FFIEC EVIDENCE PACK

Close your software recovery gap before an FFIEC examiner finds it.

Your DR plan covers the systems you own — not the software a vendor controls. Codekeeper verifies that your vendor's code rebuilds and runs, then lays out the evidence for examiners.

An FFIEC evidence pack maps recovery proof to the specific NIST CSF 2.0 functions and the IT Handbook booklets that examiners reference.
Tested recovery proof — not a vendor list.
An FFIEC exam is risk-based — examiners zero in on the critical third-party systems you rely on most and ask if you can recover each one. Codekeeper documents recovery tests and uses the results as NIST CSF 2.0 Recover evidence.
FFIEC · NIS2 · DORA · ISO 27001 · SOC 2
One evidence pack, recognized by every framework that wants to know if you can recover critical external software.
The old way

Your compliance evidence is built for a retired tool.

If you built your FFIEC evidence around the CAT last year, the discontinuation made it irrelevant. Even if you have concrete proof, it doesn't line up with the new functions examiners reference now.

Format is the gap. An examiner reads NIST CSF 2.0 and the IT Handbook booklets. Evidence outside that framing is something they can't credit.

Evidence built on the CAT
CAT self-assessment PDF
Signed · 14 Mar 2024
Not tested
Filed once, never rebuilt — so no one knows if it actually recovers.
Why we built it

The evidence system that ends the annual compliance rebuild.

Every exam cycle, you re-map the same recovery work by hand to whatever framing the examiner names — slow, fragile, never quite aligned. Our evidence pack ends that: the mapping is done for you and kept current, so the proof is ready ahead of every exam.
  • 10+ securing mission-critical and regulated software
  • 3 500+ companies protected
  • ISO 27001 certified
  • 24 hrs to go live

The NIST CSF 2.0 Recover evidence your self-assessment is missing.

Each capability below closes a gap your old evidence leaves open. Together, they make up the tested recovery proof the Recover function needs.

Recover-function mapping

Every recovery test is tied to the CSF 2.0 Recover function, so your self-assessment has the evidence behind the claim.

IT Handbook booklet references

Each record points to the Business Continuity Management and Information Security booklets that examiners work from.

Tested-rebuild proof

The software is rebuilt from its deposit and confirmed to run, so you show recovery instead of asserting it.

One examiner-ready document

You hand over a single pack that covers third-party software continuity, assembled before the exam reaches it.

Proof that connects

Each test links to the risk and control it covers, so the examiner can follow the trail from risk to control to test.

A Software Resilience Certificate

You receive a dated, signed record stating recovery was confirmed.

How it works

Get your NIST CSF 2.0 Recover evidence examiner-ready in three easy steps.


1. You name the critical software.

List the vendor systems your operations depend on, and connect Codekeeper to the repositories and platforms they live in.


2. We run tests and record the results.

We rebuild each system, confirm it runs, and tie the results to the NIST CSF 2.0 Recover function and relevant IT Handbook booklets.

Codekeeper Software Resilience Certificate
Provider: Acme Cloud Ltd
Tier: Certified
Recovery test: Passed · 14 Jun 2026
Valid to: 14 Jun 2027
Authorized · Codekeeper
Verified

3. You hand the examiner one pack.

The proof arrives in the framing they reference, assembled and current ahead of your next exam.

Set up in a day. From there, the pack stays current on its own — ready for every exam cycle.

Book a demo

These companies’ systems are protected, compliant, and resilient.

They made the decision. They built their resilience. They have peace of mind. You can too.
“We’ve had a great experience with CodeKeeper. The setup process was smooth, and the team made everything very straightforward. Knowing our critical software assets are securely protected gives us real peace of mind. Their support has been responsive and professional, and the overall service has been reliable and easy to work with. Highly recommended.”

Jordan Adler

“We worked with Codekeeper as our escrow provider for major enterprise deployments and found them to be extremely professional, responsive, and flexible throughout.
I'd highly recommend Codekeeper. They clearly understand the realities of working with growing tech businesses and enterprise customers alike.”

