---
title: "NIST CSF 2.0 supersedes CAT for FFIEC cybersecurity compliance"
description: "NIST CSF 2.0 supersedes CAT for FFIEC cybersecurity compliance"
url: "https://www.certifiedinfosec.com/resources/blog/10"
date: "2026-07-15T04:29:39+00:00"
language: "en-GB"
---

#  Certified Information Security Blog

 <a class="close btn-close" data-bs-dismiss="alert" data-dismiss="alert"></a>

  #  NIST CSF 2.0 supersedes CAT for FFIEC cybersecurity compliance. Don't get caught out this August.

 [  ](#)- [ Home](https://www.certifiedinfosec.com/resources/blog)

- [ Print](https://www.certifiedinfosec.com/resources/blog/print/10-nist-csf-2-0-supersedes-cat-for-ffiec-cybersecurity-compliance-dont-get-caught-out-this-august "Print")
- [ PDF](https://www.certifiedinfosec.com/resources/blog/pdf/10-nist-csf-2-0-supersedes-cat-for-ffiec-cybersecurity-compliance-dont-get-caught-out-this-august "PDF")
- [ Subscribe](https://www.certifiedinfosec.com/javascript:void(0) "Subscribe")
- [ Report](https://www.certifiedinfosec.com/javascript:void(0) "Report")
- Last updated: September 1, 2025 10:30
- Created: May 10, 2025 20:03
- 2 min read
- Hits: 1482
- Rating:
    - [](https://www.certifiedinfosec.com/javascript:void(0);)
    - [](https://www.certifiedinfosec.com/javascript:void(0);)
    - [](https://www.certifiedinfosec.com/javascript:void(0);)
    - [](https://www.certifiedinfosec.com/javascript:void(0);)
    - [](https://www.certifiedinfosec.com/javascript:void(0);)

 - [Next »](https://www.certifiedinfosec.com/resources/blog/9-introduction-to-ai-in-business-the-5th-industrial-revolution-session-3)

 ![NIST CSF 2.0 supersedes CAT for FFIEC cybersecurity compliance. Don't get caught out this August.](https://www.certifiedinfosec.com/components/com_rsblog/assets/images/blog/10.jpg?nocache=6a570cb332148)

The [FFIEC is retiring its Cybersecurity Assessment Tool (CAT) by August 31, 2025](https://www.ffiec.gov/resources/cat#:~:text=The%20FFIEC%20will%20remove%20the%20CAT%20from,Infrastructure%20Security%20Agency%27s%20(CISA)%20Cybersecurity%20Performance%20Goals), and recommends that financial institutions transition to the **NIST Cybersecurity Framework 2.0 (CSF 2.0)** as an alternative. This shift is driven by the need for more updated and comprehensive cybersecurity frameworks as threats evolve. **Time is running out for supervised financial institutions to transition to deploy and assess cybersecurity according to NIST CSF 2.0.**

## Why the change?

The FFIEC determined that the CAT, while helpful, wasn't being updated to reflect newer government resources like NIST CSF 2.0 and CISA's (U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency) [Cybersecurity Performance Goals](https://www.cisa.gov/cross-sector-cybersecurity-performance-goals). NIST CSF 2.0 offers a more comprehensive and up-to-date framework for managing cybersecurity risks (in IT, OT, and IoT), encompassing a wider range of controls and aligning with other government resources.

## Transitioning to NIST CSF 2.0

Financial institutions will need to conduct gap analyses, map existing assessments to NIST CSF 2.0, develop NIST CSF 2.0 implementation roadmaps, and engage internal and external stakeholders (including its supply chain) to ensure a smooth transition.

### Preparing for the transition to NIST CSF 2.0

The organizational scope of applicability of NIST CSF 2.0 is quite broad. Recently release in February 2024, this new framework is not just for Information Technology - it is equally applicable and relevant for all Operations Technology, mobile devices, and IoT.

Financial institutions can't properly deploy or assess cybersecurity according to NIST CSF 2.0 without first understanding how to do the job. Since NIST CSF 2.0 requires proof of training and competence for specialized roles in its own desired outcome objective described in [CSF 2.0 PR.AT-02](https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-at/pr-at-02/), institutions supervised by the FFIEC need to quickly train and certify top management (116 of CSF 2.0's recommended implementation actions are explicitly for cybersecurity risk program governance) in NIST CSF 2.0 in particular, regardless of existing cybersecurity competence and skills.

