The following provides a series of suggested steps for cyber teams and system owners to take in approaching the self-assessment:
The GovAssure Scoping Document should be shared with all relevant stakeholders so that they are aware of the essential services, the in-scope systems, and the CAF Government Profiles assigned to those systems for GovAssure.
All stakeholders need a good understanding of the CAF before completing the CAF self-assessment. To anyone unfamiliar with it, the CAF can seem complex, so it is important to make sure that system owners understand its structure and how it should be interpreted. We advise that teams first discuss and describe each high-level CAF principle before focusing on its contributing outcomes and indicators of good practice (IGPs). A WebCAF Organisation Lead must also be defined for your organisation; they will be responsible for configuring access and permissions in WebCAF.
The GovAssure Pilot showed that it helps to develop a delivery plan for the self-assessment, with agreed timeframes for its completion. This allows progress to be monitored and supports the scheduling of the independent assurance review.
Understanding your Cyber and IT Operating Model, and mapping it against the roles and input the CAF expects for each objective, principle and contributing outcome, is essential to completing the CAF self-assessment efficiently, because it makes clear how responsibilities are divided.
Establishing this first also identifies any gaps in information or responsibility. System owners are usually key stakeholders, and their input and engagement are considered essential. Raising awareness of GovAssure and the CAF among system owners and other relevant individuals and teams as early as possible will support those involved in completing the CAF self-assessment.
Completing the CAF self-assessment will call upon multiple individuals. The organisation should obtain an early view of who will be required to contribute, so that expectations for their input and the timescales can be communicated.
WebCAF supports a range of roles and responsibilities to allow joint working, with customisable permissions that restrict access to individual system assessments where required. Users can be given either edit or read-only access.
There are three categories of user profiles, and they are organised as follows:
Organisation cyber teams should workshop responses at the contributing-outcome level to obtain an initial view of what a response might look like. This is also a good opportunity to confirm who will respond to each contributing outcome: some can be completed at an enterprise level by the organisation's cyber security team, whereas others must be completed at a system level by individual system owners or teams.
You may also find that information relating to some IGPs is held by an individual or team other than the system owner. This needs to be identified before the formal self-assessment commences, so that the relevant team and the system owner both know which parts of the self-assessment they are contributing to. When you workshop the contributing outcomes, keep the Target Government CAF Profile in mind, as it sets the expectations for achievement of each contributing outcome and what you will be assessed against: "not achieved", "achieved" or, in some cases, "partially achieved". This keeps effort focused on the level relevant to your organisation and avoids wasted work. Consider what evidence you will provide against each IGP, and use the workshop to construct an initial response and identify the evidence that should be referenced.
Organisations should complete ‘Objective A’ of the CAF first and advise GSG when this has been completed.
Organisations should consider collating evidence before they begin populating WebCAF, organising it logically by objective, principle, contributing outcome and IGP. Ensure that evidence is collated and referenced in a way that is appropriate and accessible for the independent reviewer, for example in a shared folder structure. The collated evidence pack is what allows the reviewer to test whether the contributing outcomes are being met.
We recommend that your organisation schedules regular updates with the individuals identified as key stakeholders in completing the self-assessment, so that progress remains on track and any questions or issues can be escalated and resolved.
Throughout the completion of the self-assessment, the quality of the narrative and evidence being provided should be reviewed regularly, so that any issues are identified and resolved in good time before submission and the independent review at Stage Four.
### 10. Sign-off and submission of the self-assessment
It is recommended that you define and agree an internal process for your organisation that provides appropriate senior visibility, quality assurance and approval to submit the self-assessment via WebCAF. As a minimum requirement, sign off and submission of the final self-assessment should be agreed between the GovAssure accountable officer and the GovAssure coordination lead.