IT Examiner School eBook May 2025

Internal Use Only

FFIEC CAT Tool

Internal Use Only

Cybersecurity Assessment Tool (CAT) • The FFIEC developed the CAT to help institutions to identify their cyber and IT security risks and determine their cybersecurity maturity. • Institutions were required to assess their inherent risk levels and domain maturities as defined by the CAT. • In late 2024, the it was announced that the CAT was being sunset by August 2025. • Institutions are still required to assess their cybersecurity posture using a formal methodology. Example methodologies include third party assessments, and resources from NIST. • On February 26, 2024, NIST released the NIST Cybersecurity Framework (CSF) 2.0. The framework is a good reference when assessing cybersecurity.