Moving beyond the FFIEC cybersecurity assessment tool

December 18, 2025

By Noah Lennon, CCSP, CISA, consultant; Anthony Kniss, IT manager; and Brian Kienzle, CISSP, OSCP, senior consultant, Young & Associates

The Federal Financial Institutions Examination Council (FFIEC) retired the Cybersecurity Assessment Tool (CAT) on August 31, 2025, citing progress as the rationale for the change.

While acknowledging that the security controls within the CAT remain fundamentally sound, the Council has determined that, “Several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.”

The tool that we are seeing most prominently to succeed the CAT is the Cyber Risk Institute’s CRI Profile. This tool is based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) 2.0. The CRI Profile was developed specifically with financial institutions in mind, including additional considerations such as core processing, online/mobile banking, and third-party risk management.

This decision signals a coordinated, whole-of-government effort to enhance security and resilience across all critical infrastructure sectors, including finance. The shift encourages institutions to move from proprietary assessment tools to nationally recognized standards.

New Reference Point: NIST CSF

The NIST Cybersecurity Framework is a set of cybersecurity practices for IT, prioritized for risk reduction. While the CSF is applicable across all critical infrastructure sectors, other frameworks such as the CRI Profile and the upcoming CISA CPGs for financial services have adapted it to align with the regulatory requirements of the financial sector.

For small and midsize institutions with limited resources, a prioritized baseline for cybersecurity is invaluable. The NIST CSF helps cut through complex control lists and guides leadership to focus on the most effective actions first. The outcomes in the framework form a security baseline, representing the essential practices every critical infrastructure entity should adopt. NIST based these outcomes on their demonstrated ability to reduce risk from the most significant and frequent threats.

By establishing this foundational baseline, institutions can ensure they have addressed their most pressing information security threats. The next step is to integrate this baseline into a more comprehensive program structure, a role filled by the CRI Profile.

Building a Mature Program: The CRI Profile

While the CISA CPGs offer immediate, actionable steps, the CRI Profile, based heavily on the NIST CSF 2.0, provides the full structure needed to create a sustainable, risk-based cybersecurity program that addresses both operational and strategic needs.

  • Holistic Risk Management: The CRI Profile provides guidance and a taxonomy of high-level cybersecurity outcomes applicable to any organization, regardless of its size, sector, or maturity. Organizations can leverage the CRI Profile to build a holistic risk management program.
  • The Seven Functions: The CRI Profile Core is organized into seven functions, as depicted in Fig. 1.
  • Resources for Smaller Organizations: The CRI Profile includes features emphasizing governance and supply chains. Critically for CFIs, the Cyber Risk Institute provides a Guidebook that distills specific portions of the Profile into actionable “first steps” to help ensure the Profile is relevant and readily accessible to smaller organizations.
  • Mapping: Every security practice in the Profile is mapped to a corresponding subcategory in the NIST CSF. This helps to provide assurance that the practices are mature and peer-reviewed by cybersecurity professionals across all industries.

Source: The NIST Cybersecurity Framework (CSF) 2.0

Other Applicable Resources

In addition to the NIST CSF and CRI Profile, supervised financial institutions may also use industry-developed tools like the CISA CPGs or CIS Security Controls.

Community financial institutions must ensure their self-assessment tool supports an effective control environment and matches their risk. Standardized tools can help with self-assessments, but FFIEC members focus on a risk-based approach during examinations. As cyber threats evolve, examiners may review areas not covered by all tools.

Aligning with the FFIEC Audit Framework, the following table maps key FFIEC audit expectations to the specific solutions provided by this integrated framework approach.

Aligning with new frameworks proves the transition from the CAT is not a break from FFIEC principles, but a deeper commitment to them using more effective tools. This change helps build a defensible cybersecurity program grounded in the same language and standards as expected by regulators. Adopting these frameworks is a strategic step to reduce risk and improve governance across the institution.

Moving Beyond Compliance to Resilience

The withdrawal of the FFIEC CAT marks a pivotal and positive development for community financial institutions. This change empowers organizations to employ tools that are actively maintained and more aligned with the modern threat landscape.

Young & Associates offers IT audit expertise to help financial institutions navigate the transition from the FFIEC CAT. Our team supports effective control assessments and alignment with current regulatory frameworks to strengthen cybersecurity programs and governance. Reach out today to have our experts help your institution navigate this change.
