After FFIEC CAT: What’s the Right Cybersecurity Framework for Your Institution?

In the third quarter of 2025, the Federal Financial Institutions Examination Council (FFIEC) retired its Cybersecurity Assessment Tool (CAT), noting that the tool had become outdated as more modern, adaptable frameworks emerged. That left many financial institutions evaluating which tool to use going forward to assess their security controls, and deciding which one is the best fit for their institution. With regulatory agency exams always around the corner, one thing is clear: examiners will continue to expect these assessments to be completed annually, including this year. The question our team hears most often on this subject is, "What is the best solution for my company to use?" As with most questions of this kind, the answer is rarely straightforward and depends on your specific environment. Many cybersecurity frameworks, most notably the National Institute of Standards and Technology (NIST) Cybersecurity Framework, state that they can accommodate any organization, but none of them should be viewed as one-size-fits-all.

The essential goal of these frameworks is to give a company the opportunity to evaluate where its control environment is strong and to shine a light on areas where controls may be missing, or that may not previously have been recognized as necessary or a priority. With that in mind, where should you start looking? If you are a member of a cybersecurity organization, a good starting point is to check any forums or chats started by peers in your industry to learn what they are already using. Some companies previously elected to forgo the FFIEC Cybersecurity Assessment Tool in favor of another option that they were more familiar with or found more valuable. If you are not a member of one of these organizations, I would first look into them and determine whether one would provide value beyond simply sharing details on cybersecurity frameworks.

Next, I would consider downloading and reviewing some of the free solutions from recognized authorities in this area, such as NIST or the Cyber Risk Institute (CRI). I strongly suggest downloading the accompanying documentation along with these solutions to gain a more complete understanding of what each question is asking, so that you can answer the questionnaire accurately. A quick look at a framework workbook without its accompanying guidance can leave someone overwhelmed and unsure of what is being asked. Several frameworks are built on the foundation of the NIST Cybersecurity Framework, which evaluates controls across six core Functions (Govern, Identify, Protect, Detect, Respond, and Recover). Other organizations either tailor its subcategories or add new categories and control considerations, and then add further detail to align the framework more closely with the expectations placed on a company in your industry, such as controls relating to banking and transit operations.

Additionally, some solutions include tailoring questions as a prerequisite, to hone in further. Based on your answers, they add questions that may be beneficial and remove questions that do not apply to your institution. Common risk control areas that currently require evaluation include, but are not limited to, governance, incident identification and response, vendor oversight, and data protection. These are also the areas typically covered by an IT general controls (ITGC) audit, which makes that audit a solid starting point for understanding the foundation of each subcategory. If none of these solutions seems to meet expectations or fit your institution, there are third-party providers that have developed their own proprietary frameworks.

These third parties can be contracted to provide their frameworks and perform an evaluation of your company’s security posture.

The expectations for any chosen solution going into this year will likely resemble those of the first few years of the CAT. Management will perform an annual internal assessment of the control environment using its chosen solution. Solutions such as the CRI Profile come with mappings to several regulations, guidance documents, issuances, and frameworks from other entities. This includes mappings back to the retired FFIEC CAT and its maturity-level model, so a company can confirm it still meets the CAT's Baseline requirements and, at a minimum, some of the Evolving criteria. For any Baseline control that has not been implemented or tested, management should document an action plan to remediate the gap, or other rationale such as the compensating controls that mitigate the risk. Supporting documentation should also be retained and compiled in one place, since a governing entity is likely to ask for it. Having that documentation ready during an examiner's review can save the company valuable hours by avoiding unnecessary follow-up questions.

As technology continues to evolve, make sure your organization also downloads the latest version of the framework you chose. Areas such as artificial intelligence, for example, will likely require updates at a faster pace. Interchangeable terms such as flexible, adaptable, and agile are often used when discussing the rapid rate of change in technology. You will need to evaluate your company's security posture both from an internal control perspective and across any third and fourth parties that help provide services. Companies should maintain an understanding of how security is currently being executed and, through tools such as these frameworks, identify opportunities to address existing areas for improvement as well as new and emerging concerns that will affect the environment going forward. Maturity goals should be established to identify areas where new controls can be implemented, along with a roadmap for accomplishing them.

If you have any questions in this area as you move forward with performing your assessment in 2026 and onward, or if you would like assistance in completing an assessment, please contact our team at Snodgrass. We would be happy to discuss this further to help find a solution that works for your institution.
