OCC Cybersecurity Supervision Work Program (CSWP)

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
The OCC Cybersecurity Supervision Work Program (CSWP) is a supervisory framework that guides the assessment of cybersecurity risk management and controls within financial institutions supervised by the Office of the Comptroller of the Currency (OCC). It establishes structured procedures for evaluating how banks safeguard information systems and protect sensitive data against evolving cyber threats.
Developed and maintained by the OCC, the CSWP is used by examiners to assess the effectiveness of a bank's cybersecurity strategies, risk management practices, incident response capabilities, and governance structures. The program covers areas such as access controls, vulnerability management, third-party risk, data protection, and compliance oversight.
Financial institutions prepare for OCC cybersecurity examinations by mapping their internal controls and risk management programs to the CSWP's requirements. The framework supports ongoing monitoring, enables timely identification of control gaps, and reinforces integration with broader regulatory compliance efforts.
Why it Matters
The OCC Cybersecurity Supervision Work Program (CSWP) enables financial institutions to proactively address cybersecurity risks and meet evolving regulatory expectations.
Key benefits include:
Support effective cybersecurity oversight
Facilitates systematic assessment and monitoring of risk management practices across critical banking functions and infrastructure.
Enhance regulatory compliance
Aligns internal controls with OCC requirements, ensuring institutions are prepared for examinations and regulatory scrutiny.
Strengthen incident response readiness
Promotes development and validation of robust detection, response, and recovery capabilities against emerging threats.
Reduce third-party risk exposure
Requires evaluation of vendor management practices to mitigate vulnerabilities stemming from relationships with external service providers.
Improve protection of sensitive data
Drives implementation of controls to safeguard customer information and prevent unauthorized access or data breaches.
How it Works
The OCC Cybersecurity Supervision Work Program (CSWP) structures its guidance into a set of governance domains and control objectives specific to financial institutions. The framework outlines key areas such as risk management, governance, asset protection, incident response, and third-party oversight.
Financial institutions implement the CSWP by assessing their cybersecurity posture against the outlined objectives and domains. Typical activities include evaluating existing security controls, conducting risk assessments, mapping controls to organizational policies, and documenting compliance with OCC guidance.
Key Elements
Cyber Risk Governance Structure
Establishes oversight responsibilities, policies, and management roles for cybersecurity within the financial institution's organizational hierarchy.
Information Security Control Areas
Defines categories of technical and administrative safeguards, including authentication, access controls, and data confidentiality measures.
Vulnerability and Threat Management Processes
Describes systematic procedures for identifying, assessing, and remediating system vulnerabilities and emerging cyber threats.
Incident Response and Recovery Planning
Outlines protocols for detecting, reporting, containing, and recovering from security incidents and cyberattacks.
Third-Party and Vendor Risk Oversight
Specifies requirements for evaluating and monitoring cybersecurity controls applied to external service providers and partnerships.
Ongoing Monitoring Mechanisms
Provides structures for continual assessment of cybersecurity program effectiveness and regulatory compliance alignment.
Framework Scope
The OCC Cybersecurity Supervision Work Program (CSWP) is used by OCC examiners when assessing financial institutions regulated by the Office of the Comptroller of the Currency, and by those institutions to prepare for examination. It covers the security and resilience of information systems, data protection measures, and third-party risk management.
Framework Objectives
The OCC Cybersecurity Supervision Work Program (CSWP) provides a framework for assessing cybersecurity risk management and regulatory compliance in financial institutions.
Strengthen cybersecurity governance across bank operations and decision-making structures
Enhance risk management practices to identify and mitigate emerging cyber threats
Support compliance with OCC regulations and industry cybersecurity standards
Improve the protection of sensitive customer and institutional data assets
Enable ongoing monitoring and timely identification of security control gaps
Promote operational resilience through robust incident response and recovery capabilities
Common Framework Mappings
Mapped frameworks include:
Digital Operational Resilience Act (DORA)
FFIEC Cybersecurity Assessment Tool
FFIEC IT Examination Handbook --- Information Security
Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
ISO/IEC 27001
NIST Cybersecurity Framework
NIST SP 800-53
SOC 2 (AICPA Trust Services Criteria)
- Classification: Category: Cybersecurity; Domain: Cybersecurity; Framework Family: Other
- Regulatory Context: Type: Guidance; Legal Instrument: Program; Sector: Financial Sector; Industry: Financial Services
- Region / Publisher: Region: North America; Region Detail: United States; Publisher: Office of the Comptroller of the Currency (OCC)
- Versioning: Version: Current OCC Cybersecurity Supervision Work Program; Effective Date: 2022; Issue Date: 2017
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
The OCC Cybersecurity Supervision Work Program is publicly available through the U.S. Office of the Comptroller of the Currency.
How SmartSuite Supports OCC CSWP
Centralize controls, evidence, and audit workflows to stay continuously ready for OCC cybersecurity examinations.
Exam Expectation Mapping
Map CSWP focus areas to controls, owners, and evidence sources.
Risk Assessments and Governance Reporting
Track cyber risk assessments and maintain leadership reporting artifacts.
Vendor Inventory and Contingency Planning
Manage vendor inventories, monitoring, and contingency planning evidence.
Control Testing and Assurance Cadence
Schedule testing, capture results, and manage remediation through closure.
Incident and Resilience Workflows
Run incident response and resilience exercises with documented outcomes.
Posture and Remediation Reporting
Report posture, gaps, evidence coverage, and remediation status.
Related frameworks

