As the FFIEC Cybersecurity Assessment Tool (CAT) phases out, financial institutions are preparing to adopt the Cyber Risk Institute (CRI) Profile — a framework designed specifically to help manage cyber risk while meeting compliance requirements. SBS CyberSecurity now offers the CRI Profile module within the TRAC governance, risk, and compliance (GRC) platform. This module helps financial institutions smoothly transition from the CAT and take a modern approach to cybersecurity and regulatory compliance. This FAQ covers common questions about the CRI Profile module, its features, and how it can help strengthen your risk management program now and moving forward.
Frequently Asked Questions About the TRAC CRI Profile Module
- Which cybersecurity framework does SBS recommend for financial institutions as the CAT phases out?
- What is the CRI Profile, and how does it differ from the FFIEC CAT?
- Is the CRI Profile suitable for smaller financial institutions or community banks?
- How does the CRI Profile help streamline compliance and examination readiness?
- What features are included in the CRI Profile module, and how does it support financial institutions?
- How do I enable and use the CRI Profile module in TRAC?
- Can TRAC users map their existing CAT data to the CRI Profile or NIST CSF modules for a smoother transition?
- Does SBS offer a NIST CSF module within TRAC?
- Will the FFIEC launch an official replacement for the CAT?
Which cybersecurity framework does SBS recommend for financial institutions as the CAT phases out?
Currently, the FFIEC and other regulatory bodies have not issued an official recommendation on which framework financial institutions should adopt. SBS advises considering two well-established frameworks: the CRI Profile and NIST Cybersecurity Framework (CSF) 2.0.
The CRI Profile, developed specifically for financial institutions, is built on the NIST CSF foundation. Its controls map directly to NIST CSF while incorporating regulatory expectations from the FFIEC, CISA, and others. This makes it a strong fit for financial institutions seeking a compliance-focused framework tailored to their sector.
The NIST CSF is widely recognized and offers a flexible, high-level structure for building and evaluating an information security program (ISP). It’s a solid choice for organizations looking for adaptability across industries.
What is the CRI Profile, and how does it differ from the FFIEC CAT?
The CRI Profile was created by CRI as a potential replacement option for the FFIEC CAT. Based on NIST CSF 2.0, it combines more than 2,500 regulatory expectations into one framework, making it an excellent option for any financial institution that wants a CAT replacement built specifically for them.
While both the FFIEC CAT and the CRI Profile are designed to help financial institutions assess and improve their cybersecurity posture, the CRI Profile is considerably shorter, more expansive in scope, and updated much more routinely than the CAT, positioning it as an excellent replacement option.
Is the CRI Profile suitable for smaller financial institutions or community banks?
Unlike the more industry-agnostic NIST CSF, the CRI Profile was specifically designed for financial institutions of all sizes. It begins with a nine-question Impact Tiering Questionnaire that tailors the depth and scope of the assessment to match the institution’s size, complexity, and risk profile, making it scalable and practical whether you're a community bank or a global firm.
How does the CRI Profile help streamline compliance and examination readiness?
By using language and terminology familiar to financial institutions, the CRI Profile not only helps institutions of all sizes prepare for regulatory exams and audits but also provides a clear, structured view of their cybersecurity posture, highlighting actionable steps to strengthen defenses and better protect customers.
What features are included in the CRI Profile module, and how does it support financial institutions?
The CRI Profile module of TRAC includes the full assessment framework, the Impact Tiering Questionnaire, regulatory mapping, and detailed control expectations — all designed to help financial institutions align with multiple regulatory requirements, identify gaps, and prioritize improvements. Whether you're tracking progress, preparing for an exam, or building a stronger cyber program, the module provides the tools and clarity to support every step.
How do I enable and use the CRI Profile module in TRAC?
To get a proposal to license the CRI Profile module of TRAC, please contact us or schedule a demo.
Can TRAC users map their existing CAT data to the CRI Profile or NIST CSF modules for a smoother transition?
We have recently released a tool to map your answers from the TRAC FFIEC CAT module into either the CRI Profile or premium NIST CSF module where applicable. While this mapping tool will help streamline the process, it’s important to review your assessments carefully since not all controls align perfectly.
Does SBS offer a NIST CSF module within TRAC?
SBS currently offers both a free and premium NIST CSF module. While each version allows users to respond to an assessment created from the CSF 2.0, the premium version offers additional reporting capabilities, customization options, the ability to set target goals and have TRAC monitor progress, and other beneficial features.
Will the FFIEC launch an official replacement for the CAT?
At this time, the FFIEC has no public plans to introduce a replacement for the CAT. Institutions are encouraged to adopt the framework that most effectively supports their cybersecurity and compliance goals.
Ready to Make the Shift?
As the FFIEC CAT phases out, financial institutions have an opportunity to adopt a cybersecurity framework designed specifically for their needs. TRAC’s CRI Profile module offers a comprehensive, compliance-focused solution tailored to the financial sector. With this module, organizations can streamline risk management and examination readiness while benefiting from SBS’s ongoing enhancements and mapping tools. TRAC remains a forward-looking platform built to support your institution’s evolving cybersecurity strategy with confidence and clarity.
