The FFIEC Cybersecurity Assessment Tool (CAT) has a rich history. The purpose of this article is to provide a comprehensive timeline of the FFIEC CAT and how its implementation has changed over the years. Bookmark this blog and be sure to come back to see updates as the topic continues to evolve.
February 2013: Presidential Executive Order 13636
On February 12, 2013, the White House released Executive Order 13636 on Improving Critical Infrastructure Cybersecurity. This document initiated the development of the NIST Cybersecurity Framework (CSF).
June 2013: FFIEC Creation of the CCIWG
On June 6, 2013, the FFIEC published a press release announcing the Cybersecurity and Critical Infrastructure Working Group (CCIWG). The press release indicated the CCIWG would do three things:
- Enhance communication among the FFIEC member agencies.
- Strengthen the activities of other interagency government groups, like the Task Force on Supervision (TFOS) and the Financial and Banking Information Infrastructure Committee (FBIIC).
- Strengthen the activities of private sector groups, like the Financial Services Sector Coordinating Council (FSSCC) and Financial Services Information Sharing and Analysis Center (FS-ISAC).
One of the first tasks they took on was the creation of a cybersecurity assessment specifically for financial institutions.
June 2014: FFIEC Cybersecurity Assessment Pilot
On June 24, 2014, the FFIEC published a press release announcing a "pilot program" for a cybersecurity assessment that would (and then did) take place at more than 500 community financial institutions. The pilot program was to be "completed during regularly scheduled examinations."
November 2014: FFIEC General Observations
On November 3, 2014, the FFIEC published a press release announcing "General Observations" from the pilot. The document highlighted themes and provided recommendations for financial institutions to consider when assessing their own cybersecurity preparedness.
March 2015: FFIEC Assessment Tool Announcement
On March 17, 2015, the FFIEC published a press release announcing their plan to "[develop and issue] a self-assessment tool that financial institutions can use to evaluate their readiness to identify, mitigate, and respond to cyber threats."
According to the FFIEC 2015 Annual Report, the TFOS IT Subcommittee had "dedicated its resources to collaborating with the CCIWG on developing the Assessment and supporting materials."
June 2015: FFIEC CAT Release
On June 30, 2015, the FFIEC published a press release announcing the publication of the FFIEC Cybersecurity Assessment Tool (CAT). The published version was released as a 59-page PDF file.
2015 – Present: OMB Requests for Comment
Upon the launch of the FFIEC CAT, the agencies encouraged financial institutions to comment on the assessment through an upcoming Paperwork Reduction Act notice in the Federal Register.
To date, the Office of the Comptroller of the Currency (OCC) has published six comment requests via Paperwork Reduction Act notices on behalf of the FFIEC member agencies:
Over the years, dozens of financial institutions, advocacy groups, private businesses, and individuals have provided feedback on the FFIEC CAT.
Comments are a matter of public record and can be seen on the Office of Management and Budget website (OMB Control Number 1557-0328) by following these steps:
- Click a link in the ICR Ref. No. column.
- Click the View Supporting Statement and Other Documents link.
- Look for the Public Comments table.
- Click a link in the Comment Document column to download the comment attachment.
July 2015: Federal Reserve Exam Program
On July 2, 2015, the Federal Reserve published Supervision and Regulation (SR) Letter 15-9: FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors. In the letter, the Federal Reserve stated:
"Beginning in late 2015 or early 2016, the Federal Reserve plans to utilize the assessment tool as part of our examination process when evaluating financial institutions' cybersecurity preparedness in information technology and safety and soundness examinations and inspections."
June 2016: FDIC InTREx Program
On June 30, 2016, the FDIC published a press release announcing the release of the Information Technology Risk Examination (InTREx) Program. While the InTREx program states financial institutions are not required to use the FFIEC CAT to assess cybersecurity preparedness, the program also states that FDIC examiners would reference the CAT's Appendix A when performing examinations.
Since its publication, the InTREx Program has been used for examinations not only by the FDIC but also by the Federal Reserve and several state banking agencies.
October 2016: FFIEC CAT Frequently Asked Questions (FAQ)
On October 17, 2016, the FFIEC published a press release announcing the publication of a Frequently Asked Questions (FAQ) guide.
