What are the differences between cyber assessments from FFIEC and NIST? Can information from one assessment help with the other? Are there efficiencies to be gained by working with both simultaneously?
Most financial institutions are strongly encouraged by FFIEC to regularly assess and report the results of the Cybersecurity Assessment Tool (CAT). Developed by FFIEC, CAT is compatible with the NIST Cybersecurity Framework (CSF), and since its release in 2015, FFIEC has recommended that banks, credit unions, and other institutions incorporate NIST CSF as well.
The NIST CSF is comprehensive and meant for a high-level view of cyber risk across the organization. CAT is more detailed and more prescriptive in its assessment. Where CSF asks about people, policy, and processes, CAT asks about specific implementations of specific tools.
The CAT table below visualizes the maturity assessment process in a glance. It depicts the relationships between the Domains, Assessment Factors, and Components that make up the CAT framework.
|Cyber Risk Management and Oversight||Governance||Oversight|
|IT Asset Management|
|Risk Management||Risk Management Program|
|Training and Culture||Training|
|Threat Intelligence and Collaboration||Threat Intelligence||Threat Intelligence and Information|
|Monitoring and Analyzing||Monitoring and Analyzing|
|Information Sharing||Information Sharing|
|Cybersecurity Controls||Preventative Controls||Infrastructure Management|
|Access and Data Management|
|Detective Controls||Threat and Vulnerability Detection|
|Anomalous Activity Detection|
|Corrective Controls||Patch Management|
|External Dependency Management||Connections||Connections|
|Relationship Management||Due Diligence|
|Cyber Incident Management and Resilience||Incident Resilience Planning and Strategy.||Planning|
|Detection, Response, and Mitigation||Detection|
|Response and Mitigation|
|Escalation and Reporting||Escalation and Reporting|
NIST CSF requires an organization to rate the maturity of its cyber policies and processes using a 5-point scale of maturity. FFIEC CAT actually comprises two parallel assessments – Inherent Risk and Cybersecurity Maturity. Its risk assessment also uses a 5-point scale, but the maturity appraisal requires yes or no answers to 494 statements about specific activities, services, and products. The objectives are to evaluate cyber risks that exist without having any protections in place, then rate the maturity of measures in place, and finally to examine risk and maturity together to understand the organization’s risk status and determine where improvements are needed.
|FFIEC CAT||NIST CSF|
|Release/Latest Update||June 2015 / May 2017||February 2014 / April 2018|
|Target||Financial Institutions||Critical Infrastructure|
|Purpose||Help institutions identify their risks and assess their cybersecurity preparedness||Help private sector organizations improve prevention, detection, and response to cyberattacks|
|Description||Two assessments||One assessment|
|Scope||Thorough; prescriptive||Comprehensive; non-prescriptive|
|Appr. Number of controls||500||100|
The CAT Maturity level is derived by rating 30 components as described in the table above. For each component, sets of statements for each of 5 maturity levels are presented, and the organization answers yes or no to each one. If every statement in a particular component/maturity level combination is true, then that maturity status is reported (in this case, “baseline”).
By our analysis, CAT’s prescriptive data informs over 90% of the CSF assessment. For example, here are four statements that define the Baseline level maturity for IT Asset Management:
- An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained.
- Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value.
- Management assigns accountability for maintaining an inventory of organizational assets.
- A change management process is in place to request and approve changes to systems configurations, hardware, software, applications, and security tools.
Excerpted from FFIEC Cybersecurity Assessment Tool, Inherent Risk Profile
If all of these FFIEC statements are true, that makes it easier to answer several questions in NIST CSF about the maturity of several inventory practices involving hardware, software, services, and data assets.
© 2018 Cybernance Corporation
Our conclusion is that using FFIEC CAT and NIST CSF together provides efficiencies and delivers assessments that fully support each guideline. For conscientious organizations following FFIEC guidance, using both instruments should start with CAT, then follow up with CSF. Using both will save time and provide a highly comprehensive overview of your organization’s cyber risk and maturity.