The CAT is Retiring – What Now?

August 25, 2025
Rich Whyrick, MCP, ITIL/F, CBISO


Back in August of 2024, we posted a tip about the FFIEC ending support for the Cybersecurity Assessment Tool (CAT) in 2025 (see “FFIEC Sunsetting Cybersecurity Assessment Tool (CAT) in 2025”).  While many of you may have celebrated this decision, it has left something of a void in the security process of many institutions.  Yes, it was a chore to go through, line by line, answering almost five hundred questions to gauge your security posture.  However, if you took the time to answer each question carefully and honestly, you likely came away with a better understanding of where there were gaps and where you were doing well, as intended.


So, what now?  The CAT sunset of August 31, 2025, is upon us.


As you might imagine, this conundrum has elicited a lot of head scratching and soul searching. OK, maybe that is a bit of a stretch; we haven’t seen much soul searching related to this matter. However, the head scratching is fully warranted, as there has been very little guidance since the original announcement. In that statement, they did call out CISA’s “Cybersecurity Performance Goals for the Financial Sector,” which were supposed to be released in 2024; however, as noted here (https://www.cisa.gov/cross-sector-cybersecurity-performance-goals), the Financial Services Sector-Specific Goals (SSGs) now have a target availability of “Winter 2025.”


Uh-oh.  There’s that soul searching.  Your shoulders just drooped, your head fell forward a little, then you raised your eyes skyward, asking anyone that may be listening, “What the heck am I supposed to do now?”  And you are asking this because as far back as Q4 2024 your regulatory examiners told you that it was time to start looking for a CAT replacement. 


If you have ever worked your way to the back pages of one of our reports, you already know we perform roughly 250 audits on an annual basis.  It is a safe wager that since September 2024 we have been asked this question in about 90% of them, “What are other institutions doing to replace the CAT?”  And our response has likely been, “They’re asking what other institutions are doing.”  And yes, now it is time for some more soul searching.


Not surprisingly, we were starting to wonder ourselves where institutions were landing on this question, so we did an internal poll back at the beginning of April to try to get an understanding.  Keep in mind that this is by no means scientific, and the sample size is small.  We asked clients, and the following is based on our team recalling those client interactions. 


At the time of the poll (early April), 71% of clients were observed to still be relying on the CAT. When asked if they were actively working on replacing the CAT, roughly 50% of clients had started to tackle it. Finally, we asked clients which frameworks they were considering, and while there was a diverse mix, the CRI Cyber Profile did stand out at about 50% of the total, indicating some momentum, which would be expected for a framework focused on financial institutions. But let’s not assume that the CRI Profile is the right choice for your organization; let’s take a high-level look at all the frameworks:


NIST Cybersecurity Framework (CSF) 2.0

  • The CSF is composed of the following elements:
    • CSF Core – A hierarchy of Functions, Categories and Subcategories. In our reports we include the NIST CSF references, as follows: Govern (GV), Identify (ID), Protect (PR), Detect (DE), Respond (RS), Recover (RC).
    • CSF Organizational Profiles – Describe an institution’s current and/or target cybersecurity posture.
      • Current Profiles reflect the institution’s current Core outcomes.
      • Target Profiles display the institution’s desired outcomes and take into account anticipated changes to the cybersecurity posture.
    • CSF Tiers – Characterize an institution’s cybersecurity risk governance and management practices.
      • Tiers are broken down into four categories: Partial, Risk-Informed, Repeatable, Adaptive.


Cyber Risk Institute’s Cyber Profile v2.1

  • Of all the referenced tools, this one feels the most “CAT-like.” Excel-based, it starts with a nine-question “Impact Tiering Questionnaire” that determines whether your institution has National/Super-National Impact (Tier 1), Sub-National Impact (Tier 2), Sector Impact (Tier 3), or Localized Impact (Tier 4). Each step up in tier number results in fewer questions needing to be answered.
  • Once you have determined your institution’s tiering level, you proceed to the Assessment tab, select the proper Target Assessment Level (Tier 1-4), filter on the “To Be Assessed” items, and then answer each question as is relevant to your institution.
  • You will likely notice that, despite all the tabs in the CRI Profile worksheet, it is really just a prettied-up version of the NIST CSF 2.0 controls.
  • One bonus it offers is an assessment worksheet for Cloud-based assets, which is not seen in any of the other frameworks.
  • More information is available here: https://cyberriskinstitute.org/the-profile/


Center for Internet Security Controls (CIS)

  • This is the last tool referenced in the FFIEC sunset statement. You may recognize it as the former CIS Top 20 Controls (now CIS Top 18).
  • Like the CRI Cyber Profile, it uses tiering in the form of three Implementation Groups (IG1, IG2, IG3), which are based on the institution’s risk profile. Unlike the CRI Cyber Profile, the tiering goes down rather than up: the lower the group, the fewer questions that need to be answered.
  • One criticism of the CIS Controls is that they do not include any controls specific to risk assessments. However, there is a separate Risk Assessment Method (CIS RAM) available that assesses risk against the CIS Controls.
  • Another criticism of CIS is that it does not include any business continuity controls.
  • More information is available here: https://www.cisecurity.org/controls


CISA Cybersecurity Performance Goals

  • As noted above, the Financial Services SSGs are forthcoming. However, there is already something of a framework available, which includes the following four primary goals:
    • Information Sharing – Sharing of cybersecurity data across industry sectors.
    • Best Practices – Use of best practices and common approaches to improve risk management efficacy and information security posture.
    • Incident Response and Recovery – Collaborating with several federal and state agencies to formulate recovery strategies.
    • Policy Support – Initiatives that advance security and resiliency priorities.
  • More on that here: https://www.cisa.gov/sites/default/files/publications/nipp-ssp-financial-services-2015-508.pdf
  • However, it would make sense to keep an eye out for the release of the Financial Services SSG, as it is likely to be more comprehensive and more financial services-focused than the current version.
  • Also, CISA is working to align the Cross-Sector Cybersecurity Performance Goals with NIST CSF 2.0.


Others

  • There are many third-party tools out there, but because of the uncertainty about whether they will meet FFIEC expectations we will not be covering any of those.


So, four pages in and you are probably wondering, “Well, which one should we use?” The answer is – well, that’s a great question, but there is no easy button. Each of the tools discussed has its benefits and challenges. As you have seen, several are based on the NIST CSF 2.0 framework, so maybe it makes sense to simply adopt it? That depends! Each institution has different capabilities, varying availability of staff, and different skill levels (I’m looking at you, grizzled bookkeepers), which makes it difficult to ascertain which is truly “the best.” Some may also find that a combination of these tools is necessary.


Without clear guidance from the FFIEC or the regulators, right now it’s a best effort to try to find the tool that benefits your institution the most. However, what is certain is that as of August 31, 2025, the CAT will no longer be available to download. And almost as certain is that, from September 1, 2025, regulators will likely expect that you’ll have made a decision and adopted one, filled it out to the best of your ability, and they will want to review it as part of your next exam.


So, knuckle down, kick some tires, get a feel for which framework (or frameworks) you think best fits your institution’s needs, and decide.  If you find that you’re not pleased with the outcome of the one you chose, you can always try another one.


Happy CAT replacement.  And soul searching.


Neovera SV (formerly 10-D Security) is an independent firm specializing in IT security and compliance for financial institutions. We help clients mitigate risk and comply with GLBA requirements, offering tailored services and expertise to strengthen cybersecurity programs.

We can help: connect with the SV Team.