Software Engineering Institute

This technical note describes the methodology we used and the observations we made while mapping the declarative statements found in the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) to the practice questions found in the Cyber Resilience Review (CRR). This mapping enables financial organizations to use CRR results not only to gauge their cyber resilience, but to examine their current baseline with respect to the FFIEC CAT and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The mapping in this technical note is proposed by three senior engineers from the CERT Division of the Carnegie Mellon University Software Engineering Institute; these engineers are skilled in conducting CRRs and familiar with all practice questions and question guidance. Two also have the advantage of several years of experience in the financial sector. The team relied on their experience along with previous mappings of the CRR and FFIEC CAT to the NIST CSF to propose the mapping in this technical note.