Cybersecurity Without the Checklist: Adapting to the CAT’s Sunset
By Rob Foxx
2025 is already shaping up to be an unpredictable year for banks. The 2024 announcement of the retirement of the FFIEC Cybersecurity Assessment Tool (CAT), scheduled for August 2025, has been a major concern for IT and information security management.
The advantage of the CAT was its clarity — it clearly stated requirements and allowed institutions to set defined goals based on their maturity level. However, the tool also had significant drawbacks. It was not based on any existing security frameworks — of which there are many — and it had not been updated since its initial publication in 2015. Additionally, many examiners and auditors used it as a rigid checklist without considering that compensating controls, which meet or exceed a given requirement, could be acceptable.
Over the years, variations of the CAT were developed and maintained by industry professionals. Notably, the Automated Cybersecurity Assessment Tool (ACAT) by the Financial Services Sector Coordinating Council (FSSCC) (now discontinued), the Automated Cybersecurity Examination Tool (ACET) developed by the National Credit Union Administration (NCUA), and the Cyber Risk Institute (CRI) Cyber Profile created by the American Bankers Association (ABA), which is still actively maintained and aligned with modern security frameworks.
Your regulatory requirement has always been to evaluate and maintain your cybersecurity posture based on your institution’s risk appetite and goals. Fortunately, several viable options remain available, as long as they provide a repeatable method for assessing cybersecurity posture. However, most alternative tools do not define clear maturity goals as explicitly as the CAT did.
If you preferred the CAT, the CRI Cyber Profile or the ACET by NCUA are logical successors. Both tools maintain a similar format and function. For a more modern approach that moves away from Excel spreadsheets, CISA’s Cyber Security Evaluation Tool (CSET) is a compelling alternative. It is a free, standalone application that allows multiple contributors, document attachment for evidence, and references source materials for clarity. It also integrates with the NIST Cybersecurity Framework (CSF) and CIS Controls Version 8, which FIPCO IT Audit Services has been recommending for years. CSET additionally offers CISA’s Ransomware Readiness Assessment (RRA), a strong alternative to the Ransomware Self-Assessment Tool (R-SAT). For those seeking a more comprehensive evaluation, CSET provides full IT and information security risk assessments, not just cybersecurity-focused ones. Other acceptable frameworks exist, including paid solutions from IT management providers and specialized risk and security firms.
While change can be challenging, it is not inherently negative. The world has evolved over the past decade and so have cybersecurity threats and the controls used to mitigate them. Adapting how we assess and manage security posture is long overdue.
Consider your options carefully. Although the CAT is being retired, full adoption of a replacement tool is unlikely to be required immediately by August 2025. Now is the time to explore new solutions and ensure your institution remains secure and compliant.
Foxx is director – infosec and IT audit services for FIPCO, a WBA Gold Associate Member.
