The Retirement of the CAT as a Cybersecurity Framework
The FFIEC Cybersecurity Assessment Tool (CAT) has been a go-to resource for financial institutions for nearly a decade. Since the FFIEC officially announced the retirement of the CAT, many financial institutions are left asking the same question: What do we do next?
In their Sunset Statement, the FFIEC pointed toward a few solid options: The NIST Cybersecurity Framework (CSF), the CISA Cybersecurity Performance Goals (CPGs), the Cyber Risk Institute (CRI) Profile, and the Center for Internet Security (CIS) Controls.
During a recent webinar about the retirement of the CAT, we polled over 420 financial institutions to understand how they plan to respond. The results provide a helpful window into what's next for the industry and which frameworks may rise in popularity as the CAT retires.
When Will Financial Institutions Make the Switch?
To start, we asked the simple question: When do you plan to transition to another framework?
Nearly half of financial institutions are proactively preparing to switch frameworks in the coming months. That's a strong signal that institutions are taking this transition seriously and understand that sticking with an unsupported framework after 2025 isn't a viable option.
Which Frameworks Are Financial Institutions Considering?
Next, we asked which frameworks from the Sunset Statement institutions are most likely to adopt as a replacement.
According to the survey, nearly half of all respondents are choosing the NIST CSF as their top replacement, with a near-even spread of preference across the remaining three frameworks.
Because the FFIEC is encouraging institutions to choose a framework that fits their size, risk profile, and overall security needs, we analyzed responses by both asset size and organization type.
Across all asset sizes, the NIST CSF consistently came out on top. Institutions in the $250–500 million and $1–5 billion ranges showed the highest preference for NIST CSF, with over half indicating it as their likely choice.
The CRI Profile and CISA's Cybersecurity Performance Goals (CPGs) saw moderate interest, particularly among smaller institutions. Larger institutions showed slightly more openness to the CIS Controls, especially in the over $5 billion category.
Banks and credit unions both showed a strong preference for NIST CSF. Interestingly, credit unions showed higher-than-average interest in the CIS Controls, while banks leaned more heavily toward the CRI Profile. For other financial institutions, NIST CSF was clearly the front-runner, with nearly two-thirds selecting it.
These findings align with other industry trends. The NIST CSF currently remains the most widely adopted framework in community financial institutions, thanks to its broad support, flexible design, and public availability. The FFIEC has also referred to the NIST CSF as a public domain framework, which can reduce both cost and complexity when compared to proprietary models.
It is important to note here that the NCUA has stated its plan to continue supporting the CAT, as it is the basis for the NCUA's Automated Cybersecurity Evaluation Toolbox (ACET). We recognize that our data might have looked significantly different for credit unions if the ACET had been included in this survey. Still, though credit unions aren't required to switch, it is interesting to see their preferences among the four frameworks mentioned by the FFIEC.
Comparing the Frameworks
Now that you know which frameworks financial institutions are considering and when, here is a brief overview of each of these four frameworks:
NIST Cybersecurity Framework (CSF): A flexible, outcomes-based framework that pioneered five core functions used by many other frameworks: Identify, Protect, Detect, Respond, and Recover. This makes it easy to track maturity over time, though its open-ended nature may require more interpretation and internal decision-making.
CIS Controls: A highly prescriptive and widely adopted framework that offers detailed technical controls (safeguards) and implementation groups to allow for tiered adoption. However, the controls often require significant time, effort, and resources to fully implement.
CRI Profile: A comprehensive, financial-sector-specific framework focused on cyber resilience and risk alignment; however, its depth and detail can make it more time-intensive and difficult to self-assess.
CISA Cybersecurity Performance Goals (CPGs): A lightweight, public-domain framework focused on prioritized and measurable goals (outcomes), but it may lack the depth needed for more mature programs or complex security needs.
Keep in mind that these are not the only cybersecurity frameworks out there. Since the FFIEC is not requiring the use of any one framework, the choice of framework should be institution-specific.
If you're looking for a more thorough resource for choosing your next framework, read our in-depth breakdown of each one. If you still can't decide, take our free "Which Cybersecurity Framework Should I Choose?" quiz.
Tools to Help Choose and Implement a New Framework
For financial institutions trying to decide what's next, Tandem's Cybersecurity Assessment Software is designed to help you evaluate, select, and implement your next cybersecurity framework.
If you're just getting started, Tandem offers a free version of the Cybersecurity Assessment Software. This version allows you to:
- Enable frameworks, including the four we mentioned here
- Create assessments
- Compare with peers
- Review dashboards and reports
- Send reminders with tasks
If you do not currently use Tandem Cybersecurity Assessment, you can sign up for free or watch a demo.