FFIEC Cybersecurity Assessment Tool
Best for: U.S. financial institutions regulated by the Federal Reserve, FDIC, OCC, NCUA, or state banking departments, including banks, credit unions, savings associations, and bank holding companies. No revenue or asset threshold applies; the CAT is a voluntary self-assessment tool. The FFIEC sunset it effective August 31, 2022, so examiners no longer require it, but institutions may still use it internally.
Federal Financial Institutions Examination Council (FFIEC), a formal interagency body comprising the Federal Reserve Board, FDIC, OCC, NCUA, CFPB, and the State Liaison Committee. · FFIEC CAT (2015) Official source
Get Started
module "..." {
source = "ffiec.compliance.tf/terraform-aws-modules/<module>/aws"
version = "<version>"
}
What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Audit Trail and Logging: Ten controls check the full CloudTrail lifecycle: multi-region configuration, S3 data event logging for both read and write operations, CloudWatch integration, log group retention periods, and alarm action enablement.
- Encryption and Certificate Management: Checks ACM certificate expiration within 30 days, SSL certificate attachment on API Gateway stages, backup recovery point encryption, and absence of plaintext sensitive values in CodeBuild environment variables.
- Network and Perimeter Security: Validates WAF web ACL association on API Gateway stages and flags Auto Scaling launch configurations that assign public IPs to instances intended to stay private.
- Backup and Disaster Recovery: Four controls confirm backup plan minimum retention of 35 days, recovery point minimum retention of 35 days, manual deletion protection on recovery points, and health check configuration on Auto Scaling groups behind load balancers.
- Sensitive Data Handling: Detects plaintext AWS credentials and sensitive values in CodeBuild project environment variables. Flags configurations where secrets should use Parameter Store or Secrets Manager instead.
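As an added illustration of the kind of configuration checks listed above (this is example code written for this page, not compliance.tf's own checks or the Steampipe queries it ships), the script below evaluates hand-built resource descriptions against four of them: CloudTrail multi-region and S3 read/write data-event coverage with CloudWatch integration, ACM certificate expiry within 30 days, backup plan retention of at least 35 days, and plaintext secrets in CodeBuild environment variables. The sample dictionaries are constructed and only loosely follow the shape of the AWS API responses; the key names, thresholds and the constructed account and resource identifiers are assumptions for the example.

```python
# Added example, not compliance.tf code: applies a few of the configuration checks
# described above to constructed resource descriptions. The input dictionaries are
# hand-built and only loosely follow the shape of the AWS API responses; nothing
# here talks to AWS, so it runs offline.
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the example

# Variable names that should never carry a PLAINTEXT value, and the AWS access key id shape.
SECRET_NAME = re.compile(r"SECRET|PASSWORD|TOKEN|ACCESS_KEY", re.IGNORECASE)
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def check_cloudtrail(trail):
    """Multi-region trail, CloudWatch Logs integration, S3 data events for read and write."""
    name, findings = trail["Name"], []
    if not trail.get("IsMultiRegionTrail"):
        findings.append(f"{name}: trail is not multi-region")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(f"{name}: no CloudWatch Logs log group attached")
    logs_s3_read_write = any(
        sel.get("ReadWriteType") == "All"
        and any(r.get("Type") == "AWS::S3::Object" for r in sel.get("DataResources", []))
        for sel in trail.get("EventSelectors", [])
    )
    if not logs_s3_read_write:
        findings.append(f"{name}: S3 data events not logged for both read and write")
    return findings


def check_certificate(cert, now=NOW, warn_days=30):
    """Flag an ACM certificate whose NotAfter falls within warn_days of now."""
    remaining = cert["NotAfter"] - now
    if remaining <= timedelta(days=warn_days):
        return [f"{cert['DomainName']}: certificate expires in {remaining.days} days"]
    return []


def check_backup_plan(plan, min_days=35):
    """Every rule must retain recovery points for at least min_days.
    A rule with no Lifecycle never expires its recovery points, so it passes."""
    findings = []
    for rule in plan["Rules"]:
        days = rule.get("Lifecycle", {}).get("DeleteAfterDays")
        if days is not None and days < min_days:
            findings.append(f"{plan['BackupPlanName']}/{rule['RuleName']}: retention {days} < {min_days} days")
    return findings


def check_codebuild_env(project):
    """Secrets must be referenced via PARAMETER_STORE or SECRETS_MANAGER, never PLAINTEXT."""
    findings = []
    for var in project["Environment"]["EnvironmentVariables"]:
        if var.get("Type", "PLAINTEXT") != "PLAINTEXT":
            continue  # a reference to Parameter Store / Secrets Manager, not the value itself
        if SECRET_NAME.search(var["Name"]) or ACCESS_KEY_ID.search(var["Value"]):
            findings.append(f"{project['Name']}: plaintext secret in environment variable {var['Name']}")
    return findings


# Constructed sample inputs: one compliant and one non-compliant item per check.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail:*",
     "EventSelectors": [{"ReadWriteType": "All",
                         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
    {"Name": "legacy-trail", "IsMultiRegionTrail": False, "CloudWatchLogsLogGroupArn": None,
     "EventSelectors": [{"ReadWriteType": "WriteOnly",
                         "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3"]}]}]},
]
SAMPLE_CERTS = [
    {"DomainName": "api.example.com", "NotAfter": NOW + timedelta(days=200)},
    {"DomainName": "legacy.example.com", "NotAfter": NOW + timedelta(days=12)},
]
SAMPLE_PLAN = {"BackupPlanName": "core-banking", "Rules": [
    {"RuleName": "daily", "Lifecycle": {"DeleteAfterDays": 14}},
    {"RuleName": "monthly", "Lifecycle": {"DeleteAfterDays": 365}},
    {"RuleName": "never-expire"},
]}
SAMPLE_PROJECT = {"Name": "loan-origination-build", "Environment": {"EnvironmentVariables": [
    {"Name": "DB_PASSWORD", "Type": "SECRETS_MANAGER", "Value": "prod/db:password"},
    {"Name": "AWS_ACCESS_KEY_ID", "Type": "PLAINTEXT", "Value": "AKIAIOSFODNN7EXAMPLE"},
    {"Name": "BUILD_ENV", "Type": "PLAINTEXT", "Value": "prod"},
]}}


def run_all():
    """Run every check over the sample data and return the combined findings list."""
    findings = []
    for trail in SAMPLE_TRAILS:
        findings += check_cloudtrail(trail)
    for cert in SAMPLE_CERTS:
        findings += check_certificate(cert)
    findings += check_backup_plan(SAMPLE_PLAN)
    findings += check_codebuild_env(SAMPLE_PROJECT)
    return findings


if __name__ == "__main__":
    for finding in run_all():
        print(finding)
```

Two details matter for an examiner-facing check: a backup rule with no lifecycle retains recovery points indefinitely and must not be reported as a retention failure, and a CodeBuild variable of type SECRETS_MANAGER or PARAMETER_STORE holds only a reference, so it is skipped even when its name looks like a secret. Against real accounts the same functions would be fed the output of the corresponding AWS API calls instead of the constructed dictionaries.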
What you handle
- Audit Trail and Logging: Log review procedures, a security operations function staffed to act on alerts, incident escalation documentation, and examiner-ready evidence that logs are reviewed, not just collected.
- Encryption and Certificate Management: Establishing a key management policy, defining approved encryption algorithms, managing certificate renewal workflows, and documenting encryption standards in your information security program.
- Network and Perimeter Security: WAF rule tuning, firewall change management procedures, network segmentation documentation, and periodic penetration testing to validate perimeter controls.
- Backup and Disaster Recovery: Business continuity plan documentation, annual DR testing with documented results, recovery time objective validation, and examiner-ready evidence that backups are actually restorable.
- Sensitive Data Handling: Data classification per your information classification policy, DLP controls beyond infrastructure configuration, and developer training on secure credential handling.
Controls by Category
Cyber Incident Management and Resilience: Backup and Recovery (1 control)
Domain 5 requires tested backup and recovery capabilities, not just configured ones. Examiners want evidence that retention meets your BCP requirements, that recovery points are protected against premature deletion (ransomware resilience), and that health checks enable automatic failover. The recurring challenge is proving that recovery point objectives align with documented BCP/DR plans.
Detective Controls: Audit Trail and Monitoring (5 controls)
Domain 3's Detective Controls factor centers on visibility. Examiners check whether logs are centralized, retained per policy and regulatory expectations (the CAT sets no fixed 365-day minimum), and configured to alert on anomalous activity. The most common gap: CloudTrail enabled in only one region, or S3 data event logging missing entirely, which leaves significant blind spots.
Preventative Controls: Data Protection and Encryption (1 control)
Under Domain 3 Preventative Controls, examiners verify that data in transit and at rest is encrypted using current standards. Expired or soon-to-expire TLS certificates, plaintext credentials in build configurations, and unencrypted backups are recurring findings. Institutions must also show that encryption key management aligns with the institution's risk appetite and that sensitive values never appear in plaintext configuration.
Additional Controls (77)
AWS Database Migration Service (1)
AWS IAM (7)
AWS Lambda (4)
Amazon DynamoDB (1)
Amazon EBS (2)
Amazon EC2 (4)
Amazon EFS (2)
Amazon EMR (1)
Amazon ElastiCache (1)
Amazon OpenSearch Service (3)
Amazon RDS (16)
Amazon Redshift (9)
Amazon S3 (12)
Amazon SageMaker (1)
Amazon VPC (1)
Elastic Load Balancing (8)
Other (4)
Related Frameworks
Frequently Asked Questions
Is the FFIEC CAT mandatory, or is it optional guidance?
The CAT is voluntary. No law or regulation requires its use. FFIEC announced the sunset effective August 31, 2022, and confirmed it will not be updated. Examiners assess cybersecurity through FFIEC handbooks and agency procedures; institutions may still use the CAT internally, but there is no examiner requirement to do so.
How long does a full FFIEC CAT self-assessment take?
For a community bank or credit union, expect 2 to 4 weeks of staff time across IT, compliance, and risk management. The Inherent Risk Profile takes a few days; the Cybersecurity Maturity assessment is the bulk of the work, requiring evidence gathering across all five domains. Larger institutions with complex environments and multiple business lines may need 6 to 8 weeks. The first assessment always takes the longest; subsequent annual updates go faster if you maintain your evidence repository.
How does the Inherent Risk Profile affect what maturity level I need?
The CAT uses a matrix. Your Inherent Risk Profile score (Least, Minimal, Moderate, Significant, or Most) determines the minimum cybersecurity maturity level expected. A Least-risk institution may only need Baseline maturity; a Significant-risk institution needs at least Intermediate, and examiners may push for Advanced in specific domains. Most mid-size banks land at Moderate risk, which requires Evolving maturity at minimum.
What is the relationship between FFIEC CAT and the FFIEC IT Examination Handbooks?
The CAT complements the IT Examination Handbooks but does not replace them. The handbooks (Information Security, Business Continuity, Outsourcing Technology Services, and others) contain the detailed examination procedures that examiners follow. The CAT is a higher-level self-assessment that maps to concepts in the handbooks. Think of the handbooks as the examiner's detailed playbook and the CAT as a self-check tool institutions can use between exams.
Can compliance.tf cover all 50 FFIEC controls in this benchmark?
The 50 controls in this benchmark are the infrastructure configuration checks that can be automated via Terraform and Steampipe. They cover a meaningful subset of the CAT's Cybersecurity Controls domain (Domain 3), particularly Preventative and Detective controls. The full CAT spans governance, risk assessment, threat intelligence, vendor management, incident response, and training, none of which can be validated through infrastructure scanning alone. Expect compliance.tf to automate roughly 30-40% of your evidence needs, with the remainder requiring policy documentation, process evidence, and human attestation.