CAT Alternatives...
To get out in front of change.
As of the date of publication, the Cybersecurity Assessment Tool (CAT) is less than one month away from being officially sunset, meaning we have been discussing the CAT’s retirement for almost a year. We previously published articles looking at the CRI Profile v2.0 and the CIS Critical Security Controls as CAT alternatives, and now we want to discuss the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework 2.0 (CSF) as an option as well. Since its original publication in 2014, and through its first major revision in 2024, the CSF has long been considered a gold standard for managing cybersecurity risk, and, as you may know, it was the basis for the CAT. This means there are many benefits to implementing the CSF 2.0 over other frameworks, but there are also some drawbacks that should be discussed.

The CAT was built upon the original NIST CSF 1.0, meaning that transitioning to the updated CSF 2.0 is not as big a shift as adopting an entirely new framework. Many of the benefits of implementing the CSF 2.0 arise from the fact that the CAT was based on the CSF, so financial institutions are already very familiar with its approach to cybersecurity. However, while the original CSF did form the basis of the CAT, the CAT was tailored to financial institutions. At a high level the two share many similarities, but when it comes down to the individual statements, the CAT is far more descriptive. This is still visible in the current CSF, which has 106 statements, while the CAT has a total of 494 statements.
One thing we would like to highlight with the update to the new CSF 2.0 is the inclusion of a new top-level category: Govern. This new function now stands alongside Identify, Protect, Detect, Respond, and Recover as one of the six core pillars of the framework. This structure ensures that governance—including setting cybersecurity strategy, defining leadership roles, aligning cyber risk with business risk, establishing policies, enforcing oversight, and integrating supply‑chain risk—is elevated, formalized, and embedded into risk management at the highest level. This is an update we were glad to see as we believe governance should be a top-level domain and incorporated into cybersecurity from the top down.
So, while the main benefits of adopting the NIST CSF 2.0 as a framework result from its previous version being the basis of the CAT, which we’re very familiar with, its main drawbacks also result from this fact. That is because the CSF only formed the basis of the CAT; it was a solid cornerstone without doubt, but much work was put into tailoring it for financial institutions. The CSF does not include sector-specific guidance or controls; the CSF does not care which industry you are in; it is an industry-agnostic tool. This is where what NIST calls “CSF Organizational Profiles” come in: NIST provides a template for customizing the CSF to your organization. But this template is only an Excel file containing all of the CSF statements, with columns you can use to assign priority and status, reference current policies and procedures, define statement tiers, etc. While it is good information, it is up to you and your organization to track, define, and implement everything.
In closing, while the NIST CSF 2.0 offers a familiar foundation for financial institutions transitioning from the FFIEC CAT, it also demands a more proactive and hands-on approach to tailoring the framework to your specific organizational needs. The retirement of the CAT removes a resource that was purpose-built for the financial sector, but it also presents an opportunity to adopt a more flexible, scalable, and governance-focused framework in CSF 2.0. However, institutions must be prepared to invest the time and effort into developing a customized profile that aligns with their regulatory environment and business objectives. The CSF 2.0 provides the building blocks, but it will be up to each institution to design and construct their own cybersecurity program blueprint if they choose the CSF.
Original article by Adam Reynolds, CISSP, CISA. Senior Staff Auditor, infotex