The Federal Financial Institutions Examination Council (FFIEC) has announced the sunsetting of its Cybersecurity Assessment Tool (CAT) framework. In alignment with this change, the FFIEC framework will be deprecated in the Apptega Platform on September 4, 2025.
The FFIEC Cybersecurity Assessment Tool, first released in 2015, was designed to help financial institutions measure inherent risks and assess cybersecurity maturity. While it has served as a widely used resource, the FFIEC has decided to sunset the tool and shift focus toward more flexible, modernized frameworks that reflect today’s cybersecurity and regulatory landscape.
Alternatives Recommended by the FFIEC
Although the FFIEC is retiring the CAT, it has directed institutions to consider transitioning to other established frameworks that provide more current and adaptable approaches to cybersecurity and compliance. Recommended alternatives include:
- NIST Cybersecurity Framework (CSF) 2.0 – A flexible and widely recognized framework designed to address evolving cyber threats and risk management practices.
- CIS Controls – A prescriptive and prioritized set of cybersecurity best practices that can complement or serve as a standalone framework.
What This Means in Apptega
- Beginning September 4, 2025, the FFIEC framework will be deprecated in the Apptega Platform, meaning it will no longer be available as a supported option for creating new programs.
- Any programs already created using the FFIEC framework will remain accessible in customer environments, but they will not receive future updates, maintenance, or Apptega support.
- Customers with specific internal needs for the FFIEC framework may request that it be uploaded into their tenant. In these cases, as with existing FFIEC-based programs, the framework will be provided as-is without support.
Strategic Next Steps for Customers
Apptega already provides full support for both NIST CSF 2.0 and CIS Controls, enabling customers to make a seamless transition to these recommended alternatives within the platform. By leveraging these actively supported frameworks, organizations can ensure continued alignment with regulatory expectations, access to ongoing updates, and the benefit of Apptega’s customer support.
Framework Comparison: FFIEC CAT vs. NIST CSF vs. CIS Controls
Feature / Focus Area | FFIEC CAT | NIST CSF 2.0 | CIS Controls |
---|---|---|---|
Primary Purpose | Assess inherent risk and measure cybersecurity maturity for financial institutions | Flexible framework for managing and reducing cybersecurity risk across all sectors | Prescriptive set of prioritized technical and operational security practices |
Industry Scope | Financial sector (banks, credit unions, examiners) | All industries, cross-sector | All industries, with emphasis on practical, technical control implementation |
Structure | Inherent risk profile + maturity domains | Five Core Functions (Identify, Protect, Detect, Respond, Recover) | 18 prioritized controls across organizational, technical, and operational domains |
Regulatory Alignment | Tailored to financial examiners | Mapped to global standards (ISO, COBIT, CIS, etc.) | Mapped to NIST CSF, ISO, PCI DSS, and other frameworks |
Update Status | Sunset by FFIEC, no further updates planned | Actively updated (latest version CSF 2.0 released 2024) | Actively updated (latest version CIS v8 released 2021) |
Complexity / Flexibility | Structured and specific to financial institutions | Highly flexible, adaptable to organization size and risk profile | Prescriptive and actionable, ideal for technical teams and baseline security |
Support in Apptega | Deprecated as of September 4, 2025 | Fully supported | Fully supported |