Roles requiring provable CSF 2.0 competence and skills (to comply with CSF 2.0 PR.AT-02) CSF 2.0 training and competence include:

- Chief Information Officers (CIO)
- Chief Information Security Officers (CISO)
- Chief Security Officers (CSO)
- Security Analysts
- Chief Technology Officers (CTO)
- Chief Audit Executives (CAE)
- Chief Risk Officers (CRO)
- Compliance managers
- Chief Compliance Officers (COO)
- Compliance Analysts
- Chief Privacy Officers (CPO)
- Data Protection Officers (DPO)
- Internal auditors
- IT managers
- Security Operations (SecOps) team members

## Getting NIST CSF 2.0 training and proof of competence (professional certification)

A quick Google search shows the training and certification programs currently available for NIST: <https://www.google.com/search?q=nist+csf+2.0+lead+lead+auditor>.

Certified Information Security provides NIST CSF 2.0 Lead Implementer and NIST CSF 2.0 Lead Auditor training and certification. Live classes are open for registration at locations throughout the US and Caribbean, and all live classes are simulcast for hybrid presentation supporting budget-friendly remote attendance. Learn more at[ https://www.certifiedinfosec.com/event-calendar](https://www.certifiedinfosec.com/event-calendar).

Certified Information Security provides NIST CSF 2.0 Lead Implementer and NIST CSF 2.0 Lead Auditor training and certification. Live classes are open for registration at locations throughout the US and Caribbean, and all live classes are simulcast for hybrid presentation supporting budget-friendly remote attendance. [Learn more](https://www.certifiedinfosec.com/event-calendar).

## NIST CSF 2.0 professional credentials

- [NIST CSF 2.0 Lead Implementer](https://www.certifiedinfosec.com/services/certification-programs/iso-27001-information-security/nist-cyber-security-framework-lead-implementer)
- [NIST CSF 2.0 Lead Auditor](https://www.certifiedinfosec.com/services/certification-programs/iso-27001-information-security/nist-cybersecurity-framework-2-0-lead-auditor)

 - Posted in:
- [Blog](https://www.certifiedinfosec.com/resources/blog/category/3-blog),
- [Cybersecurity](https://www.certifiedinfosec.com/resources/blog/category/4-cybersecurity)
- Tagged with:
- [cybersecurity](https://www.certifiedinfosec.com/resources/blog/tag/1-cybersecurity),
- [information security](https://www.certifiedinfosec.com/resources/blog/tag/3-information-security),
- [nist csf](https://www.certifiedinfosec.com/resources/blog/tag/9-nist-csf),
- [privacy](https://www.certifiedinfosec.com/resources/blog/tag/10-privacy),
- [cybersecurity framework](https://www.certifiedinfosec.com/resources/blog/tag/11-cybersecurity-framework)

  ### Authors

 [![Allen Keele (Moderator)](https://www.gravatar.com/avatar/2029daa0d62ba9f6b256197c0a8825ab?d=%2Fmedia%2Fcom_rsblog%2Fimages%2Fuser.png)](https://www.certifiedinfosec.com/resources/blog/profile/7773)

####  Allen Keele (Moderator)

For over 25 years, I’ve worked at the intersection of governance, risk, and cybersecurity.As Principal of Certified Information Security (CIS), I’ve advised Fortune 500 companies, enterprises, heavily regulated industries (banks, governments) worldwide on implementing and sustaining:

- ISO 27001 Information Security Management Systems
- NIST Cybersecurity Framework (CSF 2.0) programs
- Enterprise Risk &amp; Compliance strategies based on ISO 31000, ISO 37301, and ISO 22301𝗛𝗶𝗴𝗵𝗹𝗶𝗴𝗵𝘁𝘀 𝗶𝗻𝗰𝗹𝘂𝗱𝗲:▸ 4,000+ leaders and practitioners 𝘵𝘳𝘢𝘪𝘯𝘦𝘥 &amp; 𝘤𝘦𝘳𝘵𝘪𝘧𝘪𝘦𝘥 𝘪𝘯 𝘎𝘙𝘊 and cybersecurity framework

𝗛𝗶𝗴𝗵𝗹𝗶𝗴𝗵𝘁𝘀 𝗶𝗻𝗰𝗹𝘂𝗱𝗲:

► 4,000+ leaders and practitioners 𝘵𝘳𝘢𝘪𝘯𝘦𝘥 &amp; 𝘤𝘦𝘳𝘵𝘪𝘧𝘪𝘦𝘥 𝘪𝘯 𝘎𝘙𝘊 and cybersecurity frameworks
► 40+ 𝘥𝘪𝘨𝘪𝘵𝘢𝘭 𝘢𝘯𝘥 𝘭𝘪𝘷𝘦 𝘵𝘳𝘢𝘪𝘯𝘪𝘯𝘨 𝘱𝘳𝘰𝘨𝘳𝘢𝘮𝘴 used by corporate teams and government agencies globally
► Enterprise engagements with organizations such as Amazon, the NSA, and dozens of central banks
► Authored 7 books on enterprise risk, cybersecurity, and governance frameworks

My focus is helping organizations bridge the gap between policy and operational reality in information security, enterprise risk, and compliance.

