Compliance frameworks are the vocabulary of regulated enterprise security — but they are often discussed as if leadership teams already understand what they mean and how they relate to each other. Most don't. Here is a plain-language explanation of the three frameworks most relevant to banking and mortgage leaders, what they actually require, and how they fit together.
FFIEC: The Regulatory Baseline
The Federal Financial Institutions Examination Council — FFIEC — is an interagency body that establishes examination standards for US financial institutions. When your bank examiner or state regulator evaluates your cybersecurity program, they are almost certainly using FFIEC guidance as the baseline for that evaluation.
The most important FFIEC document for cybersecurity is the Cybersecurity Assessment Tool (CAT), which provides a structured framework for evaluating cybersecurity preparedness. The CAT maps your organization's inherent risk profile — based on the complexity of your technology environment and business activities — against your cybersecurity maturity across five domains:
FFIEC Cybersecurity Assessment Tool — Five Domains
- Cyber Risk Management and Oversight: Board and management oversight of cybersecurity risk, governance structures, and strategic planning
- Threat Intelligence and Collaboration: How the organization identifies and responds to evolving threat intelligence
- Cybersecurity Controls: Technical and operational controls for protecting systems and data
- External Dependency Management: Third-party and vendor risk management
- Cyber Incident Management and Resilience: Detection, response, and recovery capabilities
The FFIEC CAT produces a maturity rating across these domains — Baseline, Evolving, Intermediate, Advanced, or Innovative — and regulators expect that your maturity level is appropriate for your inherent risk profile. A highly complex financial institution operating with Baseline maturity in critical domains is a significant examination finding.
For mortgage companies, the FFIEC guidance applies through the examination authority of state regulators and the CFPB. Mortgage servicers and originators handling significant volumes of consumer financial data are expected to maintain cybersecurity programs that would meet FFIEC examination standards, even if they are not depository institutions subject to direct FFIEC examination.
NIST: The Technical Standard
The National Institute of Standards and Technology Cybersecurity Framework — NIST CSF — is not a regulatory requirement. It is a voluntary framework, developed by NIST in collaboration with industry, that provides a common language and structured approach for managing cybersecurity risk.
Despite being voluntary, NIST CSF has become the de facto technical standard for cybersecurity programs across regulated industries in the US. Regulators frequently reference it. Cyber insurance underwriters use it. Vendor security assessments are often structured around it. And the FFIEC CAT maps directly to NIST CSF functions.
The NIST CSF organizes cybersecurity activities into six core functions:
NIST CSF Six Core Functions
- Govern: Organizational context, risk management strategy, and cybersecurity policies (added in CSF 2.0)
- Identify: Asset management, risk assessment, and understanding of your cybersecurity environment
- Protect: Safeguards to protect critical systems and data — access controls, training, data security
- Detect: Capabilities to identify cybersecurity events in a timely manner
- Respond: Incident response planning and execution
- Recover: Recovery planning and resilience to restore capabilities after an incident
NIST CSF 2.0 — released in 2024 — added the Govern function explicitly, reflecting the regulatory and governance community's emphasis on board-level accountability for cybersecurity. This addition has significant implications for how regulated enterprises structure their cybersecurity governance and reporting.
SOC 2: The Third-Party Signal
SOC 2 — System and Organization Controls 2 — is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). Unlike FFIEC and NIST, which are frameworks you apply to your own organization, SOC 2 is a report that a third-party auditor produces about your organization's controls.
SOC 2 reports evaluate controls across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most organizations pursue SOC 2 Type II reports — which cover a period of time (typically six to twelve months) rather than a point-in-time assessment — because they provide stronger assurance about the consistent operation of controls.
For regulated enterprises, SOC 2 matters in two directions. First, you may be required to provide SOC 2 reports to your customers, regulators, or business partners as evidence of your security program. Second, you should be requiring SOC 2 reports from your technology vendors as part of your third-party risk management program — a SOC 2 Type II report is often the most efficient way to evaluate a vendor's security posture for the scope it covers.
"SOC 2 is not a security program — it's evidence that specific controls were operating effectively during a defined period. Organizations that treat SOC 2 compliance as a proxy for security maturity are creating false confidence."
How These Frameworks Interact
The practical relationship between FFIEC, NIST, and SOC 2 for a regulated financial services or mortgage company typically works as follows:
FFIEC sets your regulatory floor. Your cybersecurity program must be able to demonstrate maturity appropriate to your risk profile under FFIEC examination standards. This is non-negotiable for regulated institutions.
NIST provides your technical architecture. NIST CSF gives your security team a structured, comprehensive framework for organizing controls, assessing gaps, and communicating program status. Building your program around NIST CSF means it will map cleanly to FFIEC requirements and be legible to any security professional or regulator who reviews it.
SOC 2 provides third-party evidence. SOC 2 Type II reports — yours, and those of your critical vendors — provide independently verified evidence of control operation that strengthens your regulatory posture and your vendor risk management program simultaneously.
What Leadership Teams Need to Know
Board members and executive leaders don't need to understand the technical details of these frameworks. They do need to understand several things:
- Whether your organization's cybersecurity maturity is appropriate for your risk profile under FFIEC standards — and what the gap is if it isn't
- Whether your cybersecurity program is structured around a recognized framework (NIST CSF is the right answer for most regulated enterprises) that provides a credible basis for assessment and improvement
- Whether your critical technology vendors have current SOC 2 Type II reports, and whether your vendor management program requires and reviews them
- What your most significant cybersecurity gaps are, how they are being remediated, and on what timeline
If your CISO or security leadership cannot answer these questions for your board in clear, non-technical language, that is the finding — and it is more important than any specific technical gap in your security program.
Know Your Compliance and Security Posture
TRam Enterprise's Cybersecurity & Compliance Assessment evaluates your security program against FFIEC, NIST, and SOC 2 requirements and delivers a board-ready findings report in 3–4 weeks.