FFIEC Cybersecurity Assessment Tool
Due to the increasing volume and sophistication of cyber threats, the FFIEC developed the Cybersecurity Assessment Tool (Assessment) on behalf of its members to help institutions identify risks and determine their cybersecurity maturity.
The content of the Assessment is consistent with the principles of the FFIEC Information Technology Examination Handbook (IT Handbook) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as industry-accepted cybersecurity practices.
The Assessment provides institutions with a repeatable and measurable process to inform management of their institution’s risks and cybersecurity preparedness and consists of two parts:
- Inherent Risk Profile
- Cybersecurity Maturity
The Inherent Risk Profile identifies the institution’s inherent risk, that is, the risk present before any controls are implemented.
The Cybersecurity Maturity includes domains, assessment factors, components, and individual declarative statements across five maturity levels to identify specific controls and practices that are in place. While management can determine the institution’s maturity level in each domain, the Assessment is not designed to identify an overall cybersecurity maturity level.
To complete the Assessment, management first assesses the institution’s inherent risk profile based on five categories:
- Technologies and Connection Types
- Delivery Channels
- Online/Mobile Products and Technology Services
- Organizational Characteristics
- External Threats
Management then evaluates the institution’s Cybersecurity Maturity level for each of the five domains:
- Cyber Risk Management and Oversight
- Threat Intelligence and Collaboration
- Cybersecurity Controls
- External Dependency Management
- Cyber Incident Management and Resilience