The CIS Critical Security Controls as a CAT Alternative

Exploring another CAT Alternative

To get out in front of change.

As the date of the FFIEC’s CAT retirement keeps drawing nearer, we want to discuss the different options there are to replace it. The retirement means we will need to select a new tool to identify cybersecurity risks and assess our cybersecurity preparedness. Managing cybersecurity is no small feat in 2025, as technology and bad actors are constantly changing. To address these changes, one of the many options we’re looking at is the Center for Internet Security’s (CIS) Critical Security Controls. As stated by CIS, the controls are “a prescriptive, prioritized, and simplified set of best practices that you can use to strengthen your cybersecurity posture.”

One reason to look at the CIS Critical Security Controls over other options is that they are updated more frequently than the others. The CAT, and many other options to replace it, are based on the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), which was originally released in 2014. NIST’s CSF was then updated in 2024, and it was at this time that the FFIEC decided not to update the CAT but instead to refer to new government resources and other industry-developed resources to replace it. This included NIST’s CSF v2 and other tools based on it, such as the Cyber Risk Institute’s (CRI) Cyber Profile. While this was a great update, these tools are only being updated to reflect the changes in the NIST CSF, now at version 2. This means these tools (including the CAT) were not really updated for 10 years, and a lot has changed in 10 years. CIS, on the other hand, has updated the Critical Security Controls five times since the CAT and NIST CSF 1 were released. This tool is therefore better at staying on top of current and emerging threats.

Another positive for the Critical Security Controls for small and mid-sized financial institutions is that they offer a simpler, more actionable, and prioritized alternative to the FFIEC Cybersecurity Assessment Tool. The controls are simpler in that there are a total of 153 controls organized into three Implementation Groups (IGs) based on organizational size, risk profile, and available resources. This is a dramatic reduction in total controls compared to the CAT and its five domains. This means that the controls can be better prioritized and implemented based on your size, risk, and resources. Each control is also very specific, with the workbook providing detailed descriptions of what to implement to address cybersecurity risk, allowing for easier understanding and implementation of specific controls.

Another strength of the Critical Security Controls, shared by many of the other options as well, is that they are mapped to other frameworks such as the FFIEC CAT. While we always recommend reviewing all of the control statements when implementing a new cybersecurity framework, it will be easier to assess where you stand if you can compare it to the old framework. When implementing the Critical Security Controls, the CAT mapping provides a great starting point to assess which controls you already have in place. While, again, we do recommend you review all of the controls, less review will be needed for controls you have had in place for many years.

While there are many options when it comes to replacing the CAT, the Critical Security Controls are a strong contender. These controls were not only suggested as an alternative by the FFIEC, but have their own strengths when compared to other options, such as the frequency of updates, the number of controls included, and their mappings to other frameworks and guidance. By leveraging a controls framework that is operationally focused and widely accepted, institutions can not only strengthen their security posture but also satisfy regulatory scrutiny with less overhead.

Original article by Adam Reynolds, CISSP. Lead Non-Technical Auditor, infotex
