The Bedel Security Blog

The Waning Days of the CAT Arrive

Written by Brian Petzold | Sep 13, 2024

In late August, the FFIEC announced that they would sunset the Cybersecurity Assessment Tool (the “CAT”) on August 31, 2025. It had been apparent for some time that this would someday have to happen, but the announcement left me with mixed emotions. While it is true that some of the controls in the CAT were a bit long in the tooth, there were a lot of things the CAT got right. As we all work to identify an alternative framework for measuring cybersecurity maturity, I thought it would be a good idea to discuss the strengths and weaknesses of the CAT.

When the CAT was first introduced in 2015, regulators stated that completion was mandatory and would be used during exams. At the time it seemed an insurmountable assessment to complete. While called a “tool”, it was simply a PDF document that described a methodology for assessing the inherent risk of your institution (the “Inherent Risk Profile”), and then provided hundreds of controls that you would need to assess against that Inherent Risk Profile to arrive at your cybersecurity maturity level. Each institution had to study the document, then develop its own solution (usually spreadsheets) to implement the CAT. Over time, some companies (including Bedel Security) developed and distributed templates and tools to make tracking the CAT easier, but in the early days, the CAT really required development work on the part of the institution.

Once institutions did complete their initial assessments, performing periodic refreshes turned out to be easy, and the results could readily be used to demonstrate that the institution's cybersecurity maturity level was rising. While regulators did not look at the CAT nearly as much as they had warned they would, most institutions continued using the tool because it did in fact have value.

The key benefit of the CAT was that it created consistent control sets across institutions based on each institution's inherent risk level. At first, this meant that institutions needed to implement missing controls to achieve the “baseline” standard, but after that, it became a roadmap identifying what a growing institution could focus on to ensure cybersecurity strength as it grew.

If there was an overall failing of the CAT, it was that it was never updated to reflect the quickly changing cybersecurity environment. An update in 2017 did not add any new controls; it simply updated some mappings of controls back to the FFIEC booklets and added the ability to state that compensating controls existed. In 2021 the NCUA released the ACET, which mapped the CAT to NIST controls but updated only one control. While overall cybersecurity expectations exploded over the past nine years, the CAT remained stuck in 2015. Regulators amended their expectations over the years to state that institutions should use a cybersecurity framework to assess their maturity, of which the CAT was just one of many suitable assessments. It became clear that the industry would eventually need to move on.

Those of us who have not already adopted a new framework will need to do so over the next year. The FFIEC has pointed institutions towards several potential frameworks, including NIST, CISA, the Cyber Risk Institute (CRI), and the Center for Internet Security (CIS). While assessing these or others, we should be looking not only at whether the new framework includes controls, but also at whether it allows us to adjust the required controls to the inherent risk level of our institutions and to adjust them further as our institutions grow.