A Comprehensive Assessment of FFIEC CAT and NIST CSF

Jul 24, 2018

What are the differences between cyber assessments from FFIEC and NIST? Can information from one assessment help with the other? Are there efficiencies to be gained by working with both simultaneously?

FFIEC strongly encourages most financial institutions to complete the Cybersecurity Assessment Tool (CAT) regularly and report the results. Developed by FFIEC, CAT is compatible with the NIST Cybersecurity Framework (CSF), and since its release in 2015, FFIEC has recommended that banks, credit unions, and other institutions incorporate NIST CSF as well.

The NIST CSF is comprehensive and meant for a high-level view of cyber risk across the organization. CAT is more detailed and more prescriptive in its assessment. Where CSF asks about people, policy, and processes, CAT asks about specific implementations of specific tools.

The CAT table below visualizes the maturity assessment structure at a glance. It depicts the relationships between the Domains, Assessment Factors, and Components that make up the CAT framework.

Domain / Assessment Factor: Components

Cyber Risk Management and Oversight
  • Governance: Oversight; Strategy/Policies; IT Asset Management
  • Risk Management: Risk Management Program; Risk Assessment; Audit
  • Resources: Staffing
  • Training and Culture: Training; Culture

Threat Intelligence and Collaboration
  • Threat Intelligence: Threat Intelligence and Information
  • Monitoring and Analyzing: Monitoring and Analyzing
  • Information Sharing: Information Sharing

Cybersecurity Controls
  • Preventative Controls: Infrastructure Management; Access and Data Management; Device/End-Point Security; Secure Coding
  • Detective Controls: Threat and Vulnerability Detection; Anomalous Activity Detection; Event Detection
  • Corrective Controls: Patch Management; Remediation

External Dependency Management
  • Connections: Connections
  • Relationship Management: Due Diligence; Contracts; Ongoing Monitoring

Cyber Incident Management and Resilience
  • Incident Resilience Planning and Strategy: Planning; Testing
  • Detection, Response, and Mitigation: Detection; Response and Mitigation
  • Escalation and Reporting: Escalation and Reporting

Totals: 5 domains, 15 assessment factors, 30 components

NIST CSF requires an organization to rate the maturity of its cyber policies and processes using a 5-point scale of maturity. FFIEC CAT actually comprises two parallel assessments – Inherent Risk and Cybersecurity Maturity. Its risk assessment also uses a 5-point scale, but the maturity appraisal requires yes or no answers to 494 statements about specific activities, services, and products. The objectives are to evaluate cyber risks that exist without having any protections in place, then rate the maturity of measures in place, and finally to examine risk and maturity together to understand the organization’s risk status and determine where improvements are needed.

FFIEC CAT vs. NIST CSF

  • Release / latest update: FFIEC CAT June 2015 / May 2017; NIST CSF February 2014 / April 2018
  • Target: FFIEC CAT, financial institutions; NIST CSF, critical infrastructure
  • Purpose: FFIEC CAT helps institutions identify their risks and assess their cybersecurity preparedness; NIST CSF helps private sector organizations improve prevention, detection, and response to cyberattacks
  • Description: FFIEC CAT, two assessments; NIST CSF, one assessment
  • Scope: FFIEC CAT, thorough and prescriptive; NIST CSF, comprehensive and non-prescriptive
  • Approximate number of controls: FFIEC CAT, 500; NIST CSF, 100

The CAT maturity level is derived by rating the 30 components listed in the table above. For each component, a set of declarative statements is presented for each of the 5 maturity levels, and the organization answers yes or no to each statement. If every statement in a particular component/maturity-level combination is true, the organization reports that maturity level for the component (for the example below, “Baseline”).

By our analysis, CAT’s prescriptive data informs over 90% of the CSF assessment. For example, here are the four statements that define Baseline-level maturity for IT Asset Management:

  • An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
  • Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.
  • Management assigns accountability for maintaining an inventory of organizational assets.
  • A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools.

Excerpted from FFIEC Cybersecurity Assessment Tool, Inherent Risk Profile

If all of these FFIEC statements are true, it becomes easier to answer several NIST CSF questions about the maturity of inventory practices covering hardware, software, services, and data assets.
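The scoring rule described above (a component attains a maturity level only when every declarative statement at that level is answered yes) and the reuse of those answers for CSF are easy to get wrong in a spreadsheet, so here is an added worked example in Python. It is not code from this article, from FFIEC, or from NIST. The four Baseline statements are the ones quoted above; the statements for the higher levels, the CAT-to-CSF crosswalk, and the risk-to-maturity target table are constructed assumptions for illustration (the CSF subcategory IDs and the five CAT inherent-risk labels are real). The example treats levels as cumulative, meaning a level only counts once every lower level is fully met, which is how the FFIEC tool scores maturity even though the article does not spell it out; it also treats an unanswered statement as "no" so a gap in the questionnaire can never raise the reported level.

```python
"""Added example, not code from the Cybernance article, FFIEC, or NIST.

Derives a CAT component's maturity level from yes/no answers to its
declarative statements, reports what blocks the next level, shows how the
same answers pre-populate related NIST CSF subcategories, and flags whether
maturity falls short of an assumed target for the inherent-risk rating.
"""
from __future__ import annotations

# The five CAT maturity levels, lowest to highest (names are the FFIEC tool's own).
LEVELS = ("Baseline", "Evolving", "Intermediate", "Advanced", "Innovative")

# Constructed sample component. The four Baseline statements are the ones quoted
# in the article for IT Asset Management; the higher-level statements are hypothetical.
IT_ASSET_MANAGEMENT = {
    "Baseline": [
        "An inventory of organizational assets is maintained.",
        "Organizational assets are prioritized for protection based on the data classification and business value.",
        "Management assigns accountability for maintaining an inventory of organizational assets.",
        "A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools.",
    ],
    "Evolving": ["Hypothetical: the inventory is reconciled against network discovery scans."],
    "Intermediate": ["Hypothetical: inventory changes trigger automated configuration checks."],
    "Advanced": ["Hypothetical: asset data feeds continuous risk scoring."],
    "Innovative": ["Hypothetical: asset-management practices are shared with the industry."],
}

# Constructed yes/no answers (True = yes). Statements absent from the dict count as "no".
SAMPLE_ANSWERS = {
    IT_ASSET_MANAGEMENT["Baseline"][0]: True,
    IT_ASSET_MANAGEMENT["Baseline"][1]: True,
    IT_ASSET_MANAGEMENT["Baseline"][2]: True,
    IT_ASSET_MANAGEMENT["Baseline"][3]: True,
    IT_ASSET_MANAGEMENT["Evolving"][0]: True,
    IT_ASSET_MANAGEMENT["Intermediate"][0]: False,
}


def unmet_statements(component: dict, answers: dict, level: str) -> list[str]:
    """Statements at `level` that are not answered yes (missing answers count as no)."""
    return [s for s in component[level] if not answers.get(s, False)]


def maturity_level(component: dict, answers: dict) -> str | None:
    """Highest level whose statements, and all lower levels' statements, are all yes.

    Cumulative rule: stop at the first level with any unmet statement.
    Returns None when even Baseline is not attained.
    """
    attained = None
    for level in LEVELS:
        if unmet_statements(component, answers, level):
            break
        attained = level
    return attained


def next_level_gap(component: dict, answers: dict) -> tuple[str | None, list[str]]:
    """The next level to work toward and the statements still blocking it."""
    current = maturity_level(component, answers)
    idx = 0 if current is None else LEVELS.index(current) + 1
    if idx >= len(LEVELS):
        return None, []  # already at the top level
    return LEVELS[idx], unmet_statements(component, answers, LEVELS[idx])


# Assumed (illustrative) crosswalk from the quoted Baseline statements to NIST CSF
# v1.1 subcategories. The subcategory IDs exist in CSF v1.1; the pairing is ours.
CSF_CROSSWALK = {
    IT_ASSET_MANAGEMENT["Baseline"][0]: ["ID.AM-1", "ID.AM-2"],  # device / software inventories
    IT_ASSET_MANAGEMENT["Baseline"][1]: ["ID.AM-5"],             # resources prioritized by value
    IT_ASSET_MANAGEMENT["Baseline"][2]: ["ID.GV-2"],             # roles and responsibilities
    IT_ASSET_MANAGEMENT["Baseline"][3]: ["PR.IP-3"],             # configuration change control
}


def csf_evidence(answers: dict, crosswalk: dict = CSF_CROSSWALK) -> dict[str, bool]:
    """Per mapped CSF subcategory: True only if every CAT statement mapped to it is yes."""
    evidence: dict[str, bool] = {}
    for statement, subcats in crosswalk.items():
        answered_yes = answers.get(statement, False)
        for sc in subcats:
            evidence[sc] = evidence.get(sc, True) and answered_yes
    return dict(sorted(evidence.items()))


# Assumed target: the minimum maturity to aim for at each CAT inherent-risk rating.
# The five risk labels are the CAT's own; the pairing with maturity levels is ours.
RISK_TARGET = {"Least": "Baseline", "Minimal": "Evolving", "Moderate": "Intermediate",
               "Significant": "Advanced", "Most": "Innovative"}


def needs_improvement(inherent_risk: str, attained: str | None) -> bool:
    """True when the attained maturity is below the assumed target for the risk rating."""
    target = LEVELS.index(RISK_TARGET[inherent_risk])
    current = -1 if attained is None else LEVELS.index(attained)
    return current < target


if __name__ == "__main__":
    level = maturity_level(IT_ASSET_MANAGEMENT, SAMPLE_ANSWERS)
    nxt, blocking = next_level_gap(IT_ASSET_MANAGEMENT, SAMPLE_ANSWERS)
    print("IT Asset Management maturity:", level)
    print("Next level:", nxt, "blocked by:", blocking)
    print("CSF subcategories supported by CAT answers:", csf_evidence(SAMPLE_ANSWERS))
    print("Improvement needed at Moderate inherent risk?", needs_improvement("Moderate", level))
```

With the constructed answers the component reports Evolving, the gap report names the single Intermediate statement that is still unmet, and all five mapped CSF subcategories are supported. Answering any one Baseline statement "no" drops the component to no attained level regardless of the higher-level answers, which is the cumulative behaviour a reviewer should expect to see before trusting a CAT-to-CSF crosswalk.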

© 2018 Cybernance Corporation

Our conclusion is that using FFIEC CAT and NIST CSF together provides efficiencies and delivers assessments that fully support each guideline. For conscientious organizations following FFIEC guidance, using both instruments should start with CAT, then follow up with CSF. Using both will save time and provide a highly comprehensive overview of your organization’s cyber risk and maturity.
