With the sunset of the FFIEC Cybersecurity Assessment Tool (CAT), many financial institutions are looking for a trusted, modern framework to guide their cybersecurity efforts. SBS CyberSecurity has released a NIST Cybersecurity Framework (CSF) module within the TRAC governance, risk, and compliance (GRC) software, offering both free and premium options to help financial institutions navigate this shift with confidence. This FAQ answers common questions about the NIST CSF module, how it compares to other frameworks like the Cyber Risk Institute (CRI) Profile, and what’s next for TRAC users.
Frequently Asked Questions About the TRAC NIST CSF Module
- Which cybersecurity framework does SBS recommend for financial institutions now that the CAT is being phased out?
- Is the NIST CSF a good fit for smaller financial institutions?
- Which cybersecurity framework does SBS recommend for nonfinancial institutions?
- Has SBS replaced the free CAT TRAC module with a free NIST CSF module?
- What’s included in the free NIST CSF module, and what does the premium version offer?
- How do I enable the NIST CSF module in TRAC?
- Is TRAC's ISP Assessment NIST-based?
- Does SBS offer a CRI Profile module within TRAC?
- Can TRAC users map their existing CAT data to the NIST or CRI Profile modules?
- Will the FFIEC launch a replacement for the CAT?
Which cybersecurity framework does SBS recommend for financial institutions now that the CAT is being phased out?
There has been no formal recommendation from the FFIEC or any regulatory body on which framework financial institutions should adopt. However, SBS recommends two widely accepted options: NIST CSF 2.0 and the CRI Profile.
The NIST CSF is the most broadly adopted cybersecurity framework globally and provides a flexible structure for building and assessing an information security program (ISP). It’s particularly useful for institutions that prefer a high-level, adaptable approach.
The CRI Profile, built on the NIST CSF, is tailored specifically for financial institutions. All of its controls are mapped back to corresponding NIST CSF controls, creating clear alignment. It also incorporates regulatory requirements from the FFIEC, CISA, and others — making it a strong choice for organizations focused on compliance.
Is the NIST CSF a good fit for smaller financial institutions?
Smaller banks often find the NIST CSF more manageable than other frameworks. While both the NIST CSF and CRI Profile are valid choices, the NIST CSF’s smaller scope and flexible approach make it a strong fit for institutions that want solid cybersecurity coverage without added complexity.
Which cybersecurity framework does SBS recommend for nonfinancial institutions?
While the right framework will depend on an organization’s specific needs, the NIST CSF was designed to be broadly applicable. It’s a strong choice for any institution — regardless of industry — that wants to improve its cybersecurity posture in a structured, scalable way.
Has SBS replaced the free CAT TRAC module with a free NIST CSF module?
Yes. SBS now offers a free version of the NIST CSF module in TRAC as a potential replacement for the FFIEC CAT module. A premium version is also available, offering advanced features such as enhanced reporting and maturity tracking. Institutions can choose the version that best fits their needs.
What’s included in the free NIST CSF module, and what does the premium version offer?
TRAC users can access a basic version of the NIST CSF module for free, regardless of whether they previously used the CAT module. This version includes:
- Statement review: Respond to each NIST CSF statement.
- Implementation examples: Reference guidance and best practices.
- Basic reporting: Document rationale and generate a foundational report.
The premium version expands significantly on that foundation, adding advanced functionality to support maturity tracking, action planning, and deeper integration across the TRAC platform. Key premium features include:
- Maturity goal tracking: Set and monitor progress for each statement.
- Selective reporting: Exclude specific NIST CSF questions from reports.
- Control ownership assignment: Assign responsibility across your team.
- Documentation uploads: Link to files or upload supporting evidence.
- Flagging for follow-up: Mark controls that need more attention.
- TRAC module integrations: Connect to TRAC’s Action Tracking, ISP, and Business Continuity Management (BCM) modules.
- Enhanced reporting: Generate executive summaries and flagged item reports.
- CAT-to-NIST mapping: Transfer existing CAT data into the NIST CSF module.
How do I enable the NIST CSF module in TRAC?
You can access the free version by selecting “Get Started Free” on the NIST CSF module page or by contacting an SBS account executive.
Is TRAC's ISP Assessment NIST-based?
Yes. TRAC’s ISP Assessment module was built as an organizationwide risk assessment and incorporates elements from several frameworks, including the NIST CSF.
Does SBS offer a CRI Profile module within TRAC?
Yes. The CRI Profile module is now live in TRAC, providing tailored controls mapped to NIST CSF and designed specifically for financial institutions focused on compliance. Contact us to schedule a demo.
Can TRAC users map their existing CAT data to the NIST or CRI Profile modules?
Yes. TRAC now includes a mapping tool that allows users to transfer their FFIEC CAT data into either framework module. This functionality is available in the premium NIST CSF module and in the CRI Profile module. While the tool streamlines the transition, it’s still recommended to review all controls, as mappings may not be one-to-one.
Will the FFIEC launch a replacement for the CAT?
As of now, the FFIEC has no public plans to release a replacement. Financial institutions are being encouraged to select a framework that best supports their goals.
Ready to Transition?
The shift away from the FFIEC CAT presents an opportunity for financial institutions to adopt a more flexible and modern approach to cybersecurity. With TRAC’s new NIST CSF module — available in both free and premium tiers — organizations can align with a globally recognized standard while gaining tools to manage risk more effectively. SBS’s ongoing development of additional modules and mapping tools ensures TRAC remains a forward-looking platform to support your evolving cybersecurity strategy.
