Blog - Integrity Technology Solutions

CAT Sunset: What The August 2025 Deadline Really Means For Financial Institutions

Written by Scott Stevens | July 2, 2025 at 9:25 PM

If you built your cybersecurity program around the FFIEC Cybersecurity Assessment Tool (CAT), you now have a hard date circled on the calendar: August 31, 2025.

On that day, the FFIEC will pull the CAT from its website and stop maintaining it altogether.

The decision reflects a simple reality—while the CAT’s control questions are still sound, newer, more flexible resources now exist, and the agencies no longer plan to keep two overlapping playbooks current.


The Requirement To Self-Assess Is Still Alive and Well

Several regulators have already stressed that the CAT’s retirement does not loosen expectations.

You must still conduct, document, and board-approve an annual cybersecurity self-assessment; only the preferred tool is changing.

In other words, auditors will keep asking, “Do you know your risks and what controls you have implemented to mitigate the risks? How do you know you’re secure?” You’ll just answer with a different framework.


The Short List of Acceptable Successors

Regulators are pointing institutions to four mainstream options and encouraging each bank to pick the one that best fits its size and complexity:

Each option is valid; none is one-size-fits-all.

Larger, multi-state banks often gravitate to the CRI Profile because it mirrors multiple supervisory regimes, while a sub-$500M financial institution might begin with CIS Controls IG1 to get quick traction without overwhelming staff.


What Could This Actually Look Like?

Imagine Jane, the compliance officer at Valley Community Bank.

She prints her last CAT workbook and highlights the controls where the bank scored “Baseline.”

In the next board packet, she explains that the CAT is headed for sunset, outlines three replacement frameworks, and recommends NIST CSF 2.0 because the bank’s core processor already offers a CSF reporting module.

With board sign-off in hand, Jane maps the CAT questions to CSF outcomes, updates policy references, and runs a pilot assessment before year-end.

When her examiner arrives in early 2026, Jane hands over a tidy folder labeled “CAT-to-CSF Cross-Walk” and a new maturity roadmap.

The transition is a non-event, and that is the goal.


Your One-Year Glide Path

Feel free to adjust the pace as needed.

  • Months 0-1 – Preserve the baseline. Archive your most recent CAT results and brief executive management on the deadline.
  • Months 1-3 – Select the new framework. Short-list one or two candidates, test-drive their questionnaires, and choose the best cultural fit.
  • Months 3-6 – Update artifacts. Revise policies, procedures, and evidence-collection methods so they reference the new control language.
  • Months 6-9 – Run the first assessment. Score yourself, identify gaps, and tie remediation tasks to budget and staffing plans.
  • Months 9-12 – Validate and tune. Conduct a tabletop or external readiness review, then fine-tune metrics before the next examination cycle.

Start sooner if your exam window falls early in 2026; push later only if your regulator has already confirmed a late-2026 visit.


What Examiners Will Want To See In 2026

  1. Rationale for your chosen framework and how it aligns with inherent risk.
  2. Documented assessment results under the new model, reviewed and approved by the board.
  3. Evidence of movement—for example, progress from CIS IG1 to IG2 to IG3, or tier advancement in the CRI Profile.
  4. A living improvement loop tying incident lessons and threat intel back into control updates.
  5. Clear board oversight: minutes showing risk discussions, budget decisions, and staffing allocations linked to cybersecurity posture.


Moving Forward—With a Little Help If You Need It

Integrity Technology Solutions is already guiding peer institutions through the shift.

Our team is available to partner with you to make this transition seamless. We can:

  • Facilitate a half-day Framework-Selection Workshop that links each option to your risk profile.
  • Provide ready-made CAT-to-NIST and CAT-to-CRI cross-walk sheets that shave weeks off the mapping exercise.
  • Run a mock examiner review using former bank auditors to surface documentation gaps before the real visit.
  • Deliver plain-English board training that translates technical control jargon into enterprise risk language.

Do you need help planning the transition? Please reach out directly to:

Ben Mitzelfelt

Integrity Technology Services

bmitzelfelt@integrityts.com

309-291-1214

Starting now turns the CAT’s sunset into a smooth sunrise on a more modern, flexible cybersecurity program.

Scott Stevens, CISO

Integrity Technology Solutions