Introducing FFIEC Maturity Assessment Support

We all know financial institutions and credit unions need to be cyber secure. That’s not a surprise to anyone in 2021. But cybersecurity is a moving target and is often difficult to establish in organizations with numerous departments, processes and vendors. That’s why the Federal Financial Institutions Examination Council (FFIEC) built the Cybersecurity Maturity Assessment.

The FFIEC Cybersecurity Maturity Assessment gives organizations a detailed matrix to help them understand their sophistication across the following five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

The five domains are broken down into “Assessment Factors” (see image below), and each assessment factor is composed of contributing components. 

Image from FFIEC Cybersecurity Assessment Tool—Overview for Chief Executive Officers and Boards of Directors pdf.

For example, Domain 4: External Dependency Management has two assessment factors and related contributing components:

  • Assessment Factor: Connections
    • Connections
  • Assessment Factor: Relationship Management
    • Due Diligence
    • Contracts
    • Ongoing Monitoring


To understand your cybersecurity maturity, you must categorize each contributing component maturity as Baseline, Evolving, Intermediate, Advanced or Innovative. FFIEC provides declarative statements that describe exactly what your organization must be doing to meet each level for every contributing component. Once you’ve identified the maturity of each contributing component, you can identify the assessment factor and domain maturity levels by identifying the lowest level of all their contributing components. FFIEC emphasizes that “all declarative statements in each maturity level, and previous levels, must be attained and sustained to achieve that domain’s maturity level.”

Image from FFIEC Cybersecurity Assessment Tool—Overview for Chief Executive Officers and Boards of Directors pdf.


Our goal at Tugboat Logic is to demystify compliance, so FFIEC is an important addition to our roster of supported frameworks. 

Today Tugboat Logic’s FFIEC Maturity Assessment is available to Enterprise customers. It helps you understand how well your existing cybersecurity processes correspond with your desired cybersecurity maturity level in each of the five domains. But benchmarking your current state of compliance is only part of the battle. We also pave the way to level up your maturity in each domain through automation and mapping, strengthening your security posture quickly and efficiently.  And, as with all of our frameworks, it’s easy to monitor your ongoing compliance so you can always be confident your controls are operational.  

At Tugboat Logic, we don’t take it lightly when we say we “support a framework.” While you can upload your own policies and controls, support means access to custom content and a team of experts available to walk you through the process from start to finish. We provide policies that are built to comply with every framework we support and industry best practices. There are also custom-built controls that include implementation guidance that you can easily edit to customize for your organization. If that’s not enough, our team is here to provide extra support on how you can increase your cybersecurity maturity. Additionally, our evidence tasks are built to fulfill the framework requirements while reducing your effort—upload evidence once and it applies to all relevant frameworks and audit projects. 

Just like our other frameworks, the FFIEC Maturity Assessment has been custom designed and built by our in-house team of experts. Our Labs team consists of ex-Big Four auditors with extensive training conducting audits, working with clients on compliance and advising companies. They’re industry experts and their knowledge and expertise are the foundation of our supported frameworks. And thanks to the insights of our customers and the wisdom of our audit partners, everything is tailored to meet the highest of industry standards.

Our customer success team is also highly specialized and supports all of our clients. The CS team includes more former Big Four auditors, compliance experts and product specialists. So if you need help with your scoping survey or implementing controls, they can walk you through the process and answer any other questions you may have.

FFIEC’s Maturity Assessment helps financial institutions build and monitor additional lines of defense in their cybersecurity battle. We’re here to support you every step of the way. 

Contact us to learn more today!