The FFIEC Cybersecurity Assessment Tool helps U.S. financial institutions assess cybersecurity preparedness and manage cyber risk.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

MITRE ATT&CK is a knowledge framework documenting adversary tactics and techniques to help organizations detect, analyze, and respond to attacks.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.
Frequently Asked Questions For OCC Cybersecurity Supervision Work Program (CSWP)
The CSWP is used by the Office of the Comptroller of the Currency (OCC) to assess how effectively financial institutions manage cybersecurity risks and protect information systems. It provides examiners with structured procedures to evaluate controls over sensitive data, system access, risk management, and incident response.
Yes, for OCC-regulated financial institutions, the CSWP is a core component of regulatory examinations. It is not a certifiable standard; it is the procedure set examiners apply, and it reflects supervisory expectations. Control gaps that examiners identify when applying it may result in findings or supervisory action.
The CSWP applies to national banks, federal savings associations, and federal branches and agencies of foreign banks regulated by the OCC. Its scope covers institution-wide cybersecurity governance, technology infrastructure, third-party risk, incident management, and ongoing resilience.
The CSWP emphasizes access controls, vulnerability management, third-party risk procedures, incident response plans, and documented governance structures. Institutions are expected to maintain evidence of risk assessments, control testing, policy adherence, and remediation actions.
Implementation involves mapping existing controls to the CSWP’s control areas, conducting periodic risk assessments, performing internal testing, and documenting findings. Institutions should integrate remediation efforts into governance reporting and update policies to address identified gaps.
The CSWP aligns with regulatory expectations and industry standards, including the FFIEC Cybersecurity Assessment Tool and NIST frameworks. Using the CSWP helps institutions demonstrate alignment with broader compliance requirements and recognized best practices.
Ongoing compliance with the CSWP requires continuous control monitoring, timely remediation of identified weaknesses, regular risk reviews, and transparent reporting to senior management and examiners. Periodic updates to risk assessments and incident response capabilities are essential.
SmartSuite enables financial institutions to manage CSWP requirements through centralized control libraries, risk registers, and policy governance. It facilitates automated evidence collection, configurable remediation workflows, and compliance tracking, supporting audit readiness and transparent reporting for OCC examinations.
Put the OCC Cybersecurity Supervision Work Program into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.