Lora Vaughn | Vaughn Cyber Group
The FFIEC CAT Is Gone. Now What?

community-banks ffiec compliance nist-csf risk-management

If you’ve been using the FFIEC Cybersecurity Assessment Tool to anchor your security program, you already know: it’s gone. The FFIEC officially retired the CAT, and it’s not coming back.

The good news? Your work wasn’t wasted. The bad news? The transition isn’t automatic, and examiners aren’t going to wait while you figure it out.

Here’s what’s actually happening, what your examiners expect, and what to do next.

Why the CAT Got Retired

The CAT was released in 2015. For a lot of community banks, it was the first real cybersecurity self-assessment they’d ever used. It did its job. It got banks thinking about inherent risk profiles and cybersecurity maturity in a structured way.

But it also created some bad habits.

Banks started treating the CAT as the program. Fill in the spreadsheet. Match the maturity level to the risk profile. Show the board. Check the box. Move on.

The FFIEC recognized this. The tool was being used as a compliance artifact, not a risk management process. And the threat landscape had moved well past what a 2015 assessment could capture. Cloud adoption, remote work, AI, third-party ecosystems, ransomware-as-a-service. None of that was on the radar when the CAT was designed.

So they sunset it and pointed the industry toward established frameworks instead.

What Examiners Are Looking For Now

Here’s where most banks get confused. The FFIEC didn’t replace the CAT with a new tool. They said: use a recognized framework. Specifically, they pointed to:

  • NIST Cybersecurity Framework (CSF) 2.0
  • CIS Controls (particularly Implementation Group 1 for smaller banks)
  • The FFIEC IT Examination Handbook (which was always the real standard)

Your examiner is going to want to see that your security program is mapped to one of these. Not just referenced. Mapped. That means you can point to a control in NIST CSF and show what you’re doing to address it, what evidence supports it, and where your gaps are.

The days of “we did the CAT and scored Evolving” are over. Examiners want to see a living security program with clear alignment to a recognized framework.

What This Doesn’t Mean

It doesn’t mean you need to start over.

If you’ve been doing real security work, most of what you’ve built still applies. Access controls, incident response plans, vendor risk assessments, training programs. All of that maps directly to NIST CSF or CIS Controls. You’re not rebuilding. You’re re-labeling and filling gaps.

It also doesn’t mean you need to hire a consulting firm to come in and do a six-month assessment. That might make sense for larger institutions, but if you’re a $2B community bank with a four-person IT team, you need a practical path. Not a project plan that costs more than your annual security budget.

The Practical Transition: Five Steps

1. Pick your framework. For most community banks under $10B, NIST CSF 2.0 is the right choice. It’s what regulators reference most, it maps well to FFIEC expectations, and it has a clear structure (Govern, Identify, Protect, Detect, Respond, Recover). If you’re smaller and want something more prescriptive, CIS Controls IG1 gives you a concrete checklist.

2. Map what you already have. Take your existing controls, policies, and procedures and map them to your chosen framework. You’ll find that 60-70% of what you’ve been doing already fits. The CAT wasn’t useless. It just wasn’t organized the way examiners want to see things now.

3. Identify real gaps. Once you’ve mapped what exists, the gaps become obvious. Common ones for community banks: the Govern function in NIST CSF 2.0 (which is new and covers board oversight, risk strategy, and supply chain), continuous monitoring, and metrics that actually tell you something.

4. Document your risk assessment process. This is the part examiners care about most. Not the tool you used. The process. How do you identify risks? How do you prioritize them? How do you track remediation? If your answer was “we ran the CAT once a year,” that’s what needs to change.

5. Build a roadmap your board can understand. Your board doesn’t need to know the difference between CSF Identify and CSF Protect. They need to know: where are we, where do we need to be, and what’s it going to take to get there. Frame it that way. A clear, one-page maturity summary with a prioritized action plan goes further than a 40-page assessment report.

The New “Govern” Function Matters

NIST CSF 2.0 added a sixth function: Govern. This is worth calling out because it’s new, it’s important, and most banks aren’t doing it well.

Govern covers organizational context, risk management strategy, roles and responsibilities, policies, and oversight. In plain terms: who owns cybersecurity at your bank, how does the board stay informed, and is there a documented strategy that connects security decisions to business risk?

If your board gets a security update once a year during an audit committee meeting, that’s not going to cut it. Examiners are looking for regular reporting, clear accountability, and evidence that security decisions are informed by actual risk, not just whatever the IT director thinks is important.

This is the function where having someone in a CISO role, even part-time, makes a material difference.

Don’t Wait for the Next Exam

The worst time to figure this out is when your examiner asks for it. If you haven’t started the transition yet, start now. Pick the framework. Map what you have. Identify the gaps. Build a plan.

The CAT gave community banks a starting point ten years ago. What comes next should be better: a security program built around your actual risks, aligned to a framework that evolves with the threat landscape, and documented in a way that satisfies examiners and actually protects your institution.

That’s the goal. Not another spreadsheet. A real program.


If your bank needs help making this transition, or you’re not sure where the gaps are, that’s exactly what I help community banks with. I also put together a free Community Bank Security Kit with practical tools to get started.

Need Help Getting Exam-Ready?

Vaughn Cyber Group helps community banks build security programs that satisfy examiners and actually protect your institution.

Consulting services are delivered through Vaughn Cyber Group.