Ross Kilshaw

“I found Codekeeper's solution excellent for what I need. I scheduled a demo to better understand the possibilities. Very easy! It was a clear and straightforward meeting, focused exactly on what I needed. Excellent service!”

Thiago Mendes

Airbus · Bayer · EU Parliament · General Motors · Intuit · Nestle · Pepsico · Pfizer
Framework mapping

Repurpose the same proof that clears FFIEC for all your frameworks.

The tested record behind your NIST CSF 2.0 Recover evidence is the same proof your other frameworks call for. Run the recovery test once, and reuse it everywhere you’re held to a continuity standard.
  • FFIEC — NIST CSF 2.0: Tested proof for Recover function and IT Handbook booklets.
  • ISO 27001 — A.5.30: ICT readiness for business continuity.
  • SOC 2 — CC9: Subservice organization and vendor continuity evidence.
  • DORA — Art. 28 / Arts. 24–25: ICT third-party exit and continuity testing.
  • NIS2 — Art. 21(2)(c): Business continuity, backup, and disaster recovery.
What's at stake

An untested recovery plan is the gap examiners are trained to spot.

Without it (just a deposit)

  • Unconfirmed Recover evidence becomes a finding — then a Matter Requiring Attention: a remediation plan, a deadline, a mandatory fix.
  • Fail the next cycle, and it’s a repeat finding — risking a downgraded rating, an MOU, or a consent order.
MRA: a Matter Requiring Attention isn't filed and forgotten. It goes to your board, and stays open and tracked across exams until you can prove recovery works.

With the evidence pack

  • The recovery review closes on the first pass — the finding never opens.
  • Testing runs every year, so the proof is current for the next exam.
  • The same tested record also answers NIS2, ISO 27001, and SOC 2.
Sample pack

Page through a real FFIEC evidence pack.

Inside: the recovery records and the CSF 2.0 mapping, laid out exactly the way an examiner receives them. It's the fastest way to see what real recovery proof looks like.
Get the sample FFIEC evidence pack

We’ll email the sample FFIEC evidence pack to you.

Make your next recovery review a formality.

FFIEC exams run on a schedule, so the day an examiner tests your third-party recovery is waiting for you. Delay too long, and there won't be time left to test. Codekeeper's FFIEC evidence pack hands you the evidence you need, on a recurring cycle, to pass every exam, every time.

Frequently asked questions

What is the FFIEC evidence pack?
It's Codekeeper’s recovery-test and deposit records, mapped to NIST CSF 2.0 and the FFIEC IT Examination Handbook booklets, so financial institutions can prove their third-party software continuity to examiners.
How often does the recovery test need to be redone?
For critical third-party services, FFIEC guidance expects recovery to be tested at least annually — more often if your risk assessment or a significant change calls for it. And a test only proves recovery as of the day it ran. Vendors ship new versions constantly, so a result from last year may no longer reflect the software you actually depend on. Codekeeper reruns the build-and-run test on a schedule you set, and keeps the deposit current with daily syncs, so the evidence stays true to the software as it runs today.
Does FFIEC still use the Cybersecurity Assessment Tool (CAT)?
No. The FFIEC retired the CAT on August 31, 2025, and points institutions to resources such as NIST CSF 2.0 alongside the IT Handbook booklets. The pack is built to the current framing.
How is this different from a software escrow deposit?
A deposit is storage. The pack proves the deposit was tested for recovery and maps that proof to the framing examiners reference. 90% of untested deposits fail when triggered, so the pack is the proof yours will not.
Which FFIEC requirements does this cover?
Third-party software risk oversight, mapped to the Business Continuity Management and Information Security booklets and the NIST CSF 2.0 Recover function.
How do I get the FFIEC evidence pack?
Book a demo, and we'll map your in-scope systems, or download the sample pack to see the format first.