For a decade, the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (CAT) provided community financial institutions with a structured way to measure cybersecurity maturity. It was practical, examiner-aligned, and accessible. But as institutions transition to the National Institute of Standards and Technology Cybersecurity Framework (CSF) 2.0, many are discovering that the shift is not about adding more controls; it is about expanding depth, governance, and accountability.
As identified in our recent webinar, these three outcomes in particular tend to expose gaps: identity assertions (PR.AA-04), risk registers (ID.RA-06), and supply chain risk (GV.SC-01).
Under the CAT, authentication was typically evaluated at a high level. Examiners and institutions alike focused on whether strong authentication mechanisms, such as multifactor authentication (MFA), were implemented. If MFA was enabled and password policies were documented, the box was largely checked.
NIST CSF PR.AA-04 ("identity assertions are protected, managed, and verified") moves the conversation deeper. It requires institutions not only to authenticate users but to understand and protect the identity assertions themselves. Identity assertions include session tokens, Kerberos tickets, SAML assertions, OAuth access tokens, OpenID Connect ID tokens, and other artifacts that allow systems to trust that a user or service has been authenticated elsewhere. Most of these are bearer artifacts: whoever holds one is the user. A stolen session cookie, a replayed token, or a SAML assertion forged with a compromised identity provider signing key lets an attacker skip MFA entirely, which is why the outcome is phrased around the assertion rather than the login prompt.
In modern banking environments, especially those leveraging single sign-on (SSO), federated identity, cloud-hosted cores, and SaaS platforms, authentication no longer lives in a single system. Instead, it relies on a web of trust relationships across identity providers and service providers.
This introduces practical challenges:
For institutions accustomed to evaluating authentication as a control, this outcome requires architectural visibility and tighter coordination between IT operations, cloud administrators, and security governance.
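As an added illustration of what "verifying an identity assertion" means in practice (example code written for this article, not part of the original page or of any product), the block below mints a compact JWT and then verifies it the way a relying service should: pin the algorithm, check the signature before trusting any claim, then check issuer, audience, and the validity window. The issuer URL, audience name, shared key, and timestamps are constructed for the demo; a real service would take them from its identity-provider configuration, and a SAML or OIDC library would perform the same sequence of checks.

```python
"""Verify a signed identity assertion (compact JWT, HS256) as a relying party should.
Added example using only the standard library; issuer, audience and key are demo values."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real relying party gets these from its IdP configuration.
IDP_KEY = b"demo-shared-secret-do-not-use"
EXPECTED_ISS = "https://idp.example.bank"
EXPECTED_AUD = "core-banking-portal"
CLOCK_SKEW = 60  # seconds of tolerance for clock drift between IdP and relying party


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_assertion(claims: dict, key: bytes = IDP_KEY, alg: str = "HS256") -> str:
    """Build header.payload.signature. Used here only to produce test input,
    including a deliberately unsigned token with alg=none."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_assertion(token: str, key: bytes = IDP_KEY, now=None) -> dict:
    """Return the claims if every check passes; raise ValueError naming the first failure.

    Order matters: the algorithm is pinned so a header of {"alg":"none"} cannot switch
    verification off, and the signature is checked before any claim is read as trusted.
    """
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; only HS256 is accepted")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("audience mismatch: assertion was minted for another service")
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("assertion expired or has no expiry")
    if now + CLOCK_SKEW < claims.get("nbf", 0):
        raise ValueError("assertion not yet valid")
    return claims


def classify(token: str, key: bytes = IDP_KEY, now=None) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        verify_assertion(token, key, now)
        return "accepted"
    except ValueError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed "current time" so the demo is deterministic
    good = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "jdoe", "iat": t0, "exp": t0 + 300}
    print(classify(mint_assertion(good), now=t0 + 10))                      # accepted
    print(classify(mint_assertion(good, alg="none"), now=t0 + 10))          # alg pinned
    print(classify(mint_assertion({**good, "aud": "hr-portal"}), now=t0 + 10))  # wrong audience
    print(classify(mint_assertion(good), now=t0 + 1000))                    # replayed after expiry
    h, p, s = mint_assertion(good).split(".")
    forged = _b64url(json.dumps({**good, "sub": "admin"}).encode())
    print(classify(f"{h}.{forged}.{s}", now=t0 + 10))                       # tampered payload
```

The point for the PR.AA-04 discussion is the set of failure modes the verifier rejects: an unsigned assertion, an assertion signed for a different service, a replayed assertion, and a modified assertion carrying a valid signature for different contents. Each corresponds to a question an examiner working from the CSF can ask about every SSO and federation relationship in the environment: who checks this, with which key, and against which audience and lifetime.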
The CAT emphasizes that risk assessments are performed and that management processes exist. Most institutions can demonstrate annual risk assessments, remediation plans, board reporting, and audit follow-ups.
However, NIST CSF ID.RA-06 ("risk responses are chosen, prioritized, planned, tracked, and communicated") expects something more disciplined: a formal, centralized, living risk register in which every risk has an owner, a chosen treatment, and a status that is tracked over time.
A true risk register includes:
During a CSF transition, many institutions realize that risk is being managed, but not consolidated. Findings live in audit trackers. Vulnerabilities sit in scanning tools. Vendor concerns are buried in due diligence files. Strategic risks appear in board decks.
What is often missing is a single system of record tying all of those risk sources together.
This is less a technical gap and more a governance evolution. It requires executive ownership, disciplined documentation, and ongoing lifecycle management. It also changes board reporting from “Here are our assessment results” to “Here are our prioritized enterprise cybersecurity risks and our treatment decisions.”
Traditional FFIEC guidance frames vendor risk through third-party risk management: due diligence reviews, contract clauses, SOC reports, and monitoring direct vendors.
NIST CSF GV.SC-01 (a cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders) broadens the aperture from managing individual vendors to managing the supply chain as a whole.
This includes:
For many institutions, this feels uncomfortable because visibility decreases as dependency layers increase. The challenge becomes less about collecting SOC 2 reports and more about understanding systemic exposure.
For example:
Meeting this outcome requires tighter integration between cybersecurity, enterprise risk management, procurement, and executive leadership.
The most important takeaway in moving from the CAT to the NIST CSF is this: the challenge is not primarily technical.
It is conceptual.
The CAT asks, “Do we have controls?”
The CSF asks, “Do we understand, govern, and continuously manage risk across identities, decisions, and dependencies?”
That shift, from control presence to risk lifecycle governance, is where institutions feel the friction. Identity becomes architectural. Risk becomes traceable and owned. Vendors become interconnected ecosystems rather than isolated contracts.
For community financial institutions, especially, this transition can feel heavy at first. But when implemented well, it produces something stronger than compliance: clarity. And clarity, around identity trust, enterprise risk posture, and supply chain exposure, is what ultimately strengthens resilience in an increasingly interconnected banking environment.
Bedel Security is here to help your institution transition from the CAT Tool to NIST CSF with our CySPOT® CSF+ product. Contact us today for more information!