FFIEC Sunsets The Cybersecurity Assessment Tool (CAT)

Jonny Gold
Updated on: September 16, 2025
Steps Your Organization Should Take Now

The Federal Financial Institutions Examination Council (FFIEC) retired its Cybersecurity Assessment Tool (CAT) on August 31, 2025. This self-assessment resource, used by financial institutions to gauge cybersecurity risk and readiness, won’t be updated going forward.

The FFIEC launched CAT in 2015 to help organizations measure their exposure to risk and assess their cyber preparedness. Since then, US government and industry standards bodies have created a new generation of cybersecurity frameworks and resources, such as NIST CSF 2.0 and CISA’s Cybersecurity Performance Goals.

In 2024, the FFIEC began recommending the adoption of these newer frameworks and announced its intention to sunset CAT and remove it from its website.

Here’s what this announcement means for your organization and which tools are best to move forward with instead. 

What you will learn

  • What is FFIEC CAT
  • Why FFIEC is retiring CAT
  • Which frameworks are available to replace CAT
  • The tools you can use instead of CAT
  • How CalCom can help you

Adopting New Frameworks

FFIEC said that a significant factor in its decision was the release of newer cybersecurity frameworks created by the two US government bodies, NIST and CISA. 

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): CSF 2.0 was created to meet the cybersecurity needs of organizations from the smallest non-profit to medium-sized enterprises to national governments. CSF is designed to manage every type of risk, including finance, privacy, and technology. It details clear security outcomes and who within an organization is responsible for achieving them, and it outlines a flexible approach that can be customized to meet the risks and threats facing financial institutions.

In parallel with CSF, FFIEC recommends using the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals (CPG). These provide practices for building baselines to measure risk and protect critical infrastructure. In Q4 2025, CISA is set to release a revised CPG version tailored for the financial sector to help institutions align their security planning with CSF 2.0, benchmark practices against federal standards, and manage cybersecurity threats.

FFIEC also recommends the Center for Internet Security (CIS) Controls. CIS is an IT industry body that sets standards for cybersecurity. CIS Controls are a comprehensive set of resources that include guidance, controls, and documents that can help you at every step in the process. To help with the transition, you can download this spreadsheet that maps CAT to CIS Controls.

Deploying New Tools

While CAT rides off into the sunset, its close cousin remains open for business. Despite the FFIEC’s announcement, the National Credit Union Administration (NCUA) has no intention of shuttering its Automated Cybersecurity Examination Tool (ACET). It will continue to develop and support the tool for the foreseeable future. NCUA has plans to extend ACET to support other frameworks, such as CSF 2.0. ACET shares many similarities with CAT and offers additional reporting capabilities. Although intended as a tool for federally regulated credit unions, it is suitable for use by a wide range of institutions, including banks and non-financial institutions. 

In addition to ACET, you can try out the CIS Controls Self Assessment Tool (CIS CSAT Pro). CSAT Pro tracks resources and manages their deployment. Not only does it help you implement your security roadmap, but you can also use it to upload and share resources, such as documents, files, and policies. The tool is designed for use in both external and internal auditing processes, enabling you to measure your progress against industry standards. Unlike ACET, CSAT is only available to CIS members.

Key Takeaways

  • FFIEC Cybersecurity Assessment Tool (CAT) retired at the end of August 2025. FFIEC will no longer update or support the tool.
  • FFIEC suggests migrating to NIST CSF 2.0, CISA CPGs, and CIS Controls instead.
  • A tailored CPG version for the financial industry is expected in Q4 2025 to align with CSF 2.0.
  • ACET continues to be supported and may expand to include CSF 2.0.
  • It’s essential to have a transition plan and begin migrating your risk assessment and processes.

Moving Forward

For regulated industries, like personal finance, dealing with cybersecurity can feel like being between a hammer and an anvil. The hammer is the relentless pace of industry change and the constant onslaught of new threats. The anvil is the strict regulations you are subject to. In this environment, any tool that helps you through the process is welcome. For the decade it existed, CAT provided welcome assistance to US banks, credit unions, and the financial services industry. Those who depended on it will miss it. However, new times call for new measures, and as we have demonstrated, there are good resources that will fill the vacuum left by CAT. These tools, such as CSF, CIG, ACET, and CSAT, can do the things that CAT did and much more besides. By sunsetting CAT, FFIEC has paved the way for organizations to implement dynamic and comprehensive risk management, prevention, and mitigation strategies.

How CalCom Can Help You

Even with the tools and frameworks discussed in this post, implementing your cybersecurity strategy, complying with federal regulations, and deploying server hardening baselines will involve manual processes. Manually hardening systems is a complex, time-consuming process that is prone to errors. IT teams must carefully assess dependencies, test configurations, and continuously monitor for drift, all while balancing other operational priorities.

CalCom’s Hardening Suite (CHS) is a baseline hardening solution designed to address the needs of IT operations and security teams. CHS significantly reduces operational costs and eliminates service downtime by indicating the impact of a security baseline change directly on the production environment. CHS’s automated process simulates the effect of a change in a production environment, thus saving the need for testing changes in a lab environment. CHS enables you to:

  • Deploy security baselines without affecting the production services.
  • Reduce the costs and resources for implementing compliance.
  • Manage hardening baselines for your entire infrastructure from a single point.
  • Avoid configuration drifts and repeated hardening processes.

To learn more, go to our resources page and download our datasheets and white papers. 

FAQs

What is the Cybersecurity Assessment Tool (CAT)?
The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) helps organizations measure their exposure to risk and assess their cyber preparedness.
Why is CAT being retired?
CAT has not kept pace with the evolving cybersecurity landscape. The FFIEC is shifting focus to align institutions with industry-recognized frameworks like NIST Cybersecurity Framework (CSF) and others that better address today’s threats.
How will this change affect financial institutions?
Institutions that relied on the CAT for regulatory alignment and internal assessments will need to transition to alternative frameworks. Examiners may expect to see evidence of risk management practices mapped to NIST CSF or other standards.
What steps should organizations take now?
Automated solutions simplify framework mapping, reduce manual effort, and ensure continuous compliance for audits.
What are the advantages of CalCom's automated hardening solution?
CHS is a hardening solution that automates baseline enforcement, simulates changes before deployment, prevents configuration drift, and reduces manual hardening errors.
Jonny Gold
Jonathan Gold has over twenty-five years of experience working in the software industry. Over his career, he has worked in documentation, support, software development, content creation, and marketing. He has also worked in large enterprises, medium-sized businesses, and startups, in a diverse range of market sectors, including enterprise software, cybersecurity, and fintech.

About Us

Established in 2001, CalCom is the leading provider of server hardening solutions that help organizations address the rapidly changing security landscape, threats, and regulations. CalCom Hardening Suite (CHS) is a security baseline hardening solution that eliminates outages, reduces operational costs, and ensures a resilient, constantly hardened, and monitored server environment.
