Skip to Content

We invite you to try out our new beta eCFR site at We’ve made big changes to make the eCFR easier to use. Be sure to leave feedback using the 'Help' button on the bottom right of each page!


Agency Information Collection Activities: Information Collection Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool

Document Details

Information about this document as published in the Federal Register.

Document Statistics
Document page views are updated periodically throughout the day and are cumulative counts for this document. Counts are subject to sampling, reprocessing and revision (up or down) throughout the day.
Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Office of the Comptroller of the Currency (OCC), Treasury.


: Notice and request for comment.


The OCC, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies), as part of their continuing effort to reduce paperwork and respondent burden, invite the general public and other federal agencies to take this opportunity to comment on a continuing information collection as required by the Paperwork Reduction Act of 1995 (PRA).

In accordance with the requirements of the PRA, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.

The OCC is soliciting comment on behalf of the Agencies concerning renewal of the information collection titled, “FFIEC Cybersecurity Assessment Tool” (“Assessment”).


Comments must be submitted on or before June 4, 2019.


Commenters are encouraged to submit comments by email, if possible. You may submit comments by any of the following methods:

  • Email:
  • Mail: Chief Counsel's Office, Office of the Comptroller of the Currency, Attention: 1557-0328, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
  • Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
  • Fax: (571) 465-4326.

Instructions: You must include “OCC” as the agency name and “1557-0328” in your comment. In general, the OCC will publish comments on without change, including any business or personal information provided, such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

You may review comments and other related materials that pertain to this information collection beginning on the date of publication of the second notice for this collection [1] by any of the following methods:

  • Viewing Comments Electronically: Go to Click on the “Information Collection Review” tab. Underneath the “Currently under Review” section heading, from the drop-down menu, select “Department of Treasury” and then click “submit.” This information collection can be located by searching by OMB control number “1557-0328” or “FFIEC Cybersecurity Assessment Tool.” Upon finding the appropriate information collection, click on the related “ICR Reference Number.” On the next screen, select “View Supporting Statement and Other Documents” and then click on the link to any comment listed at the bottom of the screen.
  • For assistance in navigating, please contact the Regulatory Information Service Center at (202) 482-7340.
  • Viewing Comments Personally: You may personally inspect comments at the OCC, 400 7th Street SW, Washington, DC. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649-6700 or, for persons who are deaf or hearing impaired, TTY, (202) 649-5597. Upon arrival, visitors will be required to present valid government-issued photo identification and submit to security screening in order to inspect comments.
Start Further Info


Shaquita Merritt, OCC Clearance Officer, Carl Kaminski, Special Counsel, or Priscilla Benner, Attorney (202) 649-5490, for persons who are deaf or hearing impaired, TTY, (202) 649-5597, Chief Counsel's Office, Office of the Comptroller of the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.

End Further Info End Preamble Start Supplemental Information


Under the PRA (44 U.S.C. et seq.), federal agencies must obtain approval from OMB for each collection of information they conduct or sponsor. “Collection of information” is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. The definition contained in 5 CFR 1320.3(c) also includes a voluntary collection. Section 3506(c)(2)(A) of title 44 requires federal agencies to provide a 60-day notice in the Federal Register concerning each proposed collection of information, including each proposed extension of an existing collection of information, before submitting the collection to OMB for approval. To comply with this requirement, the OCC is publishing, on behalf of the Agencies, a notice of the proposed collection of information set forth in this document.

Title: FFIEC Cybersecurity Assessment Tool.

OMB Number: 1557-0328.

Description: Cyber threats continue to evolve and increase exponentially with greater sophistication. Financial Start Printed Page 13787institutions [2] are exposed to cyber risks because they are dependent on information technology to deliver services to consumers and businesses every day. Cyber attacks on financial institutions may result in unauthorized access to, and the compromise of, confidential information, as well as the destruction of critical data and systems. Disruption, degradation, or unauthorized alteration of information and systems can affect a financial institution's operations and core processes and undermine confidence in the nation's financial services sector. Absent immediate attention to these rapidly increasing threats, financial institutions and the financial sector as a whole are at risk.

