Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. GovAssure
  3. Introduction to the CAF

Introduction to the Cyber Assessment Framework (CAF)

Why adopt the CAF?

The Cyber Assessment Framework is a high level framework developed by the National Cyber Security Center (NCSC), the UK's technical authority on cyber security. It represents an industry framework that is used by operators of essential services under the Network and Information Systems regulations as well as more widely across the private sector, including Critical National Infrastructure (CNI) sectors. Adopting the CAF ensures that government is assessing its cyber resilience in a consistent and comparable way to other organisations that operate the UK's essential services. This will also lead to a much greater central visibility of cyber capability, risk and resilience than is possible to gather currently and will allow for greater insights and targeted remediation activities where they are most required.

What is the CAF?

NCSC's CAF provides a systematic and comprehensive approach for assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible for them. The framework is comprised of core components, including 'objectives', 'principles', 'contributing outcomes' and 'indicators of good practice' (IGPs). The CAF is intended to be used both by the organisation itself (for self-assessment) and by the independent assessor during the assurance review .

The CAF explained

The CAF is structured around four overall security objectives and 14 cyber security principles or outcomes:

Objective A: Managing security risk - Appropriate organisational structures, policies and processes are in place to understand, assess, and systemically manage security risks.


Objective B: Protecting against cyber attack - Proportionate security measures are in place to protect core government functions and critical systems from cyber attack.


Objective C: Detecting cyber security events - Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect core government functions.


Objective D: Minimising the impact of cyber security incidents - Appropriate organisational structures, policies and processes are in place to understand, assess and systemically manage security risks.


The objectives should be viewed as interdependent, for example, it is important to have a strong cyber governance and risk foundation, as well as understanding what to secure (Objective A) before being able to adequately implement measures to protect it (Objective B). The CAF should also contribute to performing continual security improvement activity through the detection of incidents and events contributing to lessons learned and the continual refinement of existing security measures.

Objectives A and D are generally considered “organisational” level objectives. Generally, it would be likely that answers from one assessment can be re-used to cover multiple critical systems. However, we do recognise that in larger organisations this level of agreement may not always apply and there may be different arrangements applicable to individual systems. For the most part, Objectives B and C are considered “system specific” and therefore each system is assessed independently.

Contributing outcomes

Each of the four objectives and 14 outcomes are supported by a series of 39 contributing outcomes.

An outcome is a high-level security principle that contributes to GovAssure compliance.

For example, in NCSC's CAF Data and System Security are important outcomes of Objective B - being two elements, among others, that contribute to the objective protecting against cyber attack

A contributing outcome supports the achievement of security outcomes and represents specific requirements to mitigate cyber risks faced by government organisations.

As an example, the contributing outcomes of 'understanding data' contributes to the outcome for 'B3: data security'.

Contributing outcomes can be assessed as 'not achieved', 'achieved', or for some contributing outcomes, 'partly achieved'.

This means the organisations should assess the security posture and demonstrate that they are using appropriate and proportionate security measures in relation to the contributing outcomes. It is not expected that an organisation will receive an 'achieved' status for every outcome, as this would likely be disproportionate to the risks faced by an OFFICIAL system and would lead to inefficient use of resources. This is where specific 'CAF Government Profiles' apply, as described below.

Government CAF profiles

The CAF was designed to be sector-agnostic and as future-proof as possible. It was designed to support the principle of 'profiles', which define a target status for each contributing outcome ('not achieved', 'achieved', or for some contributing outcomes, 'partly achieved'), serving as an expected baseline or a target state to reach.

For the purposes of GovAssure, two profiles have been developed and agreed by Government Security Group (GSG), NCSC and Central Digital and Data Office (CDDO). Please note that access to the two GovAssure CAF profiles is only available via signed in access to

These were developed by modelling the most likely impactful government organisation attacks against the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ®) framework and determining the indicators of good practice within the outcomes of CAF that would mitigate the attack. The CAF Government profiles are as follows:

Indicators of Good Practice (IGPs)

NCSC developed IGPs to help organisations assess their cyber security practices against the contributing outcomes. These are not intended to remove the use of cyber security expertise and organisation knowledge and are not designed to be used as a 'tick-list'. They are designed to provide a good starting point for discussions and can help to 'workshop' conversations around the achievement of the overall contributing outcomes and should be used in conjunction with NCSC and Government guidance.

The IGPs are not intended to be exhaustive, and organisations may implement additional good practice or compensating controls which would otherwise return an "Achieved" or "Partially Achieved" Contributing Outcome.

Where alternate good practice is implemented, this must be appropriately evidenced, and the assurance reviewers must consider this as part of their review.

Organisations will be required to demonstrate how they meet each Contributing Outcome and the stated IGPs by providing statements and evidence.

The GovAssure process will result in 39 individual self-assessed judgements on contributing outcomes reflecting the circumstances of the system and wider organisation.

Each outcome is associated with a set of IGPs which are broken down into the following three categories with an explanation of how they should be interpreted, and it is recommended that these are worked through from top to bottom:

  1. Not achieved: The 'not achieved' column of an IGP table defines the typical characteristics of an organisation not achieving that outcome. It is intended that the presence of any one indicator would normally be sufficient to justify an assessment of 'not achieved' at the contributing outcome level.

  2. Partially achieved: When present, the 'partially achieved' column of an IGP table defines the typical characteristics of an organisation partially achieving that outcome. It is also important that the partial achievement is delivering specific worthwhile cyber security benefits. Assessing at 'partially achieved' should represent more than giving credit for doing something vaguely relevant.

  3. Achieved: The 'achieved' column of an IGP table defines the typical characteristics of an organisation fully achieving that outcome. It is intended that all the indicators would normally be present to support an assessment of 'achieved' at the contributing outcome level.