
The FFIEC CAT Sunset: What Healthcare Can Learn from a Parallel-Sector Compliance Change

FFIEC sunsetted the Cybersecurity Assessment Tool on August 31, 2025. The transition to NIST CSF 2.0 and CISA CPGs is the cleanest recent template for dynamic compliance change.

Tags: Healthcare, Compliance, NIST CSF 2.0, Strategy

On August 29, 2024, the Office of the Comptroller of the Currency issued Bulletin 2024-25 announcing that the Federal Financial Institutions Examination Council Cybersecurity Assessment Tool would sunset on August 31, 2025. Supervised financial institutions were directed to transition to NIST Cybersecurity Framework 2.0, the CISA Cross-Sector Cybersecurity Performance Goals, the CISA sector-specific Cybersecurity Performance Goals, the Cyber Risk Institute’s Cyber Profile, and the CIS Critical Security Controls.

This is a banking-sector compliance event. It is also one of the cleanest recent templates for what dynamic compliance change actually looks like, and it matters to healthcare for three reasons. First, healthcare and financial services overlap in the entities they regulate: revenue-cycle vendors, payment processors, and healthcare fintech often answer to both. Second, the replacement frameworks the OCC named, CSF 2.0, the CISA CPGs, and the CIS Controls, are the frameworks healthcare organizations already use, so the bulletin's logic transfers directly. Third, the sunset shows a pattern healthcare should expect: voluntary tools are retired in favor of cross-sector frameworks aligned to current practice, not because the underlying controls were wrong but because the cross-sector frameworks better reflect the modern threat landscape.

This post explains what the FFIEC CAT sunset did, why the OCC chose the replacements it did, and what healthcare leaders should take from the transition.


What the FFIEC CAT Was

The FFIEC Cybersecurity Assessment Tool, released in 2015, was a voluntary self-assessment tool that helped financial institutions identify their inherent risk profile and cybersecurity maturity. It organized cybersecurity activities into five domains — Cyber Risk Management and Oversight, Threat Intelligence and Collaboration, Cybersecurity Controls, External Dependency Management, and Cyber Incident Management and Resilience — with maturity levels from baseline to innovative.

The CAT became operational guidance for federal banking examiners and a de facto required artifact for many supervised institutions. Banks built compliance programs around CAT domains, examination evidence around CAT maturity declarations, and board reporting around CAT scoring.

For ten years, this worked. By 2024, the CAT lagged. NIST CSF 2.0 (February 2024) added the Govern function and restructured the categories. The CISA Cross-Sector CPGs (first published in 2022 and updated in 2023) tied cost, impact, and complexity ratings to specific practices; Version 2.0 (December 2025) continued that approach, arriving after the sunset date rather than before it. CIS Controls v8 (2021) reorganized the safeguards by activity rather than by who manages the devices. The CAT's 2015-era domain structure no longer represented current practice.


What the OCC Bulletin Said

The OCC bulletin made four important moves.

It sunsetted CAT on a fixed date. August 31, 2025 was non-negotiable. Institutions had roughly 12 months to transition.

It named specific replacements. Not just “modern frameworks” but explicit reference to CSF 2.0, CISA Cross-Sector CPGs, sector-specific CPGs, CIS Controls v8, and the CRI Cyber Profile.

It acknowledged the underlying controls remained sound. The OCC explicitly noted that the fundamental controls in CAT remain valid. The replacement was about framework currency and cross-sector alignment, not about discrediting prior work.

It pointed at future direction without fixing it. The OCC retained discretion to evolve its guidance further and aligned its expectations with what FFIEC and CISA publish, without committing to a specific successor tool.

The structural pattern matters more than the specifics. A federal supervisor sunsetted a voluntary tool, named replacements that align to cross-sector frameworks, and gave institutions a planning window with a hard date. The transition was orderly and preserved investment in underlying controls.


Why This Pattern Will Recur in Healthcare

Healthcare has its own pre-CSF-2.0 era artifacts. The HHS HPH Cybersecurity Performance Goals were aligned to the original CSF function structure when introduced. As CSF 2.0 adoption accelerates, the HPH CPGs and other healthcare-specific tools will need to align too. The pattern will likely repeat:

  • A voluntary healthcare-specific tool gets retired or restructured.
  • Replacement guidance aligns to CSF 2.0, CISA CPGs, and updated NIST publications.
  • Healthcare entities are given a planning window to transition documentation, examination evidence, and board reporting.
  • Underlying controls remain valid; the framework currency is the issue.

The specific timeline depends on HHS and OCR action, which has been steady but not aggressive. The HIPAA Security Rule NPRM is the most consequential current example of the pattern; the proposed rule explicitly addresses changes in technology and emerging issues, which is the same logic that produced the FFIEC CAT sunset.


What Healthcare Should Take from the Bulletin

Three lessons generalize.

Build to the cross-sector frameworks, not to the sector-specific tools. A healthcare program built primarily on CSF 2.0, CISA CPGs, and CIS Controls is forward-compatible with whatever the next healthcare-specific tool replacement looks like. A program built primarily on a sector-specific tool will need to migrate when that tool is retired or restructured.

Treat sector-specific tools as profiles, not foundations. HHS HPH CPGs, the FFIEC CAT, the CRI Cyber Profile, and similar tools are most useful as sector-tailored views on top of cross-sector frameworks. Investing in them as standalone foundations creates migration cost.

Maintain a control mapping that survives framework change. A harmonization matrix mapping internal controls to HIPAA, CSF 2.0, CISA CPGs, CIS Controls, NIST SP 800-53, and customer contractual clauses survives any single framework’s retirement. The matrix is the evidence-engineering anchor; specific framework views are derivatives.

The single-artifact, multi-authority evidence engineering framing applies directly. Anchor artifacts plus a control-mapping matrix produce framework agility; framework-specific artifacts produce framework lock-in.
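The matrix argument above is easier to see as data. The following is an added example, not code from the original post or from any framework publisher: a minimal control-mapping matrix in which each internal control carries its evidence artifacts and a set of framework identifiers, with functions that derive a framework-specific view, report coverage gaps against a target framework, and retire one framework column. The control IDs, evidence file names, and every framework mapping are constructed for illustration and are not an authoritative crosswalk; the retirement function flags "orphans", controls whose only mapping was to the retired tool, which is the lock-in cost the post describes.

```python
"""Control-mapping matrix (crosswalk) that survives the retirement of one framework.

Added example, not from the original post. Control IDs, evidence names and the
framework mappings below are constructed for illustration, not an authoritative
crosswalk; verify any real mapping against the framework text itself.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Control:
    control_id: str
    description: str
    evidence: List[str]  # anchor artifacts: policies, tickets, exports, test logs
    # framework name -> identifiers within that framework (constructed values)
    mappings: Dict[str, Set[str]] = field(default_factory=dict)


# Constructed sample matrix. "FFIEC CAT" is the framework column we will retire.
MATRIX: List[Control] = [
    Control("IC-01", "MFA enforced for all remote and privileged access",
            ["IAM-policy-v4.pdf", "idp-mfa-export-2025Q3.csv"],
            {"HIPAA": {"164.312(d)"}, "CSF2": {"PR.AA-03"},
             "CISA-CPG": {"2.H"}, "FFIEC CAT": {"D3.PC.Am.B.15"}}),
    Control("IC-02", "Quarterly access reviews of ePHI systems",
            ["access-review-2025Q3.xlsx"],
            {"HIPAA": {"164.308(a)(4)"}, "CSF2": {"PR.AA-05"},
             "FFIEC CAT": {"D3.PC.Am.B.1"}}),
    Control("IC-03", "Board receives annual cyber maturity report",
            ["board-minutes-2025-03.pdf"],
            {"FFIEC CAT": {"D1.G.Ov.B.1"}}),  # mapped only to the retiring tool
    Control("IC-04", "Immutable, tested backups of ePHI",
            ["backup-restore-test-2025-08.log"],
            {"HIPAA": {"164.308(a)(7)"}, "CSF2": {"RC.RP-01", "PR.DS-11"},
             "CISA-CPG": {"2.R"}}),
]


def framework_view(matrix: List[Control], framework: str) -> Dict[str, List[str]]:
    """Derive a framework-specific view: identifier -> sorted internal control IDs.
    This is the 'derivative' the post refers to; it is computed, never maintained by hand."""
    view: Dict[str, List[str]] = {}
    for c in matrix:
        for ident in c.mappings.get(framework, set()):
            view.setdefault(ident, []).append(c.control_id)
    return {k: sorted(v) for k, v in sorted(view.items())}


def coverage_gaps(matrix: List[Control], framework: str, required: Set[str]) -> List[str]:
    """Identifiers in `required` (e.g. a target framework's must-have outcomes)
    that no internal control maps to. Run this against the replacement framework
    before the old tool's sunset date, not after."""
    covered = set(framework_view(matrix, framework))
    return sorted(required - covered)


def retire_framework(matrix: List[Control], framework: str) -> Tuple[List[Control], List[str]]:
    """Drop one framework's column. Returns (new matrix, orphaned control IDs).
    Orphans are controls whose only mapping was to the retired framework; their
    evidence artifacts are untouched, but they now need a new mapping or they
    disappear from every derived view."""
    new: List[Control] = []
    orphans: List[str] = []
    for c in matrix:
        remaining = {f: set(ids) for f, ids in c.mappings.items() if f != framework}
        new.append(Control(c.control_id, c.description, list(c.evidence), remaining))
        if c.mappings.get(framework) and not remaining:
            orphans.append(c.control_id)
    return new, orphans


def migration_report(matrix: List[Control], old: str, new: str,
                     required_new: Set[str]) -> Dict[str, List[str]]:
    """One-shot view of what a sunset costs: orphaned controls plus gaps in the successor."""
    after, orphans = retire_framework(matrix, old)
    return {"orphans": orphans, "gaps": coverage_gaps(after, new, required_new)}


if __name__ == "__main__":
    # Constructed target set: three CSF 2.0 outcomes the program says it must cover.
    target = {"PR.AA-03", "GV.OV-01", "RC.RP-01"}
    print(migration_report(MATRIX, "FFIEC CAT", "CSF2", target))
```

Running the script reports one orphan (IC-03, the board-reporting control that was only ever evidenced through the CAT) and one CSF 2.0 gap (the Govern outcome nothing maps to). Both are findings the program should surface during the planning window, and both are invisible if the only artifact is a CAT maturity declaration.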


Why This Matters for Healthcare Fintech and Revenue-Cycle Vendors

Some healthcare-adjacent businesses are directly affected by the OCC bulletin today, not just by analogy.

Revenue-cycle vendors that operate through bank relationships may inherit FFIEC examination expectations through their banking partners' third-party risk management programs. Healthcare fintech businesses (payment processors, lending platforms tied to healthcare receivables, patient-financing services) often face direct supervision by an FFIEC member agency. Optum Bank and similar healthcare-tied financial entities face supervision from both sectors.

For these businesses, the CAT sunset is operationally direct. They need to transition their own cybersecurity examination evidence to CSF 2.0 alignment by August 31, 2025, and their HIPAA obligations do not move that deadline.

For pure healthcare entities, the bulletin is cross-sector context, not direct supervision. But the pattern it sets — sunset of a voluntary tool, replacement with cross-sector frameworks, fixed transition window — is the pattern healthcare entities should expect to see in their own sector over the next three to five years.


What to Track

Three signals matter for the broader pattern through 2027:

  • HHS and OCR alignment of HIPAA-related guidance and tools to CSF 2.0 explicitly. The HIPAA Security Rule NPRM is the largest current signal; smaller alignment moves around HPH CPGs and SP 800-66 Rev. 2 are likely.
  • CISA CPG version updates and the cross-sector / sector-specific divergence pattern.
  • CRI Cyber Profile updates as it absorbs the role the FFIEC CAT used to play in financial services.

The FFIEC CAT sunset is not a healthcare event. It is the cleanest recent demonstration of how dynamic compliance change actually unfolds in a U.S. critical-infrastructure sector, and the operational lessons transfer cleanly to healthcare programs that want to be ready for the next sunset before it is announced.


Sources

  • Office of the Comptroller of the Currency. (2024, August 29). FFIEC Cybersecurity Assessment Tool sunset statement (OCC Bulletin 2024-25).
  • NIST. (2024). Cybersecurity Framework 2.0 (CSWP 29).
  • CISA. (2025). Cross-Sector Cybersecurity Performance Goals (Version 2.0).
  • HHS. (2024). Healthcare and Public Health Cybersecurity Performance Goals.
  • HHS. (2025). HIPAA Security Rule NPRM. 90 Fed. Reg. 898.
  • Center for Internet Security. (2021). CIS Critical Security Controls v8.