Whenever you’re ready, here’s how I can help:

1️⃣ Executive &amp; Practitioner Training – train &amp; certify your team in NIST CSF 2.0, ISO 27001, ISO 31000, ISO 22301.

2️⃣Rapid ISO 27001 &amp; NIST CSF 2.0 Readiness Assessments – pinpoint gaps and accelerate compliance.

3️⃣ Enterprise GRC Program Design – build practical governance and risk management systems that last.

Explore programs at www.certifiedinfosec.com or drop me a message to arrange a quick discovery call.

**Contact:** <https://www.certifiedinfosec.com/home/contact-us>; +1 (904) 406-4311.

- [Next »](https://www.certifiedinfosec.com/resources/blog/9-introduction-to-ai-in-business-the-5th-industrial-revolution-session-3)

 ![](https://www.certifiedinfosec.com/media/com_rscomments/images/loader.gif)

  [  My comments ](https://www.certifiedinfosec.com/javascript:void(0); "This will show all of your comments.")   [  Subscribe ](https://www.certifiedinfosec.com/javascript:void(0) "Subscribe")

 [ Show comment form ](#rscomments-accordion-content-91ee96f50687e2c6c5b1907d3554018b)

[](https://www.certifiedinfosec.com/javascript:void(0); "Bold")[](https://www.certifiedinfosec.com/javascript:void(0); "Italic")[](https://www.certifiedinfosec.com/javascript:void(0); "Underline")[](https://www.certifiedinfosec.com/javascript:void(0); "Stroke")

[](https://www.certifiedinfosec.com/javascript:void(0); "Quote")[](https://www.certifiedinfosec.com/javascript:void(0); "Emoticons")[](https://www.certifiedinfosec.com/javascript:void(0); "Preview")

[![:confused:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/confused.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:cool:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/cool.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:cry:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/cry.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:laugh:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/laugh.gif)](https://www.certifiedinfosec.com/javascript:void(0);)

[![:lol:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/lol.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:normal:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/normal.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:blush:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/redface.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:rolleyes:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/rolleyes.gif)](https://www.certifiedinfosec.com/javascript:void(0);)

[![:sad:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/sad.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:shocked:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/shocked.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:sick:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/sick.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:sleeping:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/sleeping.gif)](https://www.certifiedinfosec.com/javascript:void(0);)

[![:smile:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/smile.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:surprised:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/surprised.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:tongue:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/tongue.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:unsure:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/unsure.gif)](https://www.certifiedinfosec.com/javascript:void(0);)

[![:whistle:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/whistling.gif)](https://www.certifiedinfosec.com/javascript:void(0);)[![:wink:](https://www.certifiedinfosec.com/media/com_rscomments/images/emoticons/wink.gif)](https://www.certifiedinfosec.com/javascript:void(0);)

 [](https://www.certifiedinfosec.com/javascript:void(0); "Close preview")

  ![](https://www.certifiedinfosec.com/media/com_rscomments/images/loader.gif) 1000 Characters left

---

  Subscribe

  [ I agree to the terms and conditions. ](https://www.certifiedinfosec.com/javascript:void(0))

  ![](https://www.certifiedinfosec.com/media/com_rscomments/images/loader.gif)

### Terms &amp; Conditions

 [I Agree](https://www.certifiedinfosec.com/javascript:void(0))[Close](https://www.certifiedinfosec.com/javascript:void(0))

### Subscribe

### Report

### My comments

###

## Schema

```json
{ "@context": "https://schema.org", "@type": "BreadcrumbList", "itemListElement": [ { "@type": "ListItem", "position": 1, "name": "Home", "item": "https://www.certifiedinfosec.com" }, { "@type": "ListItem", "position": 2, "name": "Blog", "item": "https://www.certifiedinfosec.com/resources/blog" }, { "@type": "ListItem", "position": 3, "name": "NIST CSF 2.0 supersedes CAT for FFIEC cybersecurity compliance. Don't get caught out this August.", "item": "https://www.certifiedinfosec.com/resources/blog/10" } ] }
```
