The Cyber Assessment Framework is a high level framework developed by the National Cyber Security Center (NCSC), the UK's technical authority on cyber security. It represents an industry framework that is used by operators of essential services under the Network and Information Systems regulations as well as more widely across the private sector, including Critical National Infrastructure (CNI) sectors. Adopting the CAF ensures that government is assessing its cyber resilience in a consistent and comparable way to other organisations that operate the UK's essential services. This will also lead to a much greater central visibility of cyber capability, risk and resilience than is possible to gather currently and will allow for greater insights and targeted remediation activities where they are most required.
NCSC's CAF provides a systematic and comprehensive approach for assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible for them. The framework is comprised of core components, including 'objectives', 'principles', 'contributing outcomes' and 'indicators of good practice' (IGPs). The CAF is intended to be used both by the organisation itself (for self-assessment) and by the independent assessor during the assurance review .
The CAF is structured around four overall security objectives and 14 cyber security principles or outcomes:
Objective A: Managing security risk - Appropriate organisational structures, policies and processes are in place to understand, assess, and systemically manage security risks.
A1 Governance
A2 Risk management
A3 Asset management
A4 Supply chain
Objective B: Protecting against cyber attack - Proportionate security measures are in place to protect core government functions and critical systems from cyber attack.
B1 Services protection policies and processes
B2 Identity and access control
B3 Data security
B4 System security
B5 Resilient networks and systems
B6 Staff awareness
Objective C: Detecting cyber security events - Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect core government functions.
C1 Security monitoring
C2 Proactive security event discovery
Objective D: Minimising the impact of cyber security incidents - Appropriate organisational structures, policies and processes are in place to understand, assess and systemically manage security risks.
D1 Response and recovery planning
D2 Lessons learned
The objectives should be viewed as interdependent, for example, it is important to have a strong cyber governance and risk foundation, as well as understanding what to secure (Objective A) before being able to adequately implement measures to protect it (Objective B). The CAF should also contribute to performing continual security improvement activity through the detection of incidents and events contributing to lessons learned and the continual refinement of existing security measures.
Objectives A and D are generally considered “organisational” level objectives. Generally, it would be likely that answers from one assessment can be re-used to cover multiple critical systems. However, we do recognise that in larger organisations this level of agreement may not always apply and there may be different arrangements applicable to individual systems. For the most part, Objectives B and C are considered “system specific” and therefore each system is assessed independently.
Each of the four objectives and 14 outcomes are supported by a series of 39 contributing outcomes.
For example, in NCSC's CAF Data and System Security are important outcomes of Objective B - being two elements, among others, that contribute to the objective protecting against cyber attack
As an example, the contributing outcomes of 'understanding data' contributes to the outcome for 'B3: data security'.
This means the organisations should assess the security posture and demonstrate that they are using appropriate and proportionate security measures in relation to the contributing outcomes. It is not expected that an organisation will receive an 'achieved' status for every outcome, as this would likely be disproportionate to the risks faced by an OFFICIAL system and would lead to inefficient use of resources. This is where specific 'CAF Government Profiles' apply, as described below.
The CAF was designed to be sector-agnostic and as future-proof as possible. It was designed to support the principle of 'profiles', which define a target status for each contributing outcome ('not achieved', 'achieved', or for some contributing outcomes, 'partly achieved'), serving as an expected baseline or a target state to reach.
For the purposes of GovAssure, two profiles have been developed and agreed by Government Security Group (GSG), NCSC and Central Digital and Data Office (CDDO). Please note that access to the two GovAssure CAF profiles is only available via signed in access to security.gov.uk.
These were developed by modelling the most likely impactful government organisation attacks against the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK ®) framework and determining the indicators of good practice within the outcomes of CAF that would mitigate the attack. The CAF Government profiles are as follows:
Baseline profile: This profile will be the minimum baseline standard for all organisations. All organisations will need to be assessed against at least the Baseline profile. An attack on a system under the Baseline profile might be detected and remediated at a later point in the attack chain, and the organisation may not have the capability to detect it independently but might be notified of it by a third party in the case of more sophisticated activity.
Enhanced profile: For systems and organisations that face a higher threat, they will need to consider using the Enhanced CAF profile. High threat drivers could include organisations hosting government CNI, Personally Identifiable Information (PII) datasets, those with wider dispersed geography and those performing national security functions. The Enhanced profile does not represent a higher classification tier or change the threat model of OFFICIAL information. Above all it does not assume that an OFFICIAL system can or should be entirely impenetrable to an advanced state adversary.
NCSC developed IGPs to help organisations assess their cyber security practices against the contributing outcomes. These are not intended to remove the use of cyber security expertise and organisation knowledge and are not designed to be used as a 'tick-list'. They are designed to provide a good starting point for discussions and can help to 'workshop' conversations around the achievement of the overall contributing outcomes and should be used in conjunction with NCSC and Government guidance.
The IGPs are not intended to be exhaustive, and organisations may implement additional good practice or compensating controls which would otherwise return an "Achieved" or "Partially Achieved" Contributing Outcome.
Where alternate good practice is implemented, this must be appropriately evidenced, and the assurance reviewers must consider this as part of their review.
Organisations will be required to demonstrate how they meet each Contributing Outcome and the stated IGPs by providing statements and evidence.
The GovAssure process will result in 39 individual self-assessed judgements on contributing outcomes reflecting the circumstances of the system and wider organisation.
Each outcome is associated with a set of IGPs which are broken down into the following three categories with an explanation of how they should be interpreted, and it is recommended that these are worked through from top to bottom:
Not achieved: The 'not achieved' column of an IGP table defines the typical characteristics of an organisation not achieving that outcome. It is intended that the presence of any one indicator would normally be sufficient to justify an assessment of 'not achieved' at the contributing outcome level.
Partially achieved: When present, the 'partially achieved' column of an IGP table defines the typical characteristics of an organisation partially achieving that outcome. It is also important that the partial achievement is delivering specific worthwhile cyber security benefits. Assessing at 'partially achieved' should represent more than giving credit for doing something vaguely relevant.
Achieved: The 'achieved' column of an IGP table defines the typical characteristics of an organisation fully achieving that outcome. It is intended that all the indicators would normally be present to support an assessment of 'achieved' at the contributing outcome level.
OFFICIAL