On June 26, 2023, the Office of the Comptroller of the Currency (OCC) published Bulletin 2023-22: Cybersecurity Supervision Work Program. Let's look at five things we think community banks should know about the Cybersecurity Supervision Work Program (CSW) exam procedures.

1. The CSW aligns with the NIST Cybersecurity Framework.

One of the biggest influencers on the CSW is the NIST Cybersecurity Framework (CSF) Version 1.1.

  • The functions are identical. Both use the same top-level headings to divide the sections: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). NIST refers to these as "functions," and the OCC CSW has done the same.

  • The categories are also identical. Both use the same categories to break down the content inside each of the functions. For example, inside the "Identify" function, you'll find categories named IT Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), and Supply Chain Risk Management (ID.SC).

  • The CSW statements parallel CSF statements. The NIST CSF was written as outcomes. The OCC CSW was written as instructions for verifying the outcomes. This means that the statements are (often) two sides of the same coin. For example, if the CSF says, "Implement ABC control," then the CSW says, "Evaluate the processes for ABC control's implementation." The statements are not one-for-one identical, but they are largely idea-for-idea.

  • The NIST CSF References are built into the program. At the end of each section, the OCC CSW shows the NIST CSF references for the section. This makes for easy comparison and provides a helpful tool for examiners to learn more about the things they are examining.

In short, the NIST CSF v.1.1 and OCC CSW go together like peas and carrots. Learn more about the NIST CSF here: https://www.nist.gov/cyberframework.

2. The CSW aligns with the FFIEC IT Examination Handbook.

There are a lot of direct and indirect references to the FFIEC IT Examination Handbook in the CSW. Specific booklets that get shout-outs include:

  • Information Security (17 references)
  • Architecture, Infrastructure, and Operations (9 references)
  • Business Continuity Management (8 references)
  • Management (7 references)
  • Audit (1 reference)
  • Development and Acquisition (1 reference)

Each section begins with a phrase that coaches examiners on where to find more information in the FFIEC booklets about the topic at hand. For example, in the "IT Asset Management" category, examiners are told to refer to the Information Security and Architecture, Infrastructure, and Operations booklets for more info.

The OCC added a "Specialty Areas" section to the end of the CSW with a category called "Secure Software Development" (SA.SD). Since NIST CSF Version 1.1 did not have a category for this topic, the CSW appears to have primarily relied on FFIEC guidance for these statements.

3. The CSW is not based on the FFIEC Cybersecurity Assessment Tool.

Since 2015, the OCC's cybersecurity examination program was based on the FFIEC Cybersecurity Assessment Tool (CAT). According to the OCC's 2022 Cybersecurity and Financial System Resilience Report to Congress (see PDF page 13), use of the CAT enabled the OCC to:

  • "Implement a consistent cybersecurity supervision framework."
  • "Monitor and measure cybersecurity preparedness across the federal banking system."
  • "Observe the range of practices across banks."
  • "Identify common areas of strength and potential control gaps."
  • "Better measure the level of preparedness across banks over time."

While the OCC CSW is no longer based on the FFIEC CAT, alignment with the NIST CSF enables the OCC to continue to meet these objectives.

4. The CSW is mapped to several industry frameworks.

One of my favorite parts about the CSW is that it comes with a Cybersecurity Supervision Work Program References tool. This tool is designed to give banks a way to map the CSW statements to existing guidance and frameworks, such as the CIS Controls and the NIST SP 800-53 controls.

Here's an example of what it looks like when you use the tool.

This is a win-win. It's helpful for OCC examiners who may want to learn more about a certain topic, and it's helpful for banks when preparing for an upcoming examination.

5. The CSW could be used as a cybersecurity framework.

Since the FFIEC CAT sunset, many financial institutions are looking for an alternate framework. Some are even asking, "Can I use the CSW as a cybersecurity framework?"

The short answer is: Maybe. But with caveats.

  • Pros: The CSW offers a structured, process-oriented way to review your cybersecurity program, identify gaps, and prepare for upcoming examinations. Its consistent approach and useful mappings can help you establish a repeatable self-assessment routine for continuous improvement.

  • Cons: Like many modern cybersecurity frameworks, the CSW is not a checklist of controls. Most of the procedures begin with verbs like "evaluate," "assess," "review," or "determine." This indicates the CSW is intended for use by someone reviewing a cybersecurity program, not someone implementing one. If you are looking for more prescriptive guidance, another framework may be a better fit.

As the OCC notes, "The CSW does not establish new regulatory expectations, and banks are not required to use this work program to assess cybersecurity preparedness." That said, if you approach it as a framework to help you evaluate your cybersecurity preparedness, it can be a useful tool for self-assessment and exam prep.

Further Reading: Learn more about using cybersecurity frameworks on our blog: What is a Cybersecurity Control Self-Assessment?

In Summary

The OCC CSW program gives community banks greater flexibility, aligns with current FFIEC guidance, and promotes a consistent cybersecurity supervision framework through its use of the NIST CSF. If you haven't seen the CSW yet:

Use the OCC CSW in Tandem

Tandem Cybersecurity Assessment makes it easy to complete cybersecurity control self-assessments using common frameworks, including the NIST CSF and the OCC CSW. Our web application streamlines the process with intuitive assessment tools, robust reporting, downloadable documents, peer benchmarking, notifications, and more.

Sign up and get started for free at Tandem.App/Cybersecurity.

 

Update Log:

  • 10/08/2025: Removed obsolete FFIEC references; added considerations for using the CSW as a framework.