The U.S. Treasury and Financial Services Sector Coordinating Council (FSSCC) have released the Financial Services Sector-Specific Goals (FS-SSGs) as a voluntary set of minimum expectations for the financial sector.
These goals, based on the CRI Profile, aim to align with established standards and frameworks, using the CRI Profile’s Tier 4 control objectives to define two levels:
- FS-SSG “Baseline”
- FS-SSG “Moderate”
- The FS-SSGs are a subset of the NIST CSF-based CRI Profile and are voluntary.
- The FS-SSGs are NOT new expectations or requirements for the financial sector.
The financial services sector is highly regulated and mature in cybersecurity risk management. In fact, Tier 4 of the CRI Profile is the minimum expectation for U.S.-supervised entities.
However, the sector is deeply interconnected with other industries and third parties, which may not always meet this cybersecurity maturity level. These third-party risks are a central concern for both U.S. and global regulators.
By using the CRI Profile, the FS-SSGs establish clear minimum expectations for cybersecurity in the financial sector.
The FS-SSGs aim to enhance the cybersecurity maturity of the entire financial sector, while recognizing that even the smallest financial institutions face high regulatory expectations, as shown in the Tier 4 diagnostic statements of the CRI Profile.
The Cybersecurity and Infrastructure Security Agency’s (CISA) Cross-Sector Cybersecurity Performance Goals (CCPGs) outline basic cybersecurity practices for all critical infrastructure sectors.
While the financial services sector generally exceeds the CCPGs due to existing regulations, there is a need to enhance cybersecurity for less regulated parts of our sector and for third-party dependencies.
The FS-SSGs seek to provide a stepping stone for these entities and to bridge the gap between the CCPGs and the financial sector industry practices that align with regulatory expectations as captured in the CRI Profile.
Instead of creating new requirements, the FS-SSGs acknowledge the importance of securing the financial services supply chain and unregulated entities as key risk areas.
CRI is working to expand the FS-SSGs to further support sector third-party risk management activities – stay tuned!