noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Technology

Board of Governors of the Federal Reserve System

11/22/2024 | Press release | Distributed by Public on 11/22/2024 11:14

FFIEC Cybersecurity Assessment Tool Sunset Statement

SR 24-7:

FFIEC Cybersecurity Assessment Tool Sunset Statement

BOARD OF GOVERNORS
OF THE FEDERAL RESERVE SYSTEM
WASHINGTON, D.C. 20551

DIVISION OF
SUPERVISION AND REGULATION

SR 24-7
November 22, 2024

TO THE OFFICER IN CHARGE OF SUPERVISION AT EACH FEDERAL RESERVE BANK

SUBJECT:

FFIEC Cybersecurity Assessment Tool Sunset Statement

Applicability: This letter applies to financial institutions supervised by the Federal Reserve, including those with $10 billion or less in consolidated assets.

The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, issued a statement on August 29, 2024, to communicate the sunset of the Cybersecurity Assessment Tool (CAT) in August 2025 (Statement). In light of new government resources available to financial institutions, the CAT will no longer be updated and will be removed from the FFIEC website on August 31, 2025.

As background, the CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks. As outlined in the Statement, these resources include the National Institute of Standards and Technology Cybersecurity Framework 2.0, the Cybersecurity and Infrastructure Security Agency's Cybersecurity Performance Goals, the Cyber Risk Institute's Cyber Profile, and the Center for Internet Security Critical Security Controls. These tools can be used in conjunction with other resources (e.g., frameworks, standards, guidelines, and leading practices) to better address and inform management of continuously evolving cybersecurity risk.

The Federal Reserve does not endorse any particular cybersecurity self-assessment tool. Supervised financial institutions should ensure that any self-assessment tool(s) they utilize supports an effective control environment and is commensurate with their risk.

The use of widely available tools aligned with industry standards and best practices can also support financial institutions in their discussions with supervisors. However, cybersecurity risk continuously evolves, and examiners may address areas not covered by all tools at a point in time. The Federal Reserve takes a risk-focused examination approach that relies on an understanding of the financial institution, the performance of risk assessments, the development of a supervisory plan or examination scope, and examination procedures tailored to the financial institution's risk profile.

Reserve Banks are asked to distribute this letter to the supervised financial institutions in their districts and to appropriate supervisory staff. In addition, financial institutions may submit questions via the Board's public website. ¹

signed by

Michael S. Gibson
Division of
Supervision and Regulation

Supersedes:

SR letter 15-9, "FFIEC Cybersecurity Assessment Tool for Chief Executive Officers and Boards of Directors"

Attachments:

FFIEC CAT Sunset Statement

Notes:

See https://www.federalreserve.gov/apps/contactus/feedback.aspx . Return to text.

Last Update: November 22, 2024

Sharing and Personal Tools

Please select the service you want to use: