A Comprehensive Assessment of FFIEC CAT and NIST CSF

Jul 24, 2018

What are the differences between cyber assessments from FFIEC and NIST? Can information from one assessment help with the other? Are there efficiencies to be gained by working with both simultaneously?
Most financial institutions are strongly encouraged by FFIEC to regularly assess and report the results of the Cybersecurity Assessment Tool (CAT). Developed by FFIEC, CAT is compatible with the NIST Cybersecurity Framework (CSF), and since its release in 2015, FFIEC has recommended that banks, credit unions, and other institutions incorporate NIST CSF as well.

The NIST CSF is comprehensive and meant for a high-level view of cyber risk across the organization. CAT is more detailed and more prescriptive in its assessment. Where CSF asks about people, policy, and processes, CAT asks about specific implementations of specific tools.

The CAT table below shows the maturity assessment structure at a glance. It depicts the relationships between the Domains, Assessment Factors, and Components that make up the CAT framework.

| Domain | Assessment Factor | Component |
|---|---|---|
| Cyber Risk Management and Oversight | Governance | Oversight |
| | | IT Asset Management |
| | Risk Management | Risk Management Program |
| | | Risk Assessment |
| | Resources | Staffing |
| | Training and Culture | Training |
| Threat Intelligence and Collaboration | Threat Intelligence | Threat Intelligence and Information |
| | Monitoring and Analyzing | Monitoring and Analyzing |
| | Information Sharing | Information Sharing |
| Cybersecurity Controls | Preventative Controls | Infrastructure Management |
| | | Access and Data Management |
| | | Device/End-Point Security |
| | | Secure Coding |
| | Detective Controls | Threat and Vulnerability Detection |
| | | Anomalous Activity Detection |
| | | Event Detection |
| | Corrective Controls | Patch Management |
| External Dependency Management | Connections | Connections |
| | Relationship Management | Due Diligence |
| | | Contracts |
| | | Ongoing Monitoring |
| Cyber Incident Management and Resilience | Incident Resilience Planning and Strategy | Planning |
| | Detection, Response, and Mitigation | Detection |
| | | Response and Mitigation |
| | Escalation and Reporting | Escalation and Reporting |
| Totals | 15 | 30 |

NIST CSF requires an organization to rate the maturity of its cyber policies and processes using a 5-point scale of maturity. FFIEC CAT actually comprises two parallel assessments – Inherent Risk and Cybersecurity Maturity. Its risk assessment also uses a 5-point scale, but the maturity appraisal requires yes or no answers to 494 statements about specific activities, services, and products. The objectives are to evaluate cyber risks that exist without having any protections in place, then rate the maturity of measures in place, and finally to examine risk and maturity together to understand the organization’s risk status and determine where improvements are needed.

| | FFIEC CAT | NIST CSF |
|---|---|---|
| Release / Latest Update | June 2015 / May 2017 | February 2014 / April 2018 |
| Target | Financial Institutions | Critical Infrastructure |
| Purpose | Help institutions identify their risks and assess their cybersecurity preparedness | Help private sector organizations improve prevention, detection, and response to cyberattacks |
| Description | Two assessments | One assessment |
| Scope | Thorough; prescriptive | Comprehensive; non-prescriptive |
| Approx. number of controls | 500 | 100 |

The CAT maturity level is derived by rating the 30 components described in the table above. For each component, a set of statements is presented for each of the five maturity levels, and the organization answers yes or no to each statement. If every statement for a given component and maturity level is true, the component is reported at that maturity level (for example, "Baseline").

By our analysis, CAT’s prescriptive data informs over 90% of the CSF assessment. For example, here are four statements that define the Baseline level maturity for IT Asset Management:

  • An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
  • Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.
  • Management assigns accountability for maintaining an inventory of organizational assets.
  • A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools.

Excerpted from FFIEC Cybersecurity Assessment Tool, Inherent Risk Profile

If all of these FFIEC statements are true, it becomes easier to answer the NIST CSF questions about the maturity of the organization's inventory practices for hardware, software, services, and data assets.
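The scoring rule described above, and the way a completed CAT component feeds the CSF, can be made concrete in code. The following is an added example written for this page; it is not code from the article or from Cybernance. It assumes that CAT maturity levels are cumulative (a level counts only if every lower level is also fully satisfied), uses the five CAT level names Baseline through Innovative (the article names only Baseline), adds one hypothetical Evolving statement so the cumulative rule has something to stop on, and uses an illustrative mapping from the four quoted IT Asset Management statements to NIST CSF subcategory identifiers (ID.AM-1, ID.AM-2, ID.AM-5, ID.AM-6, PR.IP-3) that is the example's own assumption, not FFIEC's or NIST's published crosswalk.

```python
"""Compute an FFIEC CAT component's attained maturity level from yes/no answers
and list the NIST CSF subcategories those answers supply evidence for.

Added example, not code from the article. The cumulative-level rule, the
hypothetical Evolving statement, and the CAT-to-CSF mapping are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CAT's five maturity levels, lowest to highest.
MATURITY_LEVELS = ("Baseline", "Evolving", "Intermediate", "Advanced", "Innovative")


@dataclass(frozen=True)
class Statement:
    """One CAT declarative statement and the CSF subcategories it informs (assumed mapping)."""
    text: str
    csf: Tuple[str, ...]


# Constructed sample component: the four Baseline statements for IT Asset Management
# quoted in the article, plus one hypothetical Evolving statement.
IT_ASSET_MANAGEMENT: Dict[str, List[Statement]] = {
    "Baseline": [
        Statement("An inventory of organizational assets is maintained.", ("ID.AM-1", "ID.AM-2")),
        Statement("Organizational assets are prioritized for protection based on the data "
                  "classification and business value.", ("ID.AM-5",)),
        Statement("Management assigns accountability for maintaining an inventory of "
                  "organizational assets.", ("ID.AM-6",)),
        Statement("A change management process is in place to request and approve changes to "
                  "systems configurations, hardware, software, applications, and security tools.",
                  ("PR.IP-3",)),
    ],
    "Evolving": [
        Statement("(hypothetical) The asset inventory is reconciled against discovery results "
                  "on a defined schedule.", ("ID.AM-1",)),
    ],
}


def attained_level(component: Dict[str, List[Statement]],
                   answers: Dict[str, List[bool]]) -> Optional[str]:
    """Return the highest level whose statements, and every lower level's statements,
    are all answered True; None when Baseline is not met.

    Assumption: levels are cumulative. An unanswered or partially answered level is
    treated as not attained, so an incomplete assessment never over-reports maturity.
    """
    attained = None
    for level in MATURITY_LEVELS:
        statements = component.get(level, [])
        level_answers = answers.get(level, [])
        if not statements or len(level_answers) != len(statements) or not all(level_answers):
            break
        attained = level
    return attained


def open_items(component: Dict[str, List[Statement]],
               answers: Dict[str, List[bool]]) -> List[Tuple[str, str]]:
    """(level, statement) pairs answered False or left unanswered: the improvement list."""
    items = []
    for level in MATURITY_LEVELS:
        level_answers = answers.get(level, [])
        for i, st in enumerate(component.get(level, [])):
            if i >= len(level_answers) or not level_answers[i]:
                items.append((level, st.text))
    return items


def informed_csf_subcategories(component: Dict[str, List[Statement]],
                               answers: Dict[str, List[bool]]) -> List[str]:
    """CSF subcategories for which a 'yes' CAT answer already supplies evidence."""
    subs = set()
    for level in MATURITY_LEVELS:
        for st, ans in zip(component.get(level, []), answers.get(level, [])):
            if ans:
                subs.update(st.csf)
    return sorted(subs)


if __name__ == "__main__":
    # Constructed answer set: all Baseline statements true, the Evolving one false.
    sample = {"Baseline": [True, True, True, True], "Evolving": [False]}
    print("Attained level:", attained_level(IT_ASSET_MANAGEMENT, sample))
    for level, text in open_items(IT_ASSET_MANAGEMENT, sample):
        print(f"Open at {level}: {text}")
    print("CSF subcategories informed:", informed_csf_subcategories(IT_ASSET_MANAGEMENT, sample))
```

Running the block reports the component at Baseline, lists the single open Evolving statement as the next improvement, and shows which CSF subcategories the four "yes" answers already cover, which is the reuse the article describes. A single "no" at Baseline drops the component to no attained level while the remaining "yes" answers still count as CSF evidence.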

© 2018 Cybernance Corporation

Our conclusion is that using FFIEC CAT and NIST CSF together provides efficiencies and delivers assessments that fully support each guideline. For conscientious organizations following FFIEC guidance, using both instruments should start with CAT, then follow up with CSF. Using both will save time and provide a highly comprehensive overview of your organization’s cyber risk and maturity.
