The NIST CSF is comprehensive and meant for a high-level view of cyber risk across the organization. CAT is more detailed and more prescriptive in its assessment. Where CSF asks about people, policy, and processes, CAT asks about specific implementations of specific tools.
The CAT table below visualizes the maturity assessment process in a glance. It depicts the relationships between the Domains, Assessment Factors, and Components that make up the CAT framework.
|Cyber Risk Management and Oversight
|IT Asset Management|
|Risk Management||Risk Management Program|
|Training and Culture||Training|
|Threat Intelligence and Collaboration
||Threat Intelligence||Threat Intelligence and Information|
|Monitoring and Analyzing||Monitoring and Analyzing|
|Information Sharing||Information Sharing|
||Preventative Controls||Infrastructure Management|
|Access and Data Management|
|Detective Controls||Threat and Vulnerability Detection|
|Anomalous Activity Detection|
|Corrective Controls||Patch Management|
|External Dependency Management
|Relationship Management||Due Diligence|
|Cyber Incident Management and Resilience
||Incident Resilience Planning and Strategy.||Planning|
|Detection, Response, and Mitigation||Detection|
|Response and Mitigation|
|Escalation and Reporting||Escalation and Reporting|
|FFIEC CAT||NIST CSF|
|Release/Latest Update||June 2015 / May 2017||February 2014 / April 2018|
|Target||Financial Institutions||Critical Infrastructure|
|Purpose||Help institutions identify their risks and assess their cybersecurity preparedness||Help private sector organizations improve prevention, detection, and response to cyberattacks|
|Description||Two assessments||One assessment|
|Scope||Thorough; prescriptive||Comprehensive; non-prescriptive|
|Appr. Number of controls||500||100|
By our analysis, CAT’s prescriptive data informs over 90% of the CSF assessment. For example, here are four statements that define the Baseline level maturity for IT Asset Management:
- An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
- Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.
- Management assigns accountability for maintaining an inventory of organizational assets.
- A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools.
Excerpted from FFIEC Cybersecurity Assessment Tool, Inherent Risk Profile
If all of these FFIEC statements are true, that makes it easier to answer several questions in NIST CSF about the maturity of several inventory practices involving hardware, software, services, and data assets.
© 2018 Cybernance Corporation
Our conclusion is that using FFIEC CAT and NIST CSF together provides efficiencies and delivers assessments that fully support each guideline. For conscientious organizations following FFIEC guidance, using both instruments should start with CAT, then follow up with CSF. Using both will save time and provide a highly comprehensive overview of your organization’s cyber risk and maturity.