
FFIEC CAT retirement: what financial IAM teams need to replace


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: The FFIEC retired the Cybersecurity Assessment Tool on August 31, 2025, pushing financial institutions toward NIST CSF 2.0 and CRI Profiles for a more risk-based posture across access control, monitoring, third-party governance, and data security, according to Cyera. Static maturity scoring is giving way to governance that ties controls to exposure, accountability, and lifecycle reality.

NHIMG editorial — based on content published by Cyera: The CAT's Not Coming Back and what comes next after the FFIEC assessment tool retirement

Questions worth separating out

Q: How should financial institutions replace the FFIEC CAT with a more current governance model?

A: They should use a risk-based framework such as NIST CSF 2.0 or CRI Profiles, then map identity, access, and third-party controls to live operational evidence.

Q: Why do third-party identities become a governance problem when assessment models change?

A: Because vendors, integrations, and service accounts often keep access after the business relationship changes.

Q: What should IAM teams measure after moving away from a legacy maturity tool?

A: They should measure whether account inventories are complete, whether stale or ghost accounts still exist, and whether access reviews produce actual revocation.

Practitioner guidance

  • Rebuild the CAT replacement around live control evidence: Use NIST CSF 2.0 or CRI Profiles as the assessment backbone, but anchor the programme in real evidence such as account inventories, access logs, and termination workflows rather than static maturity scores.
  • Tie third-party offboarding to identity revocation: Create one termination process that removes human, application, and service access when a contract or vendor relationship ends, and require confirmation that stale or ghost accounts are gone.
  • Validate who can reach sensitive data today: Refresh discovery and classification so the access review includes users, applications, databases, and service accounts that store or process regulated data, with special attention to excessive permissions.

What's in the full article

Cyera's full article covers the operational detail this post intentionally leaves for the source:

  • Specific NIST CSF 2.0 control areas Cyera says it supports across GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER
  • The CRI Profile control families for independent risk management, independent audit, procurement diligence, monitoring, and relationship termination
  • Examples of how Cyera maps data discovery, stale account detection, and third-party monitoring into the assessment workflow
  • The vendor's discussion of its Dataport and MCP Server for natural-language querying of sensitive data locations

👉 Read Cyera's analysis of what replaces the FFIEC CAT for financial institutions →


Explore further

View Full Forum →  |  NHI Foundation Course →
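The three measurements the post asks IAM teams to take (inventory completeness, stale or ghost accounts, and whether review decisions actually led to revocation) can be checked mechanically once the inputs exist as data. The script below is an added example written for this thread, not code from Cyera or from the NHIMG editorial. It assumes three constructed inputs: an account inventory with an owning employee or vendor id and last-use date, a list of owner relationships with end dates (HR or contract records), and the decisions from the last access review. The 90-day staleness threshold and all sample records are assumptions for illustration.

```python
"""Added example: evidence checks for an identity inventory after the CAT.
All records below are constructed; the 90-day threshold is an assumed policy value."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER_DAYS = 90  # assumed policy threshold for "stale"


@dataclass(frozen=True)
class Account:
    account_id: str
    kind: str                    # "human", "service" or "application"
    owner: str                   # employee or vendor id that justifies the access
    last_used: Optional[date]    # None = never used
    enabled: bool


@dataclass(frozen=True)
class Relationship:
    owner: str
    ended: Optional[date]        # None = employment/contract still active


@dataclass(frozen=True)
class ReviewDecision:
    account_id: str
    decision: str                # "keep" or "revoke"
    decided_on: date


TODAY = date(2025, 9, 30)        # fixed "today" so the example is reproducible

# Constructed sample inventory (hypothetical identifiers).
ACCOUNTS = [
    Account("u.alice", "human", "emp-001", date(2025, 9, 29), True),
    Account("svc-payments-etl", "service", "vendor-acme", date(2025, 9, 28), True),
    Account("svc-legacy-report", "service", "vendor-oldco", date(2025, 3, 1), True),  # contract ended, still enabled
    Account("app-kyc-sync", "application", "emp-044", None, True),                    # provisioned, never used
    Account("u.bob", "human", "emp-017", date(2025, 9, 1), True),
]
RELATIONSHIPS = [
    Relationship("emp-001", None),
    Relationship("emp-017", None),
    Relationship("emp-044", None),
    Relationship("vendor-acme", None),
    Relationship("vendor-oldco", date(2025, 6, 30)),  # vendor relationship terminated
]
DECISIONS = [
    ReviewDecision("svc-legacy-report", "revoke", date(2025, 7, 15)),
    ReviewDecision("u.bob", "keep", date(2025, 7, 15)),
]


def ghost_accounts(accounts, relationships, today=TODAY):
    """Enabled accounts whose owning relationship has ended or is not on record."""
    active = {r.owner for r in relationships if r.ended is None or r.ended > today}
    return sorted(a.account_id for a in accounts if a.enabled and a.owner not in active)


def stale_accounts(accounts, today=TODAY, max_age=STALE_AFTER_DAYS):
    """Enabled accounts not used within max_age days (never-used counts as stale)."""
    cutoff = today - timedelta(days=max_age)
    return sorted(a.account_id for a in accounts
                  if a.enabled and (a.last_used is None or a.last_used < cutoff))


def unexecuted_revocations(accounts, decisions):
    """Review said 'revoke' but the account is still enabled: the review produced no revocation."""
    enabled = {a.account_id for a in accounts if a.enabled}
    return sorted(d.account_id for d in decisions
                  if d.decision == "revoke" and d.account_id in enabled)


def unreviewed_accounts(accounts, decisions):
    """Enabled accounts the last review never looked at: a completeness gap in the evidence."""
    reviewed = {d.account_id for d in decisions}
    return sorted(a.account_id for a in accounts if a.enabled and a.account_id not in reviewed)


def governance_report(accounts=ACCOUNTS, relationships=RELATIONSHIPS,
                      decisions=DECISIONS, today=TODAY):
    """Bundle the four findings so they can be tracked as control evidence over time."""
    return {
        "ghost": ghost_accounts(accounts, relationships, today),
        "stale": stale_accounts(accounts, today),
        "revoke_not_executed": unexecuted_revocations(accounts, decisions),
        "not_reviewed": unreviewed_accounts(accounts, decisions),
    }


if __name__ == "__main__":
    for finding, ids in governance_report().items():
        print(f"{finding}: {ids}")
```

In the sample data the terminated vendor's service account shows up in three findings at once (ghost, stale, and revoke-not-executed), which is the pattern the post warns about: the review recorded the right decision, but nothing proved the access was removed. Tracking these four lists per review cycle is the kind of live evidence a CSF 2.0 or CRI Profile mapping can point to instead of a maturity score.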



   
Quote
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Retiring the CAT exposes the weakness of maturity-only security governance. Maturity scoring is useful for benchmarking, but it is a poor substitute for control-level evidence when access spans humans, service accounts, and third parties. Financial institutions that relied on the CAT now have to prove whether identities are visible, entitlements are current, and termination actually removes access. The implication is that governance must move from assessment theatre to operational accountability.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who should own identity governance when financial-sector controls expand?

A: Ownership should be shared across IAM, security, risk, audit, and procurement, with clear accountability for third-party termination and evidence collection. Financial-sector governance fails when no one owns the handoff between contract end and access removal. The most effective model makes revocation a tracked business control, not a technical side effect.

👉 Read our full editorial: Retiring the FFIEC CAT shifts financial identity governance



   
ReplyQuote
Share: