A Comprehensive Assessment of FFIEC CAT and NIST CSF

by Bob Barker | Jul 24, 2018

What are the differences between cyber assessments from FFIEC and NIST? Can information from one assessment help with the other? Are there efficiencies to be gained by working with both simultaneously?

Most financial institutions are strongly encouraged by FFIEC to regularly assess and report the results of the Cybersecurity Assessment Tool (CAT). Developed by FFIEC, CAT is compatible with the NIST Cybersecurity Framework (CSF), and since its release in 2015, FFIEC has recommended that banks, credit unions, and other institutions incorporate NIST CSF as well.

The NIST CSF is comprehensive and meant for a high-level view of cyber risk across the organization. CAT is more detailed and more prescriptive in its assessment. Where CSF asks about people, policy, and processes, CAT asks about specific implementations of specific tools.

The CAT table below visualizes the maturity assessment process in a glance. It depicts the relationships between the Domains, Assessment Factors, and Components that make up the CAT framework.

Domain	Assessment Factor	Component
Cyber Risk Management and Oversight	Governance	Oversight
		Strategy/Policies
		IT Asset Management
	Risk Management	Risk Management Program
		Risk Assessment
		Audit
	Resources	Staffing
	Training and Culture	Training
	Training and Culture	Culture
Threat Intelligence and Collaboration	Threat Intelligence	Threat Intelligence and Information
	Monitoring and Analyzing	Monitoring and Analyzing
	Information Sharing	Information Sharing
Cybersecurity Controls	Preventative Controls	Infrastructure Management
		Access and Data Management
		Device/End-Point Security
		Secure Coding
	Detective Controls	Threat and Vulnerability Detection
		Anomalous Activity Detection
		Event Detection
	Corrective Controls	Patch Management
	Corrective Controls	Remediation
External Dependency Management	Connections	Connections
	Relationship Management	Due Diligence
		Contracts [CON]
		Ongoing Monitoring
Cyber Incident Management and Resilience	Incident Resilience Planning and Strategy.	Planning
	Incident Resilience Planning and Strategy.	Testing
	Detection, Response, and Mitigation	Detection
	Detection, Response, and Mitigation	Response and Mitigation
	Escalation and Reporting	Escalation and Reporting
Totals	15	30

NIST CSF requires an organization to rate the maturity of its cyber policies and processes using a 5-point scale of maturity. FFIEC CAT actually comprises two parallel assessments – Inherent Risk and Cybersecurity Maturity. Its risk assessment also uses a 5-point scale, but the maturity appraisal requires yes or no answers to 494 statements about specific activities, services, and products. The objectives are to evaluate cyber risks that exist without having any protections in place, then rate the maturity of measures in place, and finally to examine risk and maturity together to understand the organization’s risk status and determine where improvements are needed.

	FFIEC CAT	NIST CSF
Release/Latest Update	June 2015 / May 2017	February 2014 / April 2018
Target	Financial Institutions	Critical Infrastructure
Purpose	Help institutions identify their risks and assess their cybersecurity preparedness	Help private sector organizations improve prevention, detection, and response to cyberattacks
Description	Two assessments	One assessment
Scope	Thorough; prescriptive	Comprehensive; non-prescriptive
Appr. Number of controls	500	100

The CAT Maturity level is derived by rating 30 components as described in the table above. For each component, sets of statements for each of 5 maturity levels are presented, and the organization answers yes or no to each one. If every statement in a particular component/maturity level combination is true, then that maturity status is reported (in this case, “baseline”).

By our analysis, CAT’s prescriptive data informs over 90% of the CSF assessment. For example, here are four statements that define the Baseline level maturity for IT Asset Management:

An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.
Management assigns accountability for maintaining an inventory of organizational assets.
A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools.

Excerpted from FFIEC Cybersecurity Assessment Tool, Inherent Risk Profile

If all of these FFIEC statements are true, that makes it easier to answer several questions in NIST CSF about the maturity of several inventory practices involving hardware, software, services, and data assets.

Our conclusion is that using FFIEC CAT and NIST CSF together provides efficiencies and delivers assessments that fully support each guideline. For conscientious organizations following FFIEC guidance, using both instruments should start with CAT, then follow up with CSF. Using both will save time and provide a highly comprehensive overview of your organization’s cyber risk and maturity.

Subscribe
Be notified of new Journal entries in your email box or Follow us on Twitter.