An official website of the United States government
Parts of this site may be down for maintenance from Thursday, December 19, 9:00 p.m. Sunday, December 22, 9:00 a.m. (Eastern).
OCC Bulletin 2024-25 | August 29, 2024
Share This Page:
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Federal Financial Institutions Examination Council (FFIEC),1 on behalf of its members, is issuing this statement to communicate that the FFIEC will sunset the Cybersecurity Assessment Tool (CAT)2 on August 31, 2025.
This statement applies to all OCC-supervised institutions.
This statement
The CAT was released in June 2015 as a voluntary assessment tool to help financial institutions identify their risks and determine their cybersecurity preparedness. While the fundamental security controls addressed throughout the maturity levels of the CAT are sound, several new and updated government and industry resources are available that financial institutions can leverage to better manage cybersecurity risks.
After much consideration, the FFIEC has determined not to update the CAT to reflect new government resources, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals. Supervised financial institutions can instead refer directly to these new government resources. CISA released Cross-Sector Cybersecurity Performance Goals in 2023 and is preparing to release Cybersecurity Performance Goals for the Financial Sector later this year. These resources were developed to help organizations of all sizes and sectors manage and reduce their cybersecurity risk in alignment with a whole-of-government approach to improve security and resilience.
Please contact Patrick J. Kelly, Director for Critical Infrastructure Policy, Operational Risk Division, at (202) 649-6550.
Grovetta D. Gardineer Senior Deputy Comptroller for Bank Supervision Policy
1 The FFIEC members are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee.
2 The National Credit Union Administration will continue to support and encourage credit unions to use the Automated Cybersecurity Examination Tool (NCUA ACET), derived from the FFIEC CAT.