Montana’s financial institutions, both banks and credit unions, have long relied on the FFIEC’s Cybersecurity Assessment Tool (CAT) as a voluntary framework for assessing cyber risk. But change is on the horizon. On August 31, 2025, the Federal Financial Institutions Examination Council (FFIEC) will officially retire the CAT, ushering in a shift in how cybersecurity is approached across the sector.
This announcement is more than just a procedural update. It signals a broader evolution in cybersecurity governance and expectations, emphasizing the need for institutions to realign their strategies with modern frameworks and tools. Let’s unpack what this sunset means for Montana’s financial sector and how institutions can prepare.
Why Is the CAT Being Retired?
Released in 2015, the CAT was designed to help institutions assess their cybersecurity preparedness in a structured, repeatable way. It provided a framework built on maturity levels and standardized security controls.
However, cybersecurity threats, and the frameworks to mitigate them, have evolved dramatically since 2015. In recent years, agencies like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have released updated resources that better reflect current best practices.
Rather than retrofitting the CAT to align with these newer tools, the FFIEC has opted to sunset the CAT entirely. This allows institutions to adopt more agile, forward-looking cybersecurity tools and frameworks that better align with today’s threat landscape.
What This Means for Montana Banks and Credit Unions
A Shift Toward Modern Cybersecurity Frameworks
With the CAT’s retirement, supervised institutions are being directed toward more comprehensive and up-to-date cybersecurity tools, including:
- NIST Cybersecurity Framework 2.0: A flexible and customizable framework that allows institutions to build cybersecurity practices tailored to their unique risk profiles.
- CISA Cybersecurity Performance Goals (CPGs): Cross-sector and soon-to-be sector-specific goals that provide clear and measurable benchmarks for cybersecurity performance.
- Cyber Risk Institute (CRI) Cyber Profile: An industry-developed tool designed to align with supervisory expectations while supporting dynamic cyber risk management.
- Center for Internet Security (CIS) Critical Security Controls: A prioritized set of actions to help mitigate the most pervasive cyber threats.
Each of these tools offers a more contemporary and scalable approach than the CAT, supporting a more proactive cybersecurity stance.
Compliance and Examination Expectations
It’s important to note that while the CAT was never a formal examination program, many Montana institutions used it as a de facto standard during exam preparation. Going forward, financial institutions are encouraged, but not mandated, to adopt one or more of the above frameworks.
FFIEC members have emphasized that examiners will continue taking a risk-focused approach, which means no single tool is required, but your cybersecurity posture must be defensible and appropriate to your institution’s size, complexity, and risk profile.
Examiners may also explore areas not explicitly addressed by current tools, underscoring the importance of a flexible, layered, and well-documented cybersecurity strategy.
What About Credit Unions?
While the CAT is being retired, the National Credit Union Administration (NCUA) has clarified that it will continue supporting the Automated Cybersecurity Examination Toolbox (ACET). The ACET is based on the CAT and remains available as a voluntary self-assessment tool via the NCUA website.
This gives Montana credit unions the option to keep using a familiar tool, at least in the short term. Institutions should still consider how evolving frameworks like NIST CSF 2.0 and CISA’s upcoming Financial Sector Performance Goals might offer greater long-term value and alignment with industry expectations.
Strategic Takeaways for Montana Institutions
1. Don’t Wait Until 2025
While the CAT won’t be officially removed until August 31, 2025, now is the time to begin the transition. Evaluate your current cybersecurity practices and consider how alternative frameworks could better support your goals and compliance obligations.
2. Conduct a Gap Analysis
Compare your current use of the CAT (or ACET) against newer tools like NIST CSF 2.0 and the CRI Cyber Profile. Identify gaps in coverage, maturity, and risk alignment.
3. Engage Your IT and Security Partners
Partner with trusted IT professionals, like the team at First Call, to ensure you’re not just checking boxes, but truly strengthening your institution’s cyber resilience. We can help you interpret new frameworks, identify practical steps, and implement meaningful improvements.
4. Prepare for Examiner Expectations
Keep in mind that your choice of tools should support a comprehensive control environment. Examiners will want to see how your cybersecurity program maps to risk, integrates with your business strategy, and is updated regularly.
Resources to Explore Now
To get ahead of the transition, Montana financial institutions should become familiar with the following resources:
- NIST Cybersecurity Framework 2.0
- CISA Cybersecurity Performance Goals
- Sector-Specific Goals for Financial Institutions (Coming Soon)
- CRI Cyber Profile
- CIS Critical Security Controls
Each of these resources offers free guidance and tools that can be adapted for institutions of any size.
Looking Ahead: A Stronger, More Flexible Future
The FFIEC’s decision to retire the CAT may feel like a loss of a familiar tool, but it’s ultimately a move toward better cybersecurity resilience. Montana banks and credit unions have an opportunity to embrace new frameworks that are not only more current but also more flexible and robust.
At First Call Computer Solutions, we’re here to help our local financial institutions understand and adapt to this shift. Whether you’re exploring new assessment tools, planning a gap analysis, or preparing for your next regulatory exam, our cybersecurity and compliance experts are ready to support you every step of the way.
Need guidance on transitioning from the CAT to a modern cybersecurity framework?
Let’s talk about how First Call can help you align your cybersecurity strategy with tomorrow’s expectations.