On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) announced the release of an update to the Cybersecurity Assessment Tool (CAT). The update is the first for the tool since its initial release in 2015. While originally released by the FFIEC as an “optional” assessment tool for financial institutions, CAT has sparked controversy because of its application to new regulatory guidance and because of its structure and content. The last announcement regarding the CAT – addressing FAQs for the tool – was released in October 2016.
The 2017 update isn’t the sweeping overhaul financial institutions had been expecting. For example, the Inherent Risk Profile and Cybersecurity Maturity declarative statements remain unchanged. However, the update does include two changes:
Addition of compensating controls. The most significant change to the CAT is a third way to answer the cybersecurity maturity declarative statements: “Yes With Compensating Controls” (Y(C)), alongside the previous “Yes” or “No” (Y/N) options. In the updated guidance, the FFIEC defines a compensating control as “a management, operational, and/or technical control (e.g., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system.”[1] This change moves the tool from a black-and-white approach to one with a shade of gray. In practice a Y(C) answer should be backed by documentation of which recommended control is not in place, which control substitutes for it, and why the substitute provides equivalent or comparable protection; without that record, an examiner has no basis to accept the answer.
Appendix mapping update. The other change is an update to Appendix A, which maps the baseline maturity declarative statements to the FFIEC IT Examination Handbook booklets. The mapping now reflects the revised Management booklet (issued November 2015) and Information Security booklet (issued September 2016).
Institutions should revisit their answers to the declarative statements in the maturity assessment portion of the tool and identify any statements previously answered “No” where an existing compensating control closes the gap. Doing so could allow achievement of a higher maturity level than in prior assessments, provided each Y(C) answer is supported by documented evidence of the compensating control.
While the FFIEC now allows compensating controls in the CAT, it is not yet known how this update affects other CAT-related examination programs such as the FDIC’s InTREx. An answer of “Yes With Compensating Controls” that is acceptable for this assessment may not be accepted in other assessments or examinations, so institutions should confirm the treatment with their primary regulator before relying on it.
[1] Cybersecurity Assessment Tool, Federal Financial Institutions Examination Council, May 2017, p. 8,