In June of 2015 the FFIEC (Federal Financial Institutions Examination Council) released the first version of their Cybersecurity Assessment Tool (CAT). The FFIEC, for those not aware, is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions and is made up of 6 different agencies.
The FFIEC already has a set of works called the IT Examination Handbooks, about a dozen, which help set down standards for IT in several areas. One of interest would be the Information Security one that was finally updated in 2016.
Now, the CAT was created to help institutions with their IT risk and determine their cybersecurity maturity or preparedness. Intended to be voluntary, apparently a lot of examiners are expecting it be done. The FFIEC also worked with NIST to develop it, and so there are ties from the CAT to the Cybersecurity Framework. (for more on the issue of its "voluntary" use, read the article HERE.)
The work consists of basically two parts. One is the Inherent Risk Profile, which measures risk over 5 categories on a 5 point scale. This scale is very clear, so there is no room for interpretation.
The second part is the Cybersecurity Maturity, which rates maturity of five domains on a 5 point scale from baseline to innovative, similar to the CMM. Again, this rating is based on clearly defined items being met.
Well, in May of 2017, FFIEC has released an update of the CAT, which is a v1.1. An incremental update, not a re-write. The biggest update was they updated Appendix A, which has the mapping from the CAT to the IT Examination Handbooks. Since v1.0 of the CAT was released, they have updated two important IT Examination Handbooks: Information Security and Management.
In addition, the updated CAT "provide[s] additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment." As I understand it, these options were done because for some small institutions, they needs to be able to have complementary practices and not the hard and fast practices in the original CAT. Hopefully these improvements will help these organizations better utilize the CAT.
An interesting article and podcast on the updated CAT is HERE.
With the upcoming update to the NIST Cybersecurity Framework, which the CAT links to, will we see another update next year. And will that be a v2 or another incremental update (a v1.2 or 1.5)?