OCC Bulletin 2024-25 | August 29, 2024
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC),1 on behalf of its members, is issuing this statement to communicate that the FFIEC will sunset the Cybersecurity Assessment Tool (CAT)2 on August 31, 2025.
This statement applies to all OCC-supervised institutions.
This statement
The CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.
After much consideration, the FFIEC has determined not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. Supervised financial institutions can instead refer directly to these new government resources. CISA released Cross-Sector Cybersecurity Performance Goals in 2023 and is preparing to release Cybersecurity Performance Goals for the Financial Sector later this year. These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improve security and resilience.
Please contact Patrick J. Kelly, Director for Critical Infrastructure Policy, Operational Risk Division, at (202) 649-6550.
Grovetta D. Gardineer
Senior Deputy Comptroller for Bank Supervision Policy
1 The FFIEC members are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee.
2 The National Credit Union Administration will continue to support and encourage credit unions to use the Automated Cybersecurity Examination Tool (NCUA ACET), derived from the FFIEC CAT.