiple options through the lens of what matters most: relevance to the banking industry, long-term viability, implementation flexibility, and the ability to deliver clear value to our customers. For us, NIST-CSF rose to the top.

It’s comprehensive. It’s adaptable. And it gives us the freedom to enhance and apply it in a way that truly fits community banking.

We’ll continue to share more in the coming months, both on how we’re implementing NIST-CSF and how banks can make the transition with clarity and confidence.