SR 24-7:

FFIEC Cybersecurity Assessment Tool Sunset Statement

BOARD OF GOVERNORS
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF
SUPERVISION AND REGULATION

SR 24-7
November 22, 2024

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK

SUBJECT:

FFIEC Cybersecurity Assessment Tool Sunset Statement

Applicability: This letter applies to financial institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued a statement on August 29, 2024, to communicate the sunset of the Cybersecurity Assessment Tool (CAT) in August 2025 (Statement). In light of new government resources available to financial institutions, the CAT will no longer be updated and will be removed from the FFIEC website on August 31, 2025.

As background, the CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks. As outlined in the Statement, these resources include the National Institute of Standards and Technology Cybersecurity Framework 2.0, the Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals, the Cyber Risk Institute’s Cyber Profile, and the Center for Internet Security Critical Security Controls. These tools can be used in conjunction with other resources (e.g., frameworks, standards, guidelines, and leading practices) to better address and inform management of continuously evolving cybersecurity risk.

The Federal Reserve does not endorse any particular cybersecurity self-assessment tool. Supervised financial institutions should ensure that any self-assessment tool(s) they utilize supports an effective control environment and is commensurate with their risk.

The use of widely available tools aligned with industry standards and best practices can also support financial institutions in their discussions with supervisors. However, cybersecurity risk continuously evolves, and examiners may address areas not covered by all tools at a point in time. The Federal Reserve takes a risk-focused examination approach that relies on an understanding of the financial institution, the performance of risk assessments, the development of a supervisory plan or examination scope, and examination procedures tailored to the financial institution’s risk profile.

Reserve Banks are asked to distribute this letter to the supervised financial institutions in their districts and to appropriate supervisory staff. In addition, financial institutions may submit questions via the Board’s public website.

signed by

Michael S. Gibson
Division of
Supervision and Regulation

Supersedes:
  • SR letter 15-9, “FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors”

Last Update: November 22, 2024