Credit union advisory

The FFIEC CAT is gone. Your examiner still wants a maturity story.

On August 31, 2025 the Cybersecurity Assessment Tool was retired. The NCUA's ACET now maps to NIST CSF 2.0 — and boards are asking what changed, what carries over, and what to put in front of the next exam. This guide answers all three. No jargon, no checklists for their own sake.

Written by a practicing credit union vCISO who runs NCUA-aligned maturity assessments and quantified (FAIR) risk for boards — not a vendor reselling a platform.

Get the transition guide

Free · 14 pages · sent to your inbox immediately

First name

Last name

Work email

Credit union

Asset size

Your role

We'll email the guide and occasional credit union security briefings. No spam, unsubscribe anytime. See our privacy policy.

Check your inbox

The guide is on its way. If it doesn't arrive in a few minutes, check spam or email us directly.

What's inside

Built for the transition, not the theory

01

What actually changed

A side-by-side of the retired CAT versus the ACET Maturity Assessment, including how ACET statements now map to NIST CSF 2.0 — and what genuinely carries over from your last assessment.

02

What the examiner expects

The documentation and maturity evidence NCUA examiners look for during the transition window, and the gaps that most often draw findings.

03

A 90-day plan

A board-ready sequence for moving your program onto CSF 2.0 without re-doing years of work — plus a one-page summary for your supervisory committee.

Why this is different

Real-world experience, not a sales deck

vCISO

Active credit union engagement, not a vendor pitch

NCUA

Hands-on ACET / NIST CSF 2.0 assessment experience

FAIR

Cyber risk quantified in dollars, for the board

8-K

Incident materiality & disclosure advisory background