FFIEC exams, after the CAT

Stay FFIEC examination-ready

With the FFIEC Cybersecurity Assessment Tool retired, map your program to NIST CSF 2.0 or the CRI Profile, manage the controls examiners expect, and keep evidence exam-ready.

What is the FFIEC?

The Federal Financial Institutions Examination Council (FFIEC) is the US interagency body that prescribes uniform principles, standards, and report forms for the federal examination of financial institutions. Its IT Examination Handbook is the reference examiners use to evaluate an institution's information security, business continuity, and IT risk management.

The CAT sunset

From 2015, many institutions used the FFIEC Cybersecurity Assessment Tool (CAT) to self-assess their cyber maturity. The FFIEC retired the CAT on August 31, 2025, having decided not to update it to reflect newer government resources. Institutions are expected to transition to standardized, actively maintained frameworks instead:

  • NIST CSF 2.0 — by far the most common replacement.
  • CRI Profile — the Cyber Risk Institute's financial-sector tailoring of NIST CSF, which maps to FFIEC handbooks, NY DFS Part 500, and other supervisory regimes.
  • CIS Controls and the CISA Cybersecurity Performance Goals — additional options.

Importantly, the IT Examination Handbook and the examination program itself remain in force; only the voluntary CAT went away.

How episki helps

episki maps your program to NIST CSF 2.0 or the CRI Profile, carries your prior CAT work forward, and organizes controls and evidence to the FFIEC IT Examination Handbook domains. Because the same controls cross-map to GLBA, NY DFS Part 500, SOC 2, and ISO 27001, your institution runs one program for every regulator instead of many.

FFIEC outcomes with episki

Quantify the impact security and compliance bring to your business.
CAT retired
The FFIEC CAT was sunset on August 31, 2025 — a successor mapping is needed.
NIST CSF 2.0
The most-adopted CAT replacement, fully supported in episki.
Exam-ready
IT Examination Handbook expectations tracked as living controls.

Why teams choose episki for FFIEC

Framework-specific automation, collaboration, and reporting in one workspace.
A clean CAT replacement
Move off the retired CAT onto a maintained, examiner-recognized framework.
  • NIST CSF 2.0 mapping out of the box
  • CRI Profile for financial-sector depth
  • CIS Controls and CISA CPGs as options
Examination readiness
Organize controls and evidence to the FFIEC IT Examination Handbook.
  • Control-to-handbook mapping
  • Examiner-ready evidence library
  • Risk assessment and board reporting
One program, every regulator
Reuse the same controls across overlapping financial obligations.
  • Crosswalk to GLBA Safeguards
  • Crosswalk to NY DFS Part 500
  • Reuse SOC 2 and ISO 27001 evidence

FFIEC readiness inside episki

What an examined institution needs in place after the CAT sunset.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Successor framework selected (NIST CSF 2.0 or CRI Profile)
  • Control library mapped to the FFIEC IT Examination Handbook
  • Cybersecurity risk assessment kept current
  • Board and management reporting
  • Third-party / vendor risk management
  • Examiner-ready evidence library

FFIEC readiness accelerators

Make the post-CAT transition without losing exam readiness.
CAT-to-CSF mapping
Carry your prior CAT work forward into NIST CSF 2.0 or the CRI Profile.
Exam evidence library
Organize artifacts to the IT Examination Handbook domains.
Financial-framework crosswalk
Reuse evidence across GLBA, NY DFS, SOC 2, and ISO 27001.

Stay FFIEC exam-ready in episki

Map to NIST CSF 2.0 or the CRI Profile and keep evidence ready across GLBA and NY DFS.