On June 26, 2023, the Office of the Comptroller of the Currency (OCC) published Bulletin 2023-22: Cybersecurity Supervision Work Program (which they are abbreviating as CSW).
Changes in cybersecurity exam programs are rare. Because of this, when a new work program is released, it is important to look at the changes and ask: What can I learn from this and how can I be ready for upcoming exams?
One thing we learned is that the OCC shifted the program to be better aligned with the NIST Cybersecurity Framework and FFIEC IT Examination Handbook. While it is not based on the FFIEC CAT anymore, the program is mapped to several industry frameworks. The program is not a framework itself, but there are still things community banks can do to be ready for it.
Let's understand this all more clearly by looking at five things we think community banks should know about the new exam procedures.
1. The CSW aligns with the NIST Cybersecurity Framework.
One of the biggest influences on the CSW is the NIST Cybersecurity Framework (CSF) version 1.1. Here's what I mean by that.
- The functions are identical. Both use the same top-level headings to divide the sections: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC). NIST refers to these as "functions," and the OCC CSW has done the same.
- The categories are also identical. Both use the same categories to break down the content inside each of the functions. For example, inside the "Identify" function, you'll find categories named IT Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), and Supply Chain Risk Management (ID.SC).
- The CSW statements parallel CSF statements. The NIST CSF was written for practitioners. The OCC CSW was written for examiners. This means that the statements are (often) two sides of the same coin. For example, if the CSF says, "Implement ABC control," then the CSW says, "Evaluate the processes for ABC control's implementation." The statements are not one-for-one identical, but they are largely idea-for-idea.
- The NIST CSF References are built into the program. At the end of each section, the OCC CSW shows the NIST CSF references for the section. This makes for easy comparison and provides a helpful tool for examiners to learn more about the things they are examining.
In short, the NIST CSF v.1.1 and OCC CSW go together like peas and carrots. Learn more about the NIST CSF here: https://www.nist.gov/cyberframework.
Further Reading: NIST is currently in the process of updating the CSF to version 2.0, so it will be interesting to see if/how the OCC CSW will keep pace when the updated CSF is released.
2. The CSW aligns with the FFIEC IT Examination Handbook.
There are a lot of direct and indirect references to the FFIEC IT Examination Handbook in the CSW. Specific booklets that get shout-outs include:
- Information Security (17 references)
- Architecture, Infrastructure, and Operations (9 references)
- Business Continuity Management (8 references)
- Management (7 references)
- Audit (1 reference)
- Development and Acquisition (1 reference)
Each section begins with a phrase that coaches examiners on where to find more information in the FFIEC booklets about the topic at hand. For example, in the "IT Asset Management" category, examiners are told to refer to the Information Security and Architecture, Infrastructure, and Operations booklets for more info.
The OCC also added a "Specialty Areas" section to the end of the CSW with a new category called "Secure Software Development" (SA.SD). Since the NIST CSF does not currently have a category for this topic, the CSW appears to have primarily relied on FFIEC guidance for these statements.
Further Reading: Four of the FFIEC IT booklets were excluded from the CSW: Outsourcing Technology Services (OTS), Retail Payment Systems (RPS), Supervision of Technology Service Providers (TSP), and Wholesale Payment Systems (WPS). Based on trends we've seen, this exclusion seems to be intentional. Here's why:
- The FFIEC agencies (including the OCC) have been shifting towards principles-based concepts in their guidance. The RPS and WPS booklets are system-based, not principles-based. Learn more about this concept in our blog: FFIEC Rescinds the E-Banking Booklet.
- The OTS and TSP booklets are outdated, having been released in 2004 and 2012, respectively. While the FFIEC has said they're working on an update to the TSP booklet (see PDF page 36), three of the federal banking agencies recently partnered to release new and up-to-date third-party risk management and fintech due diligence guidance. The OCC CSW opts to reference both new guidance documents in the supply chain category (page 5) instead of the FFIEC booklets.
3. The CSW is not based on the FFIEC Cybersecurity Assessment Tool.
Since 2015, the OCC's cybersecurity examination program had been based on the FFIEC Cybersecurity Assessment Tool (CAT). According to the OCC's 2022 Cybersecurity and Financial System Resilience Report to Congress (see PDF page 13), use of the CAT enabled the OCC to:
- "Implement a consistent cybersecurity supervision framework."
- "Monitor and measure cybersecurity preparedness across the federal banking system."
- "Observe the range of practices across banks."
- "Identify common areas of strength and potential control gaps."
- "Better measure the level of preparedness across banks over time."
Alignment with the NIST CSF enables the OCC to continue to meet several of these objectives. That said, unlike the FFIEC CAT, the NIST CSF was not designed to be an industry benchmark.
A lot of the CSW is up to the examiner to evaluate, assess, and interpret. This could ultimately be seen as a benefit for the banks being supervised, but it does involve the OCC forgoing some of their ability to objectively "measure" the industry's cybersecurity preparedness.
Further Reading: The OCC seems to be following in the footsteps of the NCUA with their shift away from the FFIEC CAT as the central pillar of the examination process. While financial institutions continue to be encouraged to assess their cybersecurity preparedness using a tool like the CAT, it does raise the question: What's Next for the FFIEC CAT? Read our article on the topic.
4. The CSW is mapped to several industry frameworks.
One of my favorite parts about the CSW is that it comes with a nifty new Cybersecurity Supervision Work Program References tool. This tool is designed to give banks a way to map the CSW statements to existing guidance and frameworks, such as the FFIEC CAT and the NIST SP 800-53 controls.
Here's an example of what it looks like when you use the tool.
This is a win-win. It's helpful for OCC examiners who may want to learn more about a certain topic, and it's helpful for banks when preparing for an upcoming examination.
Learn more and use the tool now: https://www.occ.gov/topics/supervision-and-examination/bank-operations/bit/cybersecurity-supervision-work-program-references.html
5. The CSW is not a framework in and of itself.
While certain examination programs are written like a framework, the CSW is a little different.
According to the OCC, "The CSW does not establish new regulatory expectations, and banks are not required to use this work program to assess cybersecurity preparedness."
We can validate this since every bulleted statement on the CSW begins with a word like "evaluate," "assess," "review," or "determine." The statements also place a heavy emphasis on the word "processes." For example, "evaluate the processes" and "assess the processes."
In other words, while the CSW can be used to help you get an idea for what your examiners may expect, it is not a list of controls to implement. It is a document filled with guidelines to help a reviewer determine how and to what extent your bank has implemented applicable controls.
The ultimate reminder I want to leave you with is this: The CSW was written for examiners, not practitioners.
In Summary
The OCC has taken big steps forward with the new CSW program. This new work program:
- Provides a lot more flexibility for community banks.
- Better aligns with (and includes) current FFIEC recommendations.
- Supports the OCC's objectives of implementing a consistent cybersecurity supervision framework, since it is largely based on the NIST CSF.
If you haven't seen the new program yet, download it now: https://www.occ.gov/news-issuances/bulletins/2023/bulletin-2023-22a.pdf.
Additional Resources to Help You Prepare
If you are looking for a place to get started in preparing for your next OCC examination, I'd love for you to check out Tandem. Tandem is a cybersecurity governance, risk management, and compliance (GRC) application, designed to help community banks improve their information security, stay in compliance, and lower overhead costs.
If you'd like to learn more about how Tandem can help you, download our NIST Cybersecurity Framework and Tandem Mapping. This mapping identifies areas in Tandem where NIST CSF topics are addressed.
Learn more about how Tandem can help you at https://tandem.app.