WebCAF is the secure web portal, hosted on security.gov.uk, that organisations will use to record and submit their CAF self-assessment. Third-party reviewers will review organisations' self-assessments via WebCAF. WebCAF has been designed to present each contributing outcome clearly and logically. For each contributing outcome you can record a high-level statement, and for each of the corresponding grouped indicators of good practice (IGPs) you select from a drop-down whether the statement applies, using a yes, no, or not applicable selection. The IGP statements support the overarching contributing outcomes.
Assessors and other reviewers will use this information to understand what the organisation is doing well at the contributing outcome and IGP level, as well as where improvements can be made. WebCAF access is determined by each organisation and allows for multi-authoring across different roles and privileges within the organisation and across self-assessments. Access is restricted so that it is granted on an ‘as needed’ basis. If you are familiar with NCSC’s CAF, you may find that the presentation used and some of the wording is different in WebCAF, but the principles, interpretation and application of the CAF remain the same. In terms of presentation, some IGPs have been grouped to make it easier to comment against similar indicators.
WebCAF supports a number of different roles and responsibilities to allow for collaborative working, with customisable permissions to restrict access to individual system assessments as required and to grant either edit access or a ‘read only’ view. A WebCAF Organisation Lead will need to be nominated for your organisation; they will be responsible for configuring access and permissions for your organisation.
There are three categories of user profile, organised as follows:
- Organisation level users – these users are able to access the full view of the organisation, including all systems and related assessments.
- System level users – these users can only access the systems and related assessments to which they are granted access.
- Assessors – these are the independent assurance reviewers, and they can access only the assessments to which your organisation grants them access.
Once logged into WebCAF you will be presented with the dashboard. Click on the assessment button to go to the assessment view, where you can see all the current assessments for your organisation. Click on the assessment that you wish to start and you will be presented with the four CAF objectives (Objective A - Managing Security Risk, Objective B - Protecting against cyber attack, Objective C - Detecting cyber security events, Objective D - Minimising the impact of cyber security incidents). You can expand each objective to view the contributing outcomes, which are grouped by their relevant principle, together with progress against each. It will also show the government CAF profile against which the system is being assessed. Click on a contributing outcome to be taken to the next screen, which provides the contributing outcome narrative followed by the overall achievement rating and a comments box.
Organisations should consider each contributing outcome statement in WebCAF in turn and compare it with the organisation’s current practices. This will help to develop an initial view of current practices at the contributing outcome level. This could be achieved by key individuals providing initial commentary on the practices that support the contributing outcome. Alternatively, ‘workshopping’ the contributing outcomes can provide a ‘first pass’ high-level response that you then challenge and refine as you work through the supporting indicators of good practice (IGPs). Once you have worked through these, we recommend revisiting the overall contributing outcome narrative to provide a summary that reflects the individual IGP grouping statement narrative you will complete in the section below on WebCAF.
For each individual Stage 3 IGP statement within each group, you are required to:
For the IGP group as a whole, you are required to:
- Provide supporting narrative within the ‘organisation comments’ box at the IGP grouping level. Where you have selected ‘Not applicable’, it is important to be able to justify this conclusion with some supporting narrative – for example, that the process does not apply to your environment, or that you have a different control.
In each IGP group there is a drop-down to 'View, add or remove links to supporting evidence'. This is where you can reference the supporting evidence for the statements made against the IGPs.
The following is a worked example to demonstrate how to interpret the IGP summary table in WebCAF, which is located on the contributing outcome page between the contributing outcome comments and the IGP groupings. The worked example looks at the IGP summary for B3.a, where the result is “partially achieved”. Below is how the conclusion was reached:
A number of ‘Save Progress’ buttons exist throughout the assessment detail, and we recommend that you save regularly to ensure work is not lost. When you have worked through all the IGP groups supporting a contributing outcome and are happy with the content, you can click the ‘Save and go to assessment summary’ button.
For some principles, we have included additional mandatory supplementary questions to provide further data for understanding cross-government security needs. These questions have answers selected from drop-downs, and some include an additional free text field where supporting narrative is required. They will help to draw out important data to better understand key cyber security aspects.
You can find the WebCAF Privacy Notice here.
You can find the WebCAF Data Usage Policy here.