Introduction

As technology advances, resources and tools become obsolete over time. Recently, the Federal Financial Institutions Examination Council (FFIEC) announced that it will be sunsetting its free cybersecurity tool. The Cybersecurity Assessment Tool, or CAT, will be taken down from the FFIEC website and sunset on August 31, 2025.

Because technology evolves every day, more resources and more advances are required to combat bad actors. Attackers use their own tools to bypass defenses, but the FFIEC has provided the CAT to mitigate some of these vulnerabilities and attacks. However, with the sunsetting of the CAT, other resources will be needed, especially for smaller establishments and businesses.

What was the CAT?

The Cybersecurity Assessment Tool is a free assessment tool that financial institutions can use to determine their cybersecurity preparedness and find vulnerabilities and risks. It contains two parts: the Inherent Risk Profile and Cybersecurity Maturity. However, as cybersecurity has become more advanced, the FFIEC has decided not to update it to cover more recent cyber concerns. It has become outdated and can’t keep up with current government regulations.

Alternatives to the CAT

Despite the CAT being sunset, there are plenty of other resources that can assist with your business’s cybersecurity needs. Some are free, but some are not. While the paid alternatives are always going to be better than free tools, the free tools can still help in the long run.

NIST Cybersecurity Framework 2.0

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a resource from NIST that covers six basic functions: govern, identify, protect, detect, respond, and recover. NIST CSF 2.0 is becoming the new standard across the United States.

This framework is designed for all types of organizations, regardless of size. It provides much of the same guidance as the CAT, including reducing cybersecurity risk. However, the CSF is not a one-size-fits-all solution and is not specific to financial institutions.

While the NIST CSF isn’t an assessment tool, it does provide resources for additional assistance if need be. The government provides many different tools to assist businesses with their cybersecurity posture, including informative references, implementation examples, quick-start guides, and even templates.

CISA Cybersecurity Performance Goals

Each year, the Cybersecurity and Infrastructure Security Agency (CISA) puts out Cybersecurity Performance Goals (CPGs) for businesses to follow. They are a set of critical security practices that should be a baseline for businesses and organizations. Containing benchmarks for each sector of any business, they are a thorough and important resource to use when it comes to cybersecurity. They also follow NIST’s six CSF functions.

The CPGs are meant to improve cybersecurity infrastructure and maturity and to recommend practices for technology and operations, and they are intended to be distinct from other frameworks. All of these practices will mitigate risk and lower the vulnerability of the business or organization. Further, there are sector-specific cybersecurity performance goals as well.

Third-Party Cybersecurity Firm

The most effective way to improve your cybersecurity posture is to hire a third-party cybersecurity firm to test and audit your information technology networks and controls. Even though it does cost money, an information security company can not only improve your company’s cybersecurity but also help with government regulations. Simple tests like vulnerability scanning can be relatively cheap, so there’s no reason to put them off.

There are even cybersecurity firms that can provide cost-effective services that fit the size of a business or organization. With a few scoping questions, an information security firm can provide a suitable action plan or roadmap to get the business fully protected with an excellent cybersecurity posture. A little bit of testing can go a long way when it comes to protecting your clients and business.

Conclusion

On August 31, 2025, the FFIEC will be sunsetting the free Cybersecurity Assessment Tool it has had for years. It will be taking the tool off the website and will no longer update it. Instead, it has provided alternative resources like NIST’s Cybersecurity Framework 2.0 and CISA’s yearly Cybersecurity Performance Goals. Within these resources, there are additional resources to help organizations and businesses improve their cybersecurity maturity and lessen their risks.

However, aside from the free options, there is also the choice to hire a third-party cybersecurity firm in order to protect your business. While some services can be expensive, the information security company should build a service plan that works for the business. Smaller organizations like credit unions and banks can take advantage of a lot of benefits if a cybersecurity firm shapes their roadmap.