CISA CPG as a CAT Alternative

Exploring another CAT Alternative...

To get out in front of change.

By now, financial institutions are aware that they must select a replacement framework to continue managing cyber risk once the FFIEC Cybersecurity Assessment Tool (CAT) is retired.  The FFIEC's sunsetting statement named four possible alternatives: the NIST Cybersecurity Framework 2.0, the CRI Profile 2.0, the CIS Critical Security Controls, and CISA's Cross-Sector Cybersecurity Performance Goals (CPGs).  This is the final article of our four-part series, one article per alternative, and it focuses on CISA's cross-sector CPGs and their potential role as a replacement for the CAT.

The CPGs were specifically referred to in the FFIEC's announcement as an option for financial institutions, which makes them particularly noteworthy.  Developed by CISA, the CPGs are intended to capture a "core set of cybersecurity practices with known risk-reduction value broadly applicable across sectors."  In other words, while not as comprehensive as the other frameworks, the CPGs emphasize a prioritized set of practices that yield measurable improvements in resilience.  For smaller banks with limited resources, this prioritization can provide a practical, risk-reduction-focused starting point rather than an exhaustive control catalog.

That said, institutions must be aware of certain limitations when considering the CPGs.  Unlike the NIST CSF 2.0 or the CRI Profile 2.0, the CPGs do not include Govern as a top-level function.  This means institutions may find gaps in areas such as board-level oversight, strategic governance, and aligning cyber risk with business risk.  For institutions already subject to significant governance expectations from regulators, this could require supplementing the CPGs with additional governance-focused controls or pairing them with another framework.

The CAT also provided quantitative measurement: maturity levels ranging from Baseline to Innovative allowed institutions to track improvement over time and benchmark against peers.  The CPGs have no scoring, tiers, or maturity levels; the CPG checklist records only an implementation status for each goal (not started, scoped, in progress, or implemented), so institutions cannot easily demonstrate progress or justify their control posture to auditors or regulators.  This lack of measurability limits the usefulness of the CPGs as a primary self-assessment tool.

Looking ahead, though, the CPGs may become even more relevant to financial institutions.  CISA has announced that sector-specific goals for the financial sector are being developed and are slated for release in the winter of 2025.  These sector-specific CPGs are expected to provide more tailored guidance that addresses the unique regulatory and operational environment of financial institutions.  For institutions considering adoption now, this means there may be a natural path toward greater specificity and closer alignment with examiner expectations in the near future.

In conclusion, while the CPGs are not a one-for-one replacement for the FFIEC CAT, they provide a solid foundation of prioritized, risk-reduction practices.  Their inclusion in the FFIEC's sunsetting statement signals that regulators see value in them, especially for institutions looking for a practical and widely applicable set of goals.  However, community banks should be prepared to address the governance and measurement gaps described above and plan for the upcoming sector-specific release to ensure they remain aligned with regulatory expectations.  With the retirement of the CAT, institutions must proactively evaluate all available alternatives, and for some, the CPGs may serve as a cost-effective, risk-based option, especially when paired with additional governance processes.

Original article by Adam Reynolds, CISSP, CISA Senior Staff Auditor, infotex


Adam is the 2025 recipient of the Cyb3rP0e+ award.
