On June 26, 2024, Evolve Bank & Trust, a roughly $1.5 billion community-class bank headquartered in Arkansas, disclosed a LockBit ransomware breach that ultimately affected about 7.6 million customers.

The Federal Reserve enforcement action issued that same June cited deficiencies in IT, risk management, and vendor governance. For community banks still running their FFIEC Cybersecurity Assessment Tool walkthrough on autopilot, Evolve was the cold-shower headline.

The Practitioner Cheat Sheet on the FFIEC Cybersecurity Assessment Tool
The FFIEC Cybersecurity Assessment Tool is the FFIEC’s voluntary self-assessment that pairs an Inherent Risk Profile across 39 activities with a Cybersecurity Maturity rating across five domains and 494 declarative statements, giving community bank boards a single page that translates cyber posture into examiner language.
Evolve Bank & Trust, a roughly $1.5 billion Arkansas community bank, disclosed a LockBit ransomware breach in June 2024 affecting about 7.6 million people. The FFIEC Cybersecurity Assessment Tool would have flagged third-party oversight and external dependency gaps months before the intrusion if the bank had refreshed the assessment.
The FFIEC retired the FFIEC Cybersecurity Assessment Tool on August 31, 2025, per the September 2024 FFIEC press release. Community banks are now migrating the CAT outputs into the NIST Cybersecurity Framework 2.0, the Cyber Risk Institute Profile, or CISA’s Cybersecurity Performance Goals while keeping prior CAT results for trend continuity.
The FFIEC Cybersecurity Assessment Tool walkthrough remains the cleanest on-ramp for community banks that need a board-ready scorecard. Use it as the bridge: keep the CAT mechanics for one more cycle, then crosswalk every domain into the six NIST CSF 2.0 functions, with the new Govern function carrying the board oversight load.
Verizon’s 2025 DBIR found 30% of confirmed breaches now involve a third party, double the 2024 share. Domain 4 of the FFIEC Cybersecurity Assessment Tool, External Dependency Management, is the highest-payoff area for community banks today because that is where examiner findings, ransomware blast radius, and CRA-era vendor concentration intersect.
Score the FFIEC Cybersecurity Assessment Tool against the Federal Reserve’s SR 24-7, OCC Bulletin 2024-25, and FDIC FIL-43-2024 sunset guidance. The exam expectation is that any community bank still referencing CAT maturity levels in the board pack has a documented transition plan with named owners and a target completion date inside 2026.
A working FFIEC Cybersecurity Assessment Tool walkthrough produces three artifacts: a one-page maturity radar, a domain-level gap log with owners, and a 90-day remediation calendar. Without those three, the assessment is wallpaper. With them, the next OCC or FDIC IT exam opens with the bank presenting its own findings instead of receiving them.

The FFIEC Cybersecurity Assessment Tool is the assessment most US community banks have leaned on since June 2015 to give the board and examiners a shared read of cyber maturity. The tool sunset on August 31, 2025, per FFIEC press release AN-09-29, but the mechanics remain the cleanest first pass for any community bank that has not yet migrated to NIST CSF 2.0 or the CRI Profile.

This walkthrough takes a community bank through the FFIEC Cybersecurity Assessment Tool end to end: the Inherent Risk Profile, the five Cybersecurity Maturity domains, the 494 declarative statements, the reading of results, and the crosswalk to NIST Cybersecurity Framework 2.0 that examiners now expect. The aim is a one-page maturity scorecard the audit committee reads in five minutes and an owner-named remediation calendar.

Why Community Banks Still Use the FFIEC Cybersecurity Assessment Tool in 2026

The FFIEC Cybersecurity Assessment Tool was released in June 2015 to help US financial institutions identify cyber risks and self-report cybersecurity preparedness. Per the OCC May 2017 update, the tool combined an Inherent Risk Profile with five Cybersecurity Maturity domains. The assessment is voluntary, but examiners treat the output as table stakes during IT exams.

Community banks adopted the FFIEC Cybersecurity Assessment Tool faster than larger institutions because it gave a small risk team a structured artifact without licensing fees.

The Federal Reserve’s SR 24-7 reiterated that the assessment remained acceptable through the sunset period and that examiners would accept it alongside other frameworks during transition.

The reason community banks still walk the FFIEC Cybersecurity Assessment Tool in 2026 is institutional memory. The board pack carries multi-year CAT maturity trends.

Audit committees can see whether the bank moved from Evolving to Intermediate on Cybersecurity Controls between 2022 and 2025, and that trend is what informs the next year’s IT capital plan.

Inside the FFIEC Cybersecurity Assessment Tool Architecture

The FFIEC Cybersecurity Assessment Tool has two halves. The Inherent Risk Profile rates 39 activities across five categories (technologies and connection types, delivery channels, online and mobile products, organizational characteristics, and external threats) on a scale from Least to Most. The Cybersecurity Maturity half rates the bank on 494 declarative statements grouped under five domains.

Figure 1. The 494 declarative statements in the FFIEC Cybersecurity Assessment Tool are concentrated in Domain 3 Cybersecurity Controls (220) and Domain 1 Cyber Risk Management & Oversight (98).

Step 1, Building the Inherent Risk Profile in the FFIEC Cybersecurity Assessment Tool

Step 1 of any FFIEC Cybersecurity Assessment Tool walkthrough is the Inherent Risk Profile. The IRP is the bank’s exposure before any controls.

The community bank rates 39 activities across five risk categories on a five-point scale: Least, Minimal, Moderate, Significant, and Most. The output is a per-category risk vector and an overall risk rating.

The five categories were designed to map a community bank’s whole attack surface. Technology choices, customer-facing channels, product complexity, the org chart, and the threat environment each shift the score independently.

A bank with no FedNow access, no public cloud workloads, and no mobile remote deposit capture scores Least or Minimal across most rows in the first two categories.

IRP Scoring Worked Example, $750M Community Bank Using the FFIEC Cybersecurity Assessment Tool

Picture a $750 million asset US community bank in the upper Midwest with 8 branches, mobile banking through a fintech partner, FedNow live since 2024, and core banking on Jack Henry.

The bank scores Moderate on Technologies and Connection Types, Significant on Delivery Channels (FedNow drives this), Moderate on Mobile Products, Minimal on Organizational, and Significant on External Threats.

The community bank’s overall Inherent Risk Profile lands at Moderate, with one Significant. The assessment team then writes a short narrative for each Significant row explaining the driver. FedNow’s instant-settlement irrevocability is the driver on Delivery Channels, and rising regional bank ransomware activity is the driver on External Threats per FBI IC3 reporting.

| IRP Category | Score | Driver | Documentation |
| --- | --- | --- | --- |
| Technologies & Connection Types | Moderate | Jack Henry core, 2 cloud SaaS apps, no internet-facing ATM management | Tech inventory + network diagram |
| Delivery Channels | Significant | FedNow live, mobile RDC, public website with loan apps | FedNow OFAC controls memo |
| Online & Mobile Products | Moderate | Bill pay, P2P via Zelle partner, ACH origination | Product risk register |
| Organizational | Minimal | 8 branches, 142 FTE, single state footprint | Org chart + assets map |
| External Threats | Significant | Regional ransomware uptick, OFAC sanctions risk on cross-border wires | FBI IC3 + ISAC briefings |

Step 2, Scoring the Five Maturity Domains in the FFIEC Cybersecurity Assessment Tool

Step 2 of the FFIEC Cybersecurity Assessment Tool walkthrough is the maturity half. Community banks score the bank against 494 declarative statements across five domains.

Each statement is answered Yes or No (a few have a Partial option). The bank’s maturity rises through Baseline, Evolving, Intermediate, Advanced, and Innovative as more statements are answered Yes.

Two ground rules govern Domain scoring. The first rule is that the bank cannot claim a higher maturity level without confirming every statement at every level below. The second rule is that Domain scores are independent; a community bank can be Intermediate on Cybersecurity Controls and Baseline on Threat Intelligence, and the radar chart will show it.

Domain 1, Cyber Risk Management & Oversight in the FFIEC Cybersecurity Assessment Tool

Domain 1 of the FFIEC Cybersecurity Assessment Tool walks 98 declarative statements covering governance, the risk management program, resources, and training.

The community bank confirms that the board approves the information security program annually, that a CISO or equivalent reports to the board, and that cyber risk appetite is documented. The IIA’s Three Lines Model is the structuring lens here.

Community banks under $1 billion in assets routinely sit at Baseline or Evolving on Domain 1 because the CISO is part-time, training cadence is annual rather than role-based, and the cyber risk appetite statement is folded into the broader ERM appetite. Moving to Intermediate usually requires hiring a fractional CISO and writing a standalone cyber appetite. Our enterprise risk management framework guide anchors the appetite work.

Domain 2, Threat Intelligence & Collaboration Inside the FFIEC Cybersecurity Assessment Tool

Threat intelligence content lives in 33 declarative statements under Domain 2 of the FFIEC Cybersecurity Assessment Tool. Banks document their intel inputs, sign onto sector groups such as FS-ISAC, and show that intelligence feeds back into control decisions. Domain 2 is where most community banks under-invest because intelligence has historically felt like a large-bank discipline.

The honest minimum for Domain 2 maturity at a community bank is FS-ISAC membership at the Premier tier, a documented monthly intel digest delivered to the CISO and CTO, and a tagged subset of indicators routed to the SIEM or MDR provider. That moves the bank from Baseline to Evolving and clears the way for Intermediate. Our guide to information security risk management lays out the input chain.

Domain 3, Cybersecurity Controls Maturity in the FFIEC Cybersecurity Assessment Tool

At 220 declarative statements, Domain 3 holds the heaviest concentration in the FFIEC Cybersecurity Assessment Tool maturity half. Community banks score preventive, detective, and corrective controls across infrastructure, access management, device security, secure coding, and threat protection. Domain 3 is where most exam findings land for community banks.

The most cited Domain 3 weaknesses at community banks per OCC Semiannual Risk Perspective Spring 2025 are privileged access management, multifactor authentication on legacy admin paths, and patching cadence on internet-facing systems. Closing those three closes most of the Domain 3 gap. Our cybersecurity risk management guide maps each control family back to NIST.

Domain 4, External Dependency Management Inside the FFIEC Cybersecurity Assessment Tool

Third-party risk lives in 49 declarative statements under Domain 4 of the FFIEC Cybersecurity Assessment Tool, spanning third-party connections, vendor risk management, and contractual cyber clauses.

Verizon’s 2025 Data Breach Investigations Report found 30% of confirmed breaches now involve a third party, double the prior year. Domain 4 is where community banks get the highest payoff per dollar of work today.

Domain 4 maturity at a community bank requires three things: a current third-party inventory with criticality tiering, SOC 2 Type II reports for every critical vendor, and named cyber clauses in every vendor contract. Our how to manage third party risk guide and the mitigate vendor risks playbook walk the bank through each step.
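The three Domain 4 requirements above are the kind of thing a vendor-management lead can check mechanically before the examiner does. The Python below is an added illustration, not the article's or the FFIEC's own code: it runs a constructed vendor inventory through those three checks (criticality tier present, SOC 2 Type II on file and fresh for every critical vendor, named cyber clauses in every contract). The tier names, the required clause names, the 365-day freshness threshold and the sample vendors are all assumptions made for the example.

```python
"""Added example (not this article's or the FFIEC's code): checks a constructed
vendor inventory against the three Domain 4 requirements the article names.
Tier names, clause names, the freshness threshold and the vendors are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

CRITICALITY_TIERS = ("Critical", "High", "Moderate", "Low")  # assumed tiering scheme
SOC2_MAX_AGE_DAYS = 365  # assumption: a SOC 2 Type II period end older than a year is stale
REQUIRED_CYBER_CLAUSES = (  # assumed clause names every contract must carry
    "breach-notification", "right-to-audit", "subcontractor-disclosure")


@dataclass(frozen=True)
class Vendor:
    name: str
    tier: Optional[str]                    # None means the vendor was never tiered
    soc2_type2_period_end: Optional[date]  # None means no report on file
    cyber_clauses: Tuple[str, ...]         # clause names present in the contract


def domain4_findings(vendors, as_of):
    """Return (vendor name, finding) pairs for every Domain 4 miss, in inventory order."""
    findings = []
    for v in vendors:
        if v.tier not in CRITICALITY_TIERS:
            findings.append((v.name, "no criticality tier assigned"))
        elif v.tier == "Critical":
            # SOC 2 Type II is demanded only for critical vendors
            if v.soc2_type2_period_end is None:
                findings.append((v.name, "critical vendor with no SOC 2 Type II on file"))
            elif (as_of - v.soc2_type2_period_end).days > SOC2_MAX_AGE_DAYS:
                findings.append((v.name, "SOC 2 Type II stale"))
        # Cyber clauses are demanded of every vendor regardless of tier
        missing = [c for c in REQUIRED_CYBER_CLAUSES if c not in v.cyber_clauses]
        if missing:
            findings.append((v.name, "contract missing cyber clauses: " + ", ".join(missing)))
    return findings


# Constructed inventory: names, dates and clause sets are invented for the example.
SAMPLE_VENDORS = [
    Vendor("CoreProcessor", "Critical", date(2025, 9, 30), REQUIRED_CYBER_CLAUSES),
    Vendor("MobileFintech", "Critical", date(2024, 12, 31),
           ("breach-notification", "subcontractor-disclosure")),
    Vendor("InstantPaymentsGateway", "Critical", None, REQUIRED_CYBER_CLAUSES),
    Vendor("BranchCleaning", "Low", None, ()),
    Vendor("NewMidCycleSaaS", None, None, ("breach-notification",)),  # onboarded mid-cycle, never tiered
]
AS_OF = date(2026, 3, 31)  # constructed review date


def run_check():
    """Run the Domain 4 checks over the constructed inventory."""
    return domain4_findings(SAMPLE_VENDORS, AS_OF)


if __name__ == "__main__":
    for name, finding in run_check():
        print(f"{name}: {finding}")
```

Feeding the real inventory export into `domain4_findings` gives the gap log rows for Domain 4 directly; the untiered mid-cycle vendor is the case the pitfalls table calls out, and it surfaces here because a missing tier is itself a finding rather than a silent skip.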

Domain 5, Cyber Incident Management & Resilience in the FFIEC Cybersecurity Assessment Tool

Incident planning, detection, response, escalation, and recovery sit inside Domain 5 of the FFIEC Cybersecurity Assessment Tool, across 89 declarative statements. The bank validates that an IR plan exists, that it is tested at least annually, and that the plan integrates with the BCP and DRP. Domain 5 ties directly into ISO 22301 business continuity thinking.

Community banks frequently sit at Evolving on Domain 5 because IR tabletop exercises happen annually but rarely with a ransomware-specific scenario.

Moving to Intermediate means running at least one full-functional ransomware exercise per year with the IR retainer counsel and forensics partner on the call. Our essential steps of incident response guide carries the playbook.

Reading the FFIEC Cybersecurity Assessment Tool Results Against Risk Appetite

The FFIEC Cybersecurity Assessment Tool produces two artifacts that matter at the audit committee: a radar chart of the five Domain maturities and an Inherent Risk versus Maturity overlay. The overlay is the entire point of the assessment. A community bank with Significant inherent risk on Delivery Channels but Baseline maturity on Domain 3 Cybersecurity Controls has a visible gap.

Figure 2. Banking-sector cyber benchmarks community banks should anchor against during the FFIEC Cybersecurity Assessment Tool review (Sophos 2025 State of Ransomware; Verizon 2025 DBIR; IBM 2025 Cost of a Data Breach).

The Sophos State of Ransomware in Financial Services 2025 reported 59% of financial-services ransomware events resulted in data encryption, above the 50% cross-industry average. The IBM Cost of a Data Breach Report 2025 pegged median detection at 199 days. Both numbers anchor the conversation when the bank reads its FFIEC Cybersecurity Assessment Tool output.

Where inherent risk exceeds maturity, the bank lists each row in a gap log with an owner, a target maturity level, and a remediation date. Where maturity exceeds inherent risk, the bank documents why the over-investment is intentional, usually because growth pipeline or M&A will lift the inherent risk inside the next planning cycle. Our risk appetite statements examples page anchors the tolerance language.
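The two ground rules from Step 2 (every statement at every lower level must be confirmed before a level is claimed; domains score independently) and the overlay logic just described can be written down as a small scoring routine. The Python below is an added example and is not the FFIEC's tool or code from this article: it scores a handful of constructed declarative statements per domain, then overlays the result against the IRP scores from the $750M bank example above. The category-to-domain pairing, the owner list, the treatment of "Partial" as not attained, and the assumption that the two five-point scales compare by ordinal position are all assumptions made for the illustration.

```python
"""Added example (not the FFIEC's tool or this article's own code): scores CAT
maturity domains under the two ground rules and builds the inherent-risk versus
maturity overlay with its gap log. Sample statements, the category-to-domain
mapping and the owners are constructed for the illustration."""
from dataclasses import dataclass

MATURITY_LEVELS = ["Baseline", "Evolving", "Intermediate", "Advanced", "Innovative"]
INHERENT_LEVELS = ["Least", "Minimal", "Moderate", "Significant", "Most"]


@dataclass(frozen=True)
class Statement:
    """One declarative statement: its domain, the level it belongs to, and the
    bank's answer ("Yes", "No" or "Partial")."""
    domain: str
    level: str
    answer: str


def domain_maturity(statements, domain):
    """Ground rule 1: a level is attained only when every statement at that level
    and at every level below it is answered Yes. Returns the highest attained
    level, or None when even the Baseline set is incomplete.
    Assumption: "Partial" counts as not attained."""
    attained = None
    for level in MATURITY_LEVELS:
        at_level = [s for s in statements if s.domain == domain and s.level == level]
        if not at_level or any(s.answer != "Yes" for s in at_level):
            break  # stop at the first level that is not fully confirmed
        attained = level
    return attained


def score_all_domains(statements):
    """Ground rule 2: each domain is scored on its own; no domain lifts or drags another."""
    domains = list(dict.fromkeys(s.domain for s in statements))
    return {d: domain_maturity(statements, d) for d in domains}


def gap_log(inherent_by_category, maturity_by_domain, category_to_domain, owners):
    """Inherent-risk versus maturity overlay. Assumption: the scales compare by
    ordinal position, so position i on the inherent scale calls for at least
    position i on the maturity scale. Rows where risk exceeds maturity become
    gap-log entries; rows where maturity exceeds risk are returned separately so
    the bank can document the over-investment as intentional."""
    gaps, over_invested = [], []
    for category, risk in inherent_by_category.items():
        domain = category_to_domain[category]
        maturity = maturity_by_domain[domain]
        risk_idx = INHERENT_LEVELS.index(risk)
        maturity_idx = -1 if maturity is None else MATURITY_LEVELS.index(maturity)
        if risk_idx > maturity_idx:
            gaps.append({"category": category, "domain": domain, "inherent": risk,
                         "current": maturity or "Below Baseline",
                         "target": MATURITY_LEVELS[risk_idx],
                         "owner": owners.get(domain, "UNASSIGNED"),
                         "due": "TBD"})  # remediation date set by the owner
        elif risk_idx < maturity_idx:
            over_invested.append((category, domain, risk, maturity))
    return gaps, over_invested


def _make(domain, answers_by_level):
    """Build constructed statements for one domain from per-level answer lists."""
    return [Statement(domain, level, a)
            for level, answers in answers_by_level.items() for a in answers]


# Constructed sample: a few statements per domain, not the real 494.
SAMPLE_STATEMENTS = (
    _make("D1", {"Baseline": ["Yes", "Yes", "No"]})
    + _make("D2", {"Baseline": ["Yes", "Yes"], "Evolving": ["Yes", "No"]})
    + _make("D3", {"Baseline": ["Yes", "Yes", "Yes"], "Evolving": ["Yes", "No", "Yes"]})
    + _make("D4", {"Baseline": ["Yes", "Yes"], "Evolving": ["Yes", "Yes"],
                   "Intermediate": ["Yes", "Partial"]})
    + _make("D5", {"Baseline": ["Yes"], "Evolving": ["Yes"], "Intermediate": ["Yes"],
                   "Advanced": ["No"]})
)
# IRP scores from the article's $750M bank example; the category-to-domain
# pairing and the owners are assumptions for the overlay.
SAMPLE_IRP = {"Technologies & Connection Types": "Moderate", "Delivery Channels": "Significant",
              "Online & Mobile Products": "Moderate", "Organizational": "Minimal",
              "External Threats": "Significant"}
CATEGORY_TO_DOMAIN = {"Technologies & Connection Types": "D3", "Delivery Channels": "D3",
                      "Online & Mobile Products": "D3", "Organizational": "D1",
                      "External Threats": "D2"}
OWNERS = {"D1": "CISO", "D2": "CISO", "D3": "IT Operations Manager",
          "D4": "Vendor Management Lead", "D5": "BCP Coordinator"}


def run_overlay():
    """Score the sample statements, then overlay them against the sample IRP."""
    maturity = score_all_domains(SAMPLE_STATEMENTS)
    gaps, over_invested = gap_log(SAMPLE_IRP, maturity, CATEGORY_TO_DOMAIN, OWNERS)
    return maturity, gaps, over_invested


if __name__ == "__main__":
    maturity, gaps, over_invested = run_overlay()
    for domain, level in maturity.items():
        print(f"{domain}: {level or 'Below Baseline'}")  # the radar-chart values
    for row in gaps:
        print(f"GAP {row['category']} ({row['domain']}): inherent {row['inherent']}, "
              f"current {row['current']}, target {row['target']}, owner {row['owner']}")
```

The `maturity` dictionary is the radar chart, the `gaps` list is the gap log with owner and target level filled in, and `over_invested` is the list of rows the bank must justify in the narrative. Because ground rule 1 stops at the first unconfirmed level, a single "No" in a domain's Baseline set leaves that domain below Baseline no matter how many higher-level statements are answered Yes, which is exactly the evidence-before-claims discipline the pitfalls table asks for.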

Crosswalking the FFIEC Cybersecurity Assessment Tool to NIST CSF 2.0 After the August 2025 Sunset

The FFIEC retired the FFIEC Cybersecurity Assessment Tool on August 31, 2025, per FDIC FIL-43-2024 and OCC Bulletin 2024-25. The three regulator-acceptable successors are NIST CSF 2.0, the CRI Profile, and CISA’s Cybersecurity Performance Goals. Most community banks are landing on NIST CSF 2.0.

NIST CSF 2.0, published February 26, 2024, added a sixth core function: Govern. The Govern function carries the board-oversight load that previously sat in CAT Domain 1. The community bank crosswalks each FFIEC Cybersecurity Assessment Tool domain into the six CSF 2.0 functions and inherits the maturity progression through the four CSF 2.0 Implementation Tiers.

Figure 3. Crosswalk between the FFIEC Cybersecurity Assessment Tool domains and the NIST CSF 2.0 functions, where Govern carries most of the prior Domain 1 oversight load.

Migrating FFIEC Cybersecurity Assessment Tool Findings to the CSF 2.0 Profile

The community bank exports its current FFIEC Cybersecurity Assessment Tool declarative-statement scores into a working spreadsheet and tags each statement against the NIST CSF 2.0 subcategory it covers. The output is a current Target Profile for the bank under CSF 2.0. The CISA Cybersecurity Performance Goals can layer in as a control floor.

The transition does not throw away CAT history. Community banks keep three years of CAT outputs filed as trend context inside the new CSF 2.0 documentation. The Cyber Risk Institute Profile v2.0 is a sector-specific overlay built on CSF 2.0 that many community banks adopt as the formal target framework while retaining the CAT history as audit evidence.

| FFIEC CAT Domain | Primary CSF 2.0 Function | Secondary CSF 2.0 Functions | Migration Action |
| --- | --- | --- | --- |
| D1 Cyber Risk Management & Oversight | Govern (GV) | Identify | Rewrite governance content under GV.OC, GV.RM, GV.RR |
| D2 Threat Intelligence & Collaboration | Identify (ID) | Detect, Respond | Map intel inputs to ID.RA-02 and DE.AE-02 |
| D3 Cybersecurity Controls | Protect (PR) | Detect | Map the 220 statements to PR.AA through PR.IR |
| D4 External Dependency Management | Govern (GV.SC) | Identify, Protect | Migrate to GV.SC and ID.SC for supply chain |
| D5 Cyber Incident Management & Resilience | Respond (RS) | Recover, Detect | Move IR plan content to RS and RC categories |

Community Bank Use Cases for the FFIEC Cybersecurity Assessment Tool, Two Worked Examples

Two community bank profiles surface most often when the FFIEC Cybersecurity Assessment Tool is run today. The first is the sub-$1 billion community bank with a part-time CISO and a heavy reliance on a core processor. The second is the $1 to $10 billion community bank with FedNow, an in-house cyber team, and an active vendor portfolio. The assessment shape differs.

Worked Example, $400M Community Bank FFIEC Cybersecurity Assessment Tool Walkthrough

A $400 million asset community bank in Iowa with 6 branches and a single state footprint will land at Minimal to Moderate inherent risk and Baseline to Evolving maturity. The work pieces are usually: hire a fractional CISO, formalize the cyber risk appetite, move Domain 4 vendor reviews from annual to semi-annual, and tabletop a ransomware scenario each year. Our RCSA risk management guide carries the self-assessment cadence.

The board read at this bank is straightforward. The audit committee sees three Domains at Baseline and two at Evolving.

The CISO walks the gap log, points at four near-term moves, and books the next FFIEC Cybersecurity Assessment Tool refresh for the second quarter of the following year. Examiners read the same three pages and either accept the trajectory or write a finding.

Mid-Sized Example, $4B Community Bank FFIEC Cybersecurity Assessment Tool Walkthrough

A $4 billion asset community bank with FedNow, banking-as-a-service partnerships, and 35 critical vendors lands at Moderate to Significant inherent risk and Evolving to Intermediate maturity.

The Domain 4 gap is usually visible, and third-party breach risk is the marquee exposure. The board pack carries a vendor heat map and a fourth-party concentration call-out alongside the radar.

The crosswalk to NIST CSF 2.0 happens faster at this size because the bank has the staff. The migration usually closes inside two quarters with a documented Target Profile, mapped current state, and a 12-month maturity uplift roadmap aligned to the new CSF 2.0 Govern function. Our operational risk management framework frames the broader integration.

Frequently Asked Questions About the FFIEC Cybersecurity Assessment Tool

Is the FFIEC Cybersecurity Assessment Tool still required after August 2025?

The FFIEC Cybersecurity Assessment Tool was never mandatory; it was always voluntary. The August 31, 2025 sunset means the FFIEC stopped updating the tool, but examiners still accept CAT outputs alongside or in lieu of NIST CSF 2.0, the CRI Profile, or CISA CPGs. The exam expectation is that the bank has a written transition plan with named owners and a target date in 2026.

How many declarative statements are in the FFIEC Cybersecurity Assessment Tool?

The FFIEC Cybersecurity Assessment Tool carries 494 declarative statements distributed across five Cybersecurity Maturity Domains. Domain 3 Cybersecurity Controls holds 220, Domain 1 Cyber Risk Management & Oversight holds 98, Domain 5 Cyber Incident Management & Resilience holds 89, Domain 4 External Dependency Management holds 49, and Domain 2 Threat Intelligence & Collaboration holds 33.

Who completes the FFIEC Cybersecurity Assessment Tool at a community bank?

The CISO or information security officer typically leads the FFIEC Cybersecurity Assessment Tool walkthrough at a community bank, with input from IT operations, vendor management, internal audit, and the BCP coordinator.

The board’s audit or risk committee reviews and approves the final output annually. Smaller community banks often hire an outside advisor to facilitate the first refresh after a leadership change.

How often should community banks refresh the FFIEC Cybersecurity Assessment Tool?

The Federal Reserve, OCC, and FDIC have all signaled that the FFIEC Cybersecurity Assessment Tool should refresh at least annually and after any material change in the bank’s risk profile.

Material changes include core conversions, FedNow launches, M&A activity, a significant new third-party relationship, or any reportable cyber incident under the SEC or FDIC cyber-disclosure rules.

What is the difference between the FFIEC Cybersecurity Assessment Tool and NIST CSF 2.0?

The FFIEC Cybersecurity Assessment Tool is a financial-sector-specific tool with five domains and 494 declarative statements. NIST CSF 2.0 is a sector-agnostic framework with six functions and 106 subcategories.

CSF 2.0 added the Govern function in February 2024, formalizing board oversight. For community banks, the CSF 2.0 functions cover the same ground but in a more flexible structure used across critical-infrastructure sectors.

Can community banks use the FFIEC Cybersecurity Assessment Tool and NIST CSF 2.0 in parallel?

Yes, and most community banks do during transition. The FFIEC Cybersecurity Assessment Tool stays in the board pack for trend continuity while the CSF 2.0 Target Profile becomes the working framework. The Cyber Risk Institute Profile v2.0 sits over CSF 2.0 with banking-specific overlays, and many community banks find that the CRI Profile is the smoothest migration target.

Does the FFIEC Cybersecurity Assessment Tool cover FedNow and instant payments?

The FFIEC Cybersecurity Assessment Tool predates FedNow’s July 2023 launch, so FedNow-specific controls are not named explicitly. Community banks score FedNow under Delivery Channels in the Inherent Risk Profile and under Domain 3 Cybersecurity Controls and Domain 4 External Dependency Management on the maturity side. The Federal Reserve’s FedNow risk management resources carry the supplemental guidance.

What is the most common FFIEC Cybersecurity Assessment Tool finding for community banks?

Domain 4 External Dependency Management is the most cited domain in OCC and FDIC IT exam findings for community banks. The pattern repeats: incomplete third-party inventory, missing SOC 2 Type II reports for critical vendors, and contracts without named cyber clauses. Verizon’s 2025 DBIR confirmed third-party breaches doubled to 30% of all breaches, making Domain 4 the highest-payoff area to fix.

Common Pitfalls in the FFIEC Cybersecurity Assessment Tool at Community Banks

Five patterns surface repeatedly in OCC and FDIC IT exam reports when the FFIEC Cybersecurity Assessment Tool walkthrough goes wrong at a community bank. The table below captures the recurring miss, why it happens, and the remedy that closes the finding before the next exam cycle. None of the patterns are unique to small institutions, but each compounds faster without a dedicated cyber team.

| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Maturity claimed without evidence | Yes answers given to declarative statements with no document trail | Build an evidence binder linking each Yes to a policy, ticket, or test result; spot-audit 20% quarterly |
| IRP and maturity drift apart | IRP refreshed annually but maturity updated only after exams | Quarterly half-day refresh of both halves; owner named per category |
| Domain 4 vendor inventory stale | Annual third-party review cadence misses new mid-cycle vendors | Vendor onboarding gate triggers Domain 4 re-score; monthly inventory reconciliation with procurement |
| Board cannot read the output | Radar chart presented without overlay or context | Add inherent-versus-maturity overlay, 3-year trend, and gap log to every board pack |
| No transition plan after August 2025 sunset | Bank continues using CAT without naming a successor framework | Document NIST CSF 2.0 or CRI Profile target, name owner, set 2026 completion date |
| IR plan not tested with ransomware scenario | Annual tabletop covers natural disaster but not ransomware | Run one full-functional ransomware tabletop per year with retained counsel and forensics on the call |
| Findings not closed before next refresh | Gap log written but no SLA on remediation | Assign 30/60/90 day SLAs by Domain; report status to audit committee monthly |

Looking Ahead, Successors to the FFIEC Cybersecurity Assessment Tool for 2026-2027

Three forces will shape what replaces the FFIEC Cybersecurity Assessment Tool at US community banks between 2026 and 2027. The first is regulator convergence. The Federal Reserve, OCC, and FDIC have signaled that NIST CSF 2.0 is the de facto standard. Community banks that adopt the CRI Profile inherit CSF 2.0 with banking-specific overlays.

The second force is third-party concentration risk. Verizon’s 2025 DBIR put third-party share at 30% of all breaches. The Treasury’s Cloud Executive Steering Group and CISA’s cross-sector CPGs will both push community banks toward stronger Domain 4 controls. Our supply chain risk management plan guide anchors the work, alongside the integrated risk management approach page.

The third force is the SEC and FDIC cyber disclosure rules. Public community banks face the SEC’s 8-K cyber-incident rule from December 2023, and FDIC-supervised banks face the FDIC computer-security incident notification rule from May 2022. Both rules raise the cost of poor Domain 5 maturity. Our incident response plan vs business continuity guide sets the boundary.

The community bank that runs one final FFIEC Cybersecurity Assessment Tool walkthrough as a baseline, crosswalks to NIST CSF 2.0 inside 2026, and re-anchors Domain 4 against the Verizon DBIR trendline is the bank that will absorb those three forces with the smallest scorecard rewrite.

The assessment is the visible artifact. The underlying discipline (quarterly refresh, named owners, evidence-backed maturity) carries the program forward into the post-CAT era.

Next Steps After Your FFIEC Cybersecurity Assessment Tool Walkthrough

Risk Publishing helps US community banks finish one last FFIEC Cybersecurity Assessment Tool refresh and then build the NIST CSF 2.0 Target Profile the next examiner expects. Review the advisory services page to see how the engagement runs, and contact the practice when the community bank cyber assessment is the next item on the audit committee agenda.

Get the FFIEC CAT → NIST CSF 2.0 Crosswalk Workbook: an Excel file with all 494 declarative statements pre-mapped to the six CSF 2.0 functions, including the new Govern function. Editable and 2026-ready.

