A Road Map to a New Cybersecurity Framework
Banks would be well served to utilize a new cybersecurity framework that aligns with their risk, strategy and regulatory expectations.
Brought to you by Plante Moran

For nearly a decade, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) provided a standardized approach to assessing cybersecurity maturity across the financial sector. It was widely appreciated for its clarity, and for once, all institutions — no matter the size — were working from the same playbook.
With its retirement in August 2025, institutions are now confronted with a more complex landscape. Unlike the CAT, which was mandated across the board, the next phase requires banks to choose among several frameworks. This freedom comes with greater flexibility, alignment with risk appetite and scalability. But it also has its own challenges. Many institutions are experiencing decision fatigue, unsure which framework best fits their size, complexity and the current regulatory environment.
By taking a practical, phased approach, banks can meet examiner expectations and strengthen their long-term resilience.
Step 1: Discuss Alternatives With a Cybersecurity Governance Committee
Transitioning frameworks isn’t a one-person task. Several factors can guide this new strategic direction, such as defining cybersecurity objectives aligned with business strategy and evaluating current maturity levels based on CAT results. Cultural fit is also a critical deciding factor. Some frameworks are highly prescriptive while others are more flexible. The right choice depends on the institution’s risk culture and management style.
These candid discussions about goals and vision for additional framework utilization help ensure the tool selected provides the greatest value. Regulators will continue to expect annual self-assessments of the organization’s cybersecurity control environment. Management should be comfortable leading discussions on which framework was chosen, why it was chosen and how it aligns with the bank’s risks and strategic vision.
Step 2: Select a Framework That Aligns With Institutional Risk Profile
Framework selection should be guided by the institution’s size, complexity and risk appetite. The key isn’t to chase the perfect framework but to select one that aligns with the institution’s risk profile, resources, and strategic goals. We’ve outlined a few key benefits and gaps to consider when selecting a framework.
| Framework | Key benefits | Gaps that may need additional bank focus |
| --- | --- | --- |
| National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) | Widely adopted, foundation for other frameworks. Flexible. | Prioritization; specific practices to address control goals. |
| Cyber Risk Institute (CRI) Profile | Aligns NIST with banking regulations. Cloud profile extension, and the most detailed option. | Limited prioritization; aligning prescriptive statements with actual bank practices. |
| Center for Internet Security (CIS) Critical Security Controls | Prioritization, specific control descriptions. | Light on governance controls; expanding to higher maturity controls. |
| Cybersecurity and Infrastructure Security Agency (CISA) Cross-Sector Cybersecurity Performance Goals (CPG) | Short listing to prioritize cost, impact and complexity ratings. | Light on governance controls; limited control listing. |
Step 3: Map Existing Controls to the New Framework
Management that’s comfortable with its existing CAT assessment results can map the existing CAT-based controls to the selected framework rather than starting from scratch. Many frameworks offer mapping guides or crosswalks to facilitate this process, which helps preserve institutional knowledge and accelerates implementation.
From discussions with multiple teams, many banks have also appreciated the opportunity for a fresh start and begun the new framework assessment with a clean slate. Both approaches are valid, provided they’re well-documented and communicated to the board and examiners.
Once mapping is complete, management should identify where controls fall short of the new framework’s requirements. Gaps should be categorized by risk impact and regulatory significance, which can form the foundation for prioritizing remediation efforts and demonstrate that management is approaching the transition strategically.
Step 4: Continue to Integrate Cybersecurity Into Enterprise Risk Management
Examiners expect cybersecurity to be integrated into enterprise risk management (ERM). The CRI Profile, for example, directly maps to FFIEC handbooks on business continuity, third-party risk and information security. Demonstrating these connections shows regulators that cybersecurity isn’t siloed but embedded in the institution’s broader governance and strategic planning.
Along these lines, management can also continue to use assessment results to inform strategic planning, budgeting and staffing plans. As implementation progresses, framework prioritization efforts can also evolve. Certain cybersecurity frameworks are designed to scale over time, offering defined levels or tiers that allow institutions to progressively strengthen their control environments as their risk appetite, size and complexity evolve. These tiers, such as those in the CRI Profile, or Implementation Groups (IG) 1-3 in CIS, allow institutions to move from foundational practices to more advanced and comprehensive controls.
The Path to Long-Term Resilience
The sunset of the FFIEC CAT marked a turning point in how banks approach cybersecurity. While the transition may feel daunting, it’s an opportunity to adopt frameworks that are more flexible, risk-aligned and forward-looking.
By following a phased road map — beginning with governance discussions, selecting the right framework, mapping existing controls, integrating cybersecurity into ERM, emphasizing continuous monitoring and communicating with stakeholders — banks can satisfy regulatory expectations and strengthen their ability to manage evolving threats.
The transition isn’t merely a compliance exercise. It’s a strategic investment that positions institutions to thrive in an increasingly complex cyber landscape.