May 2017: FFIEC Update to the CAT
On May 31, 2017, the FFIEC published a press release announcing an update to the CAT. The update included a revised mapping of baseline statements to the recently revised Information Security and Management booklets, as well as the addition of a new "Yes, with compensating controls" answer option.
Spring 2018: NCUA ACET
In early 2018, the NCUA published a press release announcing their plan to pilot the Automated Cybersecurity Examination Tool (ACET) in upcoming exams. The ACET was based on the FFIEC CAT. Learn more in the Tandem Blog: NCUA Automated Cybersecurity Examination Tool (ACET) Frequently Asked Questions.
May 2018: OCC IT Examination Program
On May 24, 2018, the OCC published a press release announcing their Semiannual Risk Perspective for Spring 2018. In the document, they announced the OCC had "implemented the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) into its examination process."
August 2019: FFIEC Encourages Standardized Approach
On August 28, 2019, the FFIEC published a press release encouraging financial institutions to use "a standardized approach to assess and improve cybersecurity preparedness." The FFIEC listed several possible assessment frameworks which could be used to accomplish this, including the FFIEC CAT, the FSSCC Cybersecurity Profile, the NIST Cybersecurity Framework, and the Center for Internet Security (CIS) Controls.
December 2021: NCUA ACET Software
In December 2021, the NCUA published a Letter to Credit Unions, 21-CU-15: Automated Cybersecurity Evaluation Toolbox. In the announcement, the NCUA introduced their new ACET downloadable desktop application, designed to help credit unions complete the FFIEC CAT / ACET.
July 2022: OCC Cybersecurity Report
On July 7, 2022, the OCC published a Cybersecurity and Financial System Resilience Report. The report stated:
"The OCC's cybersecurity supervision program leverages the FFIEC CAT for examinations. Use of this tool allows the OCC to implement a consistent cybersecurity supervision framework. The OCC continues to review and update existing supervisory approaches and will update the supervision program to keep pace with current cyber threats and industry practices. Use of defined cybersecurity frameworks enables the OCC to monitor and measure cybersecurity preparedness across the federal banking system. By using this approach over several supervisory cycles, examiners will continue to be able to observe the range of practices across banks, identify common areas of strength and potential control gaps, and better measure the level of preparedness across banks over time."
October 2022: Updated Cybersecurity Resource Guide
On October 3, 2022, the FFIEC published a press release announcing an update to the Cybersecurity Resource Guide for Financial Institutions. The updated guide lists additional tools, frameworks, and resources, with a focus on preparing for and responding to ransomware and other cyber incidents. While not listed in the original 2018 version, this updated version includes the FFIEC CAT.
January 2023: NCUA Information Security Examination
In January 2023, the NCUA published a Letter to Credit Unions, 23-CU-01: NCUA's 2023 Supervisory Priorities. The letter stated the NCUA had transitioned to a new examination program called the Information Security Examination (ISE). The letter stated:
"Credit unions are encouraged to remain very vigilant and continue to adapt their ability to respond to evolving cybersecurity threats. Your credit union may conduct voluntary, cybersecurity self-assessments using the Automated Cybersecurity Evaluation Toolbox. The toolbox works in coordination with and will prepare you for an Information Security Examination."
Learn more in the Tandem Blog: Credit Unions: What to Expect in Your 2023 NCUA IT Exam.
September 2022: Renewed Information Collection
On September 30, 2022, the FFIEC renewed its information collection on the FFIEC CAT with the Office of Management and Budget (OMB) through September 30, 2025.
June 2023: OCC Cybersecurity Supervision Work Program
In June 2023, the OCC published Bulletin 2023-22: Cybersecurity Supervision Work Program (CSW). This new examination program shifted focus away from the FFIEC CAT toward the NIST CSF, with mappings to a variety of industry frameworks.
August 2024: FFIEC Announces CAT Sunset
On August 29, 2024, the FFIEC published a statement announcing the sunset of their Cybersecurity Assessment Tool (CAT). The tool will be sunset on August 31, 2025. The FFIEC stated that while the CAT's security controls are "sound," there are other cybersecurity control frameworks available, such as the NIST Cybersecurity Framework (CSF) or the CISA Cybersecurity Performance Goals (CPGs).