• This page, Review the FFIEC Cybersecurity Assessment Tool (CAT), is offered by
  • Division of Banks

Review the FFIEC Cybersecurity Assessment Tool (CAT)

Identify your financial institution's risks and cybersecurity preparedness using the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool.

The Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (CAT) to help banks and credit unions identify cybersecurity risks and determine their preparedness. The CAT is also useful for non-depository institutions. The CAT provides a measurable process for your financial institution to determine cybersecurity preparedness over time.

The CAT uses the NIST Cybersecurity Framework and tailors its guidance for banks and credit unions. The CAT consists of two parts: Inherent Risk Profile and Cybersecurity Maturity.

Part 1: Inherent Risk Profile

Cybersecurity inherent risk is the level of risk posed to your institution by:

  • Technologies and connection types
  • Delivery channels
  • Online/mobile products and technology services
  • Organizational characteristics
  • External threats

After completing the profile, you will be able to categorize your institution’s inherent risk into one of the following categories:

  • Least inherent risk
  • Minimal inherent risk
  • Moderate inherent risk
  • Significant inherent risk
  • Most inherent risk

Part 2: Cybersecurity Maturity

The Cybersecurity Maturity part of the CAT can help you measure the level of risk and the corresponding controls. Maturity levels range from baseline to innovative. Cybersecurity Maturity includes statements to determine whether your institution’s behaviors, practices, and processes support cybersecurity preparedness within five domains. The five domains are:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

The baseline level of maturity reflects the minimum expectations required by law and regulations or recommended in supervisory guidance. After this review, determine the appropriate maturity level in each domain, or the target state for Cybersecurity Maturity. Management can then develop action plans for achieving the target state.

Upon completion of the risk profile and maturity sections, evaluate whether your institution’s inherent risk and preparedness are aligned.

Additional Resources

FFIEC Information Technology Handbooks

The FFIEC also maintains Information Technology Handbooks. These handbooks are detailed guides to information technology.

The FFIEC Examiner Education Office also created the FFIEC InfoBase. The InfoBase has training materials on specific topics of interest to field examiners from the FFIEC member agencies.
