FFIEC CAT Is Dead: Your 2026 Examiner Expects NIST CSF 2.0 — Here's the Gap Most Financial Institutions Are Missing

On August 31, 2025, the FFIEC retired its Cybersecurity Assessment Tool. If your institution is still referencing CAT maturity levels in board reports, your next examiner will notice. The tool that defined cybersecurity assessments for a decade is gone, and the replacement framework demands a fundamentally different approach to how you measure, document, and govern cyber risk.

The successor is NIST CSF 2.0, published February 26, 2024. It introduces a sixth core function that did not exist when most financial institutions built their cybersecurity programs. That function, Govern, explicitly requires board-level oversight, risk appetite documentation, and supply chain risk management. Most institutions have not added it yet.

For credit unions, community banks, and mortgage companies, the gap between "we used CAT" and "we're aligned to CSF 2.0" is wider than a one-to-one mapping exercise. The institutions that treat this as a checkbox migration will walk into their next exam with exactly the documentation gaps examiners are trained to find.

Finding

75% of financial institutions have selected NIST CSF as their replacement framework for the retired FFIEC CAT. However, fewer than 30% have completed the transition, leaving the majority in a documentation gap between retired and adopted frameworks.

Tandem Cybersecurity Survey: FFIEC CAT Transition Readiness, 2025 · n=420+ financial institutions

What Changed: FFIEC CAT Is Officially Retired

The OCC issued Bulletin 2024-25 on August 29, 2024, formally rescinding the FFIEC Cybersecurity Assessment Tool. This was not a deprecation notice or a soft sunset. The bulletin explicitly states that examiners will no longer use CAT to evaluate cybersecurity preparedness. The FDIC, NCUA, and other FFIEC member agencies followed with parallel guidance directing institutions to adopt an industry-standard framework.

The CAT had been the default assessment tool since 2015. It grouped cybersecurity maturity into five levels (Baseline, Evolving, Intermediate, Advanced, Innovative) across five domains. Examiners used it to benchmark institutions, and most IT teams built their documentation around its structure.

OCC Bulletin 2024-25 — Rescission of FFIEC Cybersecurity Assessment Tool

The OCC rescinds its support for the FFIEC Cybersecurity Assessment Tool. Banks should use any industry-standard cybersecurity framework appropriate for their risk profile, such as the NIST Cybersecurity Framework, to assess and improve their cybersecurity posture.

Published August 29, 2024

The bulletin gives institutions flexibility to choose their framework. In practice, NIST CSF 2.0 has become the default. The FFIEC's own guidance references NIST CSF directly, and examiners are being trained on its structure. Choosing a different framework is technically permitted, but choosing CSF 2.0 means your documentation language matches what your examiner already knows.

The critical point: your old CAT results are not evidence of current cybersecurity maturity. An institution that scored "Intermediate" on the CAT in 2024 cannot carry that designation forward. The frameworks measure different things, and examiners know it.

NIST CSF 2.0: The Six Functions Your Examiner Now Expects

NIST CSF 1.1 had five core functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0, published February 26, 2024, adds a sixth: Govern. This is not a minor addition. The Govern function sits at the center of the framework and touches every other function. It requires documented board oversight, defined risk appetite, established roles and responsibilities, and formal policies covering cybersecurity supply chain risk.

CSF 2.0 Function | Categories | What Examiners Look For | Common Gap
Govern (GV) | 6 | Board-approved policies, risk appetite, supply chain oversight, roles defined | Missing entirely
Identify (ID) | 3 | Asset inventory, risk assessments, business environment documentation | Incomplete asset inventory
Protect (PR) | 5 | Access controls, awareness training, data security, platform security | No sensitivity labels
Detect (DE) | 2 | Continuous monitoring, anomaly detection, event analysis | Point-in-time only
Respond (RS) | 4 | Incident response plans, communications, analysis, mitigation | Outdated IR playbooks
Recover (RC) | 2 | Recovery planning, communications, improvements post-incident | No tested DR plan
NIST CSF 2.0 introduces the Govern function at the center of the framework, connecting all five existing functions. Source: NIST Cybersecurity Framework 2.0, February 2024.

The expansion from 5 to 6 functions, 98 to 106 subcategories, and 5 to 22 categories is not just structural. It reflects a shift in how regulators think about cybersecurity. The CAT focused on what controls you have. CSF 2.0 focuses on how those controls are governed, measured, and improved over time. That distinction drives every gap financial institutions are finding during their transition.

Institutions that mapped their CAT results directly to CSF 2.0 subcategories quickly discovered the problem. The Govern function has no CAT equivalent. There is no checkbox migration path for board oversight documentation, supply chain risk management, or defined risk appetite statements. These requirements have to be built from scratch.

[Figure: NIST CSF 2.0 Transition Status Across Financial Institutions. Stages shown: Aware (most FIs), Mapping, Implementing, Aligned (target).]

Most financial institutions know the CAT is retired and have selected NIST CSF 2.0. Fewer than 30% have completed the transition to documented alignment.

FFIEC CAT versus NIST CSF 2.0: the retired tool measured controls in place while the new framework measures how those controls are governed and improved. Source: OCC Bulletin 2024-25; NIST CSF 2.0, February 2024.

The Three Gaps Most Financial Institutions Are Missing

After working with financial institutions on this transition, three gaps appear in nearly every assessment. These are not edge cases. They are structural weaknesses that a one-to-one CAT-to-CSF mapping exercise will never catch.

Gap 1: The Govern Function Does Not Exist in Your Documentation

The Govern function (GV) has six categories: Organizational Context, Risk Management Strategy, Roles and Responsibilities, Policy, Oversight, and Cybersecurity Supply Chain Risk Management. Every one of these requires documented evidence your examiner can review.

Most institutions have some of these elements scattered across board minutes, vendor management policies, and IT committee charters. What they lack is a unified governance framework that maps explicitly to GV.OC, GV.RM, GV.RR, GV.PO, GV.OV, and GV.SC. Without that mapping, the evidence exists but is not findable during an exam.

Gap 2: Supply Chain Risk Management Is Now a Core Requirement

The CAT mentioned third-party risk in passing. CSF 2.0 dedicates an entire category (GV.SC) to cybersecurity supply chain risk management with seven subcategories. This category requires institutions to identify, assess, and manage cyber risks from suppliers, service providers, and technology vendors throughout the product lifecycle.

For institutions running Microsoft 365, this means documenting Microsoft as a technology supplier with specific risk controls, monitoring the sub-processor chain (including Anthropic for Copilot users), and maintaining evidence that vendor risk assessments are current. The NCUA reported 892 cyber incidents in 2024, with 73% involving third-party vendors. Examiners are paying close attention to this category.

The Supply Chain Gap Is Wider Than You Think

Your institution likely tracks major vendors in a spreadsheet or GRC tool. CSF 2.0 requires more: documented criteria for selecting vendors, contractual cybersecurity requirements, ongoing monitoring evidence, and incident notification procedures for every supplier in the chain. If you cannot demonstrate how you monitor Microsoft's sub-processors, you have a GV.SC documentation gap.

Gap 3: Continuous Monitoring Replaces Point-in-Time Assessment

The CAT was inherently a point-in-time tool. You assessed your maturity, documented it, and revisited it annually. CSF 2.0 expects continuous improvement. The Detect function (DE) now explicitly requires ongoing monitoring and anomaly analysis, not annual scans.

This shift has real operational implications. Your examiner will ask: "How do you detect a configuration drift in your M365 security settings between exams?" If the answer is "we check during our annual assessment," that answer no longer meets the framework's expectations.

How Microsoft 365 Maps to NIST CSF 2.0

Financial institutions already own most of the technical controls CSF 2.0 requires. The issue is not missing tools. It is misconfigured tools and undocumented controls. Microsoft 365 E3 and E5 licenses include features that map directly to five of the six CSF 2.0 functions. The sixth, Govern, requires institutional policies and processes that no technology platform provides out of the box.

  • Identify: Microsoft Defender Vulnerability Management scans for asset discovery and risk identification across endpoints and cloud services.
  • Protect: Conditional Access, MFA, DLP policies, sensitivity labels, and BitLocker encryption. These cover PR.AA (access control), PR.DS (data security), and PR.PS (platform security).
  • Detect: Microsoft Defender XDR, Microsoft Sentinel (E5), and Purview Audit provide continuous threat detection, anomaly analysis, and event logging for DE.CM and DE.AE.
  • Respond: Defender incident management, automated investigation, and Purview eDiscovery for RS.MA (incident management), RS.AN (analysis), and RS.MI (mitigation).
  • Recover: SharePoint and OneDrive versioning, Exchange Online backup, and Azure backup services for RC.RP (recovery execution) and RC.CO (recovery communication).

The Govern function has no Microsoft 365 toggle. It requires documented board-approved policies, defined risk appetite, assigned cybersecurity roles, and supply chain risk management procedures. Your M365 tenant can generate the evidence (audit logs, compliance reports, configuration snapshots), but the governance framework itself must be written, approved, and maintained by your institution.

📋 From the Field

The single most common finding across our NIST CSF 2.0 gap assessments: institutions have the M365 controls turned on but cannot produce the documentation proving those controls are governed. Defender is active but nobody can show the board resolution that approved the detection strategy. Conditional Access policies exist but there is no written access control policy referencing them. The controls work. The evidence trail does not.

— ABT Compliance Team · 750+ Financial Institutions

Your Transition Roadmap: CAT to CSF 2.0

The transition is not a single project. It is a four-phase process that starts with documenting what you already have and ends with continuous monitoring that satisfies your examiner's expectations.

1. Gap Assessment: Map current controls against all 106 CSF 2.0 subcategories. Identify missing Govern function documentation.

2. Govern Build: Create board policies, risk appetite statements, role assignments, and supply chain risk documentation.

3. Control Alignment: Configure M365 security settings to match CSF 2.0 subcategory requirements. Document each mapping.

4. Continuous Monitoring: Replace point-in-time assessments with ongoing configuration monitoring and quarterly policy reviews.

Phase 1 typically takes 2-4 weeks for institutions with existing CAT documentation. The gap assessment converts your old CAT maturity scores into a CSF 2.0 current-state profile and highlights the subcategories where evidence is missing or insufficient.

Phase 2 is where most transitions stall. Building the Govern function from scratch requires board engagement, legal review, and cross-departmental coordination. Budget 60-90 days for this phase. Institutions that try to rush it end up with generic policy templates that examiners see through immediately.

Phase 3 focuses on your Microsoft 365 tenant configuration. Every Conditional Access policy, DLP rule, retention setting, and audit configuration needs to be mapped to a specific CSF 2.0 subcategory with documentation that an examiner can trace. This is where most institutions need technical help.

Phase 4 is the ongoing operating model. CSF 2.0 expects continuous improvement, not annual snapshots. This means automated configuration monitoring, regular policy reviews, and evidence collection that runs between exams.
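The drift check that the examiner question in Gap 3 and the Phase 4 operating model both call for, as an added example (not ABT's, Guardian's or Microsoft's code): it compares a board-reviewed snapshot of Conditional Access policies with the current one and tags every difference with the CSF 2.0 subcategory it affects, so the report doubles as between-exam DE.CM evidence. The two snapshots are constructed and shaped like Microsoft Graph `conditionalAccessPolicy` objects (only the fields compared here), and the PR.AA / GV.PO tagging of individual settings is this example's assumption, not NIST's text.

```python
# Watched setting -> (CSF 2.0 subcategory it evidences, severity when it drifts).
# Mapping these settings to PR.AA is this example's assumption, not NIST's text.
WATCHED = {
    "state": ("PR.AA", "high"),
    "grantControls.builtInControls": ("PR.AA", "high"),
    "conditions.users.excludeUsers": ("PR.AA", "medium"),
}

# Constructed snapshots shaped like Graph conditionalAccessPolicy objects
# (only the fields compared here). BASELINE is the board-reviewed state.
BASELINE = [
    {"id": "ca-001", "displayName": "Require MFA for all users", "state": "enabled",
     "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"excludeUsers": ["breakglass-1"]}}},
    {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled",
     "grantControls": {"builtInControls": ["block"]},
     "conditions": {"users": {"excludeUsers": []}}},
]
CURRENT = [
    {"id": "ca-001", "displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",   # quietly set to report-only
     "grantControls": {"builtInControls": ["mfa"]},
     "conditions": {"users": {"excludeUsers": ["svc-sync-7", "breakglass-1"]}}},
    {"id": "ca-002", "displayName": "Block legacy authentication", "state": "enabled",
     "grantControls": {"builtInControls": ["block"]},
     "conditions": {"users": {"excludeUsers": []}}},
    {"id": "ca-003", "displayName": "Temp exception", "state": "enabled",  # not in baseline
     "grantControls": {"builtInControls": ["mfa"]}, "conditions": {}},
]

def _get(obj, dotted):
    """Walk a dotted path (None if missing); sort lists so order never counts as drift."""
    for key in dotted.split("."):
        obj = obj.get(key) if isinstance(obj, dict) else None
    return sorted(obj) if isinstance(obj, list) else obj

def detect_drift(baseline, current):
    """One finding per drifted setting, deleted policy, or policy absent from the baseline."""
    base = {p["id"]: p for p in baseline}
    cur = {p["id"]: p for p in current}
    findings = []
    for pid in sorted(base.keys() - cur.keys()):
        findings.append({"policy": base[pid]["displayName"], "field": "(policy)", "before": "present",
                         "after": "deleted", "csf": "PR.AA", "severity": "high"})
    for pid in sorted(cur.keys() - base.keys()):
        findings.append({"policy": cur[pid]["displayName"], "field": "(policy)", "before": "absent",
                         "after": "added outside approved baseline", "csf": "GV.PO", "severity": "medium"})
    for pid in sorted(base.keys() & cur.keys()):
        for field, (csf, severity) in WATCHED.items():
            before, after = _get(base[pid], field), _get(cur[pid], field)
            if before != after:
                findings.append({"policy": cur[pid]["displayName"], "field": field,
                                 "before": before, "after": after, "csf": csf, "severity": severity})
    return findings
```

Run on a schedule, `detect_drift(BASELINE, CURRENT)` returns three findings for these snapshots (a policy switched to report-only, a new MFA exclusion, and a policy nobody approved); an empty result is the dated, file-able evidence that nothing changed.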

The institutions that treat CSF 2.0 transition as a documentation exercise will pass one exam. The institutions that build continuous monitoring will pass every exam.

How ABT Closes the Gap

Access Business Technologies has configured NIST CSF-aligned security frameworks for over 750 financial institutions. Our Guardian operating model maps directly to all six CSF 2.0 functions, including the Govern controls that most institutions are building for the first time.

For the transition itself, ABT provides the gap assessment (Phase 1), builds the Govern documentation with your compliance team (Phase 2), configures your M365 tenant to CSF 2.0 requirements (Phase 3), and runs continuous monitoring through Guardian (Phase 4). Guardian's 160-plus security controls generate the ongoing evidence trail that satisfies examiner documentation requirements between exams.

The cost of leaving this transition incomplete is measurable. Institutions that enter an exam without a documented CSF 2.0 alignment face findings that escalate to board-level reporting requirements, increased exam frequency, and in severe cases, enforcement actions. The average cost of remediating post-exam findings runs 3-5x higher than proactive transition work.

Frequently Asked Questions

The FFIEC has not mandated a single replacement. However, OCC Bulletin 2024-25 directs institutions to adopt any industry-standard cybersecurity framework appropriate for their risk profile. NIST CSF 2.0 has become the de facto replacement, with 75% of financial institutions selecting it according to a Tandem cybersecurity survey of 420+ institutions. The FFIEC's own guidance references NIST CSF directly, and examiners are being trained on its structure.

The OCC issued Bulletin 2024-25 on August 29, 2024, formally rescinding its support for the FFIEC CAT. The FDIC, NCUA, and other FFIEC member agencies issued parallel guidance. The tool was retired effective August 31, 2025. Institutions still referencing CAT maturity levels in examination documentation should transition to NIST CSF 2.0 or another industry-standard framework before their next scheduled exam.

NIST CSF 2.0 is not technically mandatory. The NCUA requires credit unions to maintain an effective information security program under Part 748 of NCUA regulations. However, the NCUA has explicitly encouraged credit unions to use NIST CSF as the basis for their cybersecurity programs. In practice, NCUA examiners evaluate cybersecurity preparedness against frameworks they recognize, and NIST CSF 2.0 is the framework they are being trained on. Using a different framework is permitted but may require additional documentation explaining how it meets equivalent standards.

Govern (GV) is the new sixth function added in NIST CSF 2.0, published February 26, 2024. It has six categories: Organizational Context (GV.OC), Risk Management Strategy (GV.RM), Roles, Responsibilities, and Authorities (GV.RR), Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC). The Govern function requires institutions to document board-level cybersecurity oversight, define risk appetite, assign cybersecurity responsibilities, maintain formal policies, and manage supply chain cyber risks. It sits at the center of the framework and informs all other five functions.

A typical transition takes 4-6 months for a financial institution with existing CAT documentation. The gap assessment phase takes 2-4 weeks. Building the Govern function documentation takes 60-90 days because it requires board engagement, legal review, and cross-departmental coordination. Technical control alignment in Microsoft 365 takes 4-8 weeks depending on tenant complexity. Continuous monitoring setup adds another 2-4 weeks. Institutions starting from scratch or with minimal CAT documentation should budget 6-9 months for full alignment.

Access Business Technologies provides a four-phase transition service for financial institutions moving from FFIEC CAT to NIST CSF 2.0. Phase 1 is a gap assessment that maps current controls against all 106 CSF 2.0 subcategories. Phase 2 builds the Govern function documentation including board policies, risk appetite statements, and supply chain risk procedures. Phase 3 configures the Microsoft 365 tenant to meet CSF 2.0 technical requirements with documented control mappings. Phase 4 establishes continuous monitoring through ABT's Guardian operating model, which provides ongoing configuration monitoring, quarterly policy reviews, and examiner-ready evidence collection. ABT has configured security frameworks for over 750 financial institutions since 1999.

Ready to Close Your NIST CSF 2.0 Gaps Before Your Next Exam?

ABT's NIST CSF 2.0 transition includes:

  • Gap assessment mapping current controls to all 106 subcategories
  • Govern function documentation with board-ready policy templates
  • M365 tenant configuration aligned to CSF 2.0 requirements
  • Continuous monitoring through Guardian with examiner-ready evidence
Justin Kirsch

CEO, Access Business Technologies

Justin Kirsch has helped financial institutions build examiner-ready cybersecurity programs since 1999. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he works with more than 750 credit unions, community banks, and mortgage companies to align their Microsoft 365 environments with regulatory frameworks including NIST CSF 2.0, GLBA, and NCUA Part 748.