For this reason, the Agencies, under the auspices of the Federal Financial Institutions Examination Council (“FFIEC”), have worked diligently to assess and enhance the state of the financial industry's cyber preparedness and to improve the Agencies' examination procedures and training to strengthen the oversight of financial industry cybersecurity readiness. The Agencies also have focused on providing financial institutions with resources that can assist in protecting them and their customers from the growing risks posed by cyber attacks.

As part of these efforts, the Agencies developed the Assessment to assist financial institutions of all sizes in assessing their inherent cyber risks and their risk management capabilities. The Assessment allows a financial institution to identify its inherent cyber risk profile based on the technologies and connection types, delivery channels, online/mobile products and technology services that it offers to its customers, its organizational characteristics, and the cyber threats it is likely to face. Once a financial institution identifies its inherent cyber risk profile, it can use the Assessment's maturity matrix to evaluate its level of cybersecurity preparedness based on the financial institution's cyber risk management and oversight, threat intelligence capabilities, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning. A financial institution may use the matrix's maturity levels to identify opportunities for improving the financial institution's cyber risk management based on its inherent risk profile. The Assessment also enables a financial institution to rapidly identify areas that could improve the financial institution's cyber risk management and response programs, as appropriate. Use of the Assessment by financial institutions is voluntary.

Type of Review: Regular.

Affected Public: Businesses or other for-profit.

Burden Estimates: [3]

Assessment burden estimateEstimated number of respondents less than $500 million @80 hoursEstimated number of respondents $500 million -$10 billion @120 hoursEstimated number of respondents $10 billion -$50 billion @160 hoursEstimated number of respondents over $50 billion @180 hoursEstimated total respondents and total annual burden hours
OCC National Banks and Federal Savings Associations823 × 80 = 65,840 hours157 × 120 = 18,840 hours123 × 160 = 19,680 hours82 × 180 = 14,760 hours1,185 respondents 119,120 hours.
FDIC State Non-Member Banks and State Savings Associations2,689 × 80 = 215,120 hours760 × 120 = 91,200 hours34 × 160 = 5,440 hours6 × 180 = 1,080 hours3,489 respondents 312,840 hours.
Board State Member Banks and Bank Holding Companies2,768 × 80 = 221,440 hours766 × 120 = 91,920 hours81 × 160 = 12,960 hours26 × 180 = 4,680 hours3,641 respondents 331,000 hours.
NCUA Federally-Insured Credit Unions4,830 × 80 = 386,400 hours536 × 120 = 64,320 hours8 × 160 = 1,280 hours1 × 180 = 180 hours5,375 respondents 452,180 hours.
Total11,110 × 80 = hours = 888,8002,219 × 120 hours = 266,280 hours246 hours × 160 = 39,360 hours115 hours × 180 = 20,700 hours13,690 respondents 1,215,140 hours.

Comments submitted in response to this notice will be summarized and included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on:

(a) Whether the collection of information is necessary for the proper performance of the functions of the Agencies, including whether the information has practical utility;

(b) The accuracy of the Agencies' estimates of the burden of the collection of information;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Start Signature

Dated: March 29, 2019.

Theodore J. Dowd,

Deputy Chief Counsel, Office of the Comptroller of the Currency.

End Signature End Supplemental Information


1.  Following the close of the 60-day comment period for this notice, the OCC will publish a notice for 30 days of comment for this collection.

Back to Citation

2.  For purposes of this information collection, the term “financial institution” includes banks, savings associations, credit unions, and bank holding companies.

Back to Citation

3.  Burden is estimated conservatively and assumes all institutions will complete the Assessment. Therefore, the estimated burden may exceed the actual burden because use of the Assessment by financial institutions is not mandatory. The burden estimates for financial institutions include technology service providers who may assist financial institutions in completing their Assessments.

Back to Citation

[FR Doc. 2019-06644 Filed 4-4-19; 8:45 am]