Why These NIST CSF Outcomes Can Be Challenging When Moving from the FFIEC CAT
For more than a decade, the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (CAT) provided community financial institutions with a structured way to measure cybersecurity maturity. It was practical, examiner-aligned, and accessible. But as institutions transition to the National Institute of Standards and Technology Cybersecurity Framework (CSF), many are discovering that the shift is not about adding more controls; it is about expanding depth, governance, and accountability.
As identified in our recent webinar, these three outcomes in particular tend to expose gaps: identity assertions (PR.AA-04), risk registers (ID.RA-06), and supply chain risk (GV.SC-01).
Identity Assertions (PR.AA-04): Beyond “Do We Have MFA?”
Under the CAT, authentication was typically evaluated at a high level. Examiners and institutions alike focused on whether strong authentication mechanisms, such as multifactor authentication (MFA), were implemented. If MFA was enabled and password policies were documented, the box was largely checked.
NIST CSF PR.AA-04 moves the conversation deeper. It requires institutions not only to authenticate users but to understand and protect the identity assertions themselves. Identity assertions include tokens, Kerberos tickets, SAML assertions, OAuth claims, and other artifacts that allow systems to trust that a user or service has been authenticated elsewhere.
In modern banking environments, especially those leveraging single sign-on (SSO), federated identity, cloud-hosted cores, and SaaS platforms, authentication no longer lives in a single system. Instead, it relies on a web of trust relationships across identity providers and service providers.
This introduces practical challenges:
- Do we know where identity assertions are being created and consumed?
- Are tokens encrypted in transit and at rest?
- How long are assertions valid?
- How are privileged service accounts asserting identity across systems?
For institutions accustomed to evaluating authentication as a control, this outcome requires architectural visibility and tighter coordination between IT operations, cloud administrators, and security governance.
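To make the PR.AA-04 questions concrete, here is an added example (not code from the post or from Bedel Security) of the checks a service provider should run on each identity assertion it consumes: signature, issuer, audience, validity window, and a policy cap on lifetime. It assumes an HS256-signed JWT with a constructed shared key, a hypothetical issuer and audience, and a 15-minute maximum lifetime; the same checks apply to SAML assertions with different field names.

```python
import base64, hashlib, hmac, json

# Constructed values for the demo (assumptions, not from the post).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.bank"
EXPECTED_AUDIENCE = "core-banking-portal"
MAX_LIFETIME_SECONDS = 15 * 60  # policy cap on how long an assertion may be valid


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_assertion(claims: dict) -> str:
    """Stand-in for the identity provider: build an HS256-signed JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def assertion_findings(token: str, now: int) -> list[str]:
    """Policy violations found in one assertion; an empty list means it is accepted."""
    findings = []
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return ["malformed token"]
    # The header is untrusted input: pin the algorithm, never honour "none".
    if header.get("alg") != "HS256":
        findings.append(f"unexpected alg {header.get('alg')!r}")
    else:
        expected = hmac.new(SHARED_KEY, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            findings.append("signature mismatch")
    if claims.get("iss") != EXPECTED_ISSUER:
        findings.append("untrusted issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        findings.append("audience mismatch")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or iat is None:
        findings.append("missing exp or iat")
    else:
        if not claims.get("nbf", iat) <= now < exp:
            findings.append("outside validity window")
        if exp - iat > MAX_LIFETIME_SECONDS:  # long-lived tokens widen the replay window
            findings.append(f"lifetime {exp - iat}s exceeds policy")
    return findings
```

Running every consumed assertion through a check like this, and logging the findings, is also how an institution builds the inventory of where assertions are created and consumed.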
Risk Register (ID.RA-06): From Activity to Accountability
The CAT emphasizes that risk assessments are performed and that management processes exist. Most institutions can demonstrate annual risk assessments, remediation plans, board reporting, and audit follow-ups.
However, NIST CSF ID.RA-06 expects something more disciplined: a formal, centralized, living risk register.
A true risk register includes:
- Documented risks with clear statements
- Assigned risk owners
- Inherent and residual risk ratings
- Treatment decisions (mitigate, transfer, accept, avoid)
- Status tracking over time
During a CSF transition, many institutions realize that risk is being managed, but not consolidated. Findings live in audit trackers. Vulnerabilities sit in scanning tools. Vendor concerns are buried in due diligence files. Strategic risks appear in board decks.
What is often missing is a single system of record tying all of those risk sources together.
This is less a technical gap and more a governance evolution. It requires executive ownership, disciplined documentation, and ongoing lifecycle management. It also changes board reporting from “Here are our assessment results” to “Here are our prioritized enterprise cybersecurity risks and our treatment decisions.”
Supply Chain Risk (GV.SC-01): Beyond Third-Party Due Diligence
Traditional FFIEC guidance frames vendor risk through third-party risk management: due diligence reviews, contract clauses, SOC reports, and monitoring direct vendors.
NIST CSF GV.SC-01 broadens the aperture to cybersecurity supply chain risk management.
This includes:
- Downstream dependencies (subcontractors used by your vendors)
- Cloud infrastructure providers supporting SaaS platforms
- API integrations with fintech partners
- Managed service providers with shared tooling
- Shared service ecosystems
For many institutions, this feels uncomfortable because visibility decreases as dependency layers increase. The challenge becomes less about collecting SOC 2 reports and more about understanding systemic exposure.
For example:
- If your core processor relies on a specific cloud region, what concentration risk exists?
- If multiple vendors rely on the same authentication provider, what cascading impact could occur?
- Are cybersecurity supply chain considerations formally embedded into enterprise risk governance?
Meeting this outcome requires tighter integration between cybersecurity, enterprise risk management, procurement, and executive leadership.
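The concentration and cascading-impact questions above can be answered mechanically once dependencies are recorded as a graph. This added example (not from the post or from Bedel Security) uses a constructed, hypothetical dependency map in which business services rely on vendors, which in turn rely on subcontractors and a cloud region; it walks the graph in reverse to compute each provider's blast radius and ranks providers by how many customer-facing services they can take down.

```python
from collections import defaultdict, deque

# Constructed dependency map (an illustration, not real vendors): each key
# depends on the listed providers one layer down.
DEPENDS_ON = {
    "online-banking": ["core-processor", "sso-provider"],
    "mobile-app": ["core-processor", "fintech-api", "sso-provider"],
    "wire-transfers": ["core-processor"],
    "core-processor": ["cloud-region-east"],
    "fintech-api": ["cloud-region-east", "sso-provider"],
    "sso-provider": ["cloud-region-east"],
    "msp-helpdesk": ["shared-rmm-tool"],
}
# Customer-facing services whose loss is what the board cares about.
SERVICES = {"online-banking", "mobile-app", "wire-transfers"}


def reverse_edges(depends_on):
    """Invert the graph so we can walk from a provider up to everything relying on it."""
    relied_on_by = defaultdict(set)
    for consumer, providers in depends_on.items():
        for provider in providers:
            relied_on_by[provider].add(consumer)
    return relied_on_by


def blast_radius(depends_on, provider):
    """Every node that transitively depends on `provider` (BFS over reversed edges)."""
    relied_on_by = reverse_edges(depends_on)
    seen, queue = set(), deque([provider])
    while queue:
        node = queue.popleft()
        for consumer in relied_on_by[node]:
            if consumer not in seen:  # also guards against cycles in the map
                seen.add(consumer)
                queue.append(consumer)
    return seen


def concentration_report(depends_on, services):
    """Providers ranked by the number of services they can take down, ties by name."""
    providers = {p for ps in depends_on.values() for p in ps}
    report = {}
    for provider in providers:
        hit = blast_radius(depends_on, provider) & services
        if hit:
            report[provider] = sorted(hit)
    return sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0]))
```

In the constructed map the cloud region never appears in any contract, yet it ranks alongside the core processor at the top of the report; that is the systemic exposure GV.SC-01 asks institutions to see.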
The Real Shift: Depth, Scope, and Continuous Governance
The most important takeaway in moving from the CAT to the NIST CSF is this: the challenge is not primarily technical.
It is conceptual.
The CAT asks, “Do we have controls?”
The CSF asks, “Do we understand, govern, and continuously manage risk across identities, decisions, and dependencies?”
That shift, from control presence to risk lifecycle governance, is where institutions feel the friction. Identity becomes architectural. Risk becomes traceable and owned. Vendors become interconnected ecosystems rather than isolated contracts.
For community financial institutions, especially, this transition can feel heavy at first. But when implemented well, it produces something stronger than compliance: clarity. And clarity, around identity trust, enterprise risk posture, and supply chain exposure, is what ultimately strengthens resilience in an increasingly interconnected banking environment.
Bedel Security is here to help your institution transition from the CAT Tool to NIST CSF with our CySPOT® CSF+ product. Contact us today for more information!