Which CAF profile should I use?

Where to document the output of this step: GovAssure Scoping Document (Stage 2 – Part B: Identifying the in-scope critical systems for GovAssure)

Resource material: CAF profiles

Introduction to the CAF profiles

After identifying system boundaries, an organisation will decide which target Government CAF profile the system will be assessed against – either the Baseline or Enhanced profile. GovAssure currently only applies to systems carrying a maximum classification of OFFICIAL information.

The CAF was designed to be sector-agnostic and as future-proof as possible as cyber risks continue to evolve. So, the use of the CAF profiles allows the CAF to remain in-line with evolving threats. It was designed to support the principle of ‘profiles’, which define a target status for each contributing outcome (‘not achieved’, ‘achieved’, or for some contributing outcomes, ‘partly achieved’), serving as an expected baseline or a target achievement state to reach.

For the purposes of GovAssure, two profiles have been developed and agreed by GSG, NCSC and the Central Digital and Data Office (CDDO) and are designed to meet the objective of the Government Cyber Strategy to make Government services resilient to known threats and vulnerabilities. These profiles are as follows:

Baseline

This profile will be the minimum baseline standard for all organisations. All organisations will need to be assessed against the Baseline profile. An attack on a system under the Baseline profile might be detected and remediated at a later point in the attack chain. The organisation may not have the capability to detect it independently but might be notified of it by a third party in the case of more sophisticated activity.

Enhanced

For systems and organisations that face a higher threat, they will need to consider using the Enhanced CAF profile. High threat drivers could include organisation’s hosting Government CNI, PII datasets, those with wider dispersed geography and those performing national security functions. The Enhanced profile does not represent a higher classification tier or change the threat profile of official information. Above all it does not assume that an official system can or should be entirely impenetrable to an advanced state adversary.

How to assign the CAF Government profiles and factors that may affect its application

Once the organisation has identified the critical systems in scope for GovAssure, they are responsible for determining and assigning the Baseline or Enhanced profile to each systems (requires signing in), on a system-basis. By default, and for most systems, the Baseline profile is most commonly applied, but the Enhanced profile should be automatically applied to government CNI systems and where there may be factors that make the system a higher threat target for attack. A small minority of organisations may consider their whole organisation to fall under the Enhanced profile by default with some baseline exceptions. Organisations may have already performed the Criticalities analysis for CNI.

This selection of CAF profile should be determined in the first instance by the service and system owner and include consideration to the GovAssure Scoping Document as follows:

• Review the context of the organisation itself based on the information identified as part of the scoping exercise and included within the GovAssure Scoping Document (Stage 1 – Part A: Organisational Mission, Objectives and Priorities)
• Determining how significant to the delivery of the overall mission the critical system is
• Think about whether the critical system has characteristics that differentiate it from other systems and may increase the threat profile, making the critical system an even more attractive target for attackers (when compared to other critical systems that would typically fall in under the Baseline profile).
• Consider the risk appetite around adversary activity in the system and how far your operations could tolerate it.

Deciding when to apply the Enhanced Profile

Given the diversity of systems within government, a guide has been produced which should not be considered exhaustive, but provides a roadmap to determining where the Enhanced profile may be appropriate. Examples of factors are shown on the next page.

Ultimately, the risk owner for the business output and the CISO (or equivalent role) should take a view on their risk tolerance to compromise in the system and whether it justifies the more comprehensive controls under the Enhanced profile.

Step 1. Use the Scoping document to identify critical systems

Step 2. Check, has your organisation performed the CNI Criticalities process?

Step 3a. If yes to 2. All Systems declared government CNI are in scope. Other systems reviewed under the process may still be candidates for the enhanced profile and should be considered on their merits and dependencies in this process

Step 3b. If no to 2. the organisation should separately be priorities completing a criticalities process and this should be flagged internally.

Step 4. Systems should be assigned target CAF Profile considering impact, intent and opportunity

Step 5. Considerations:

Consideration 1. Risk Owner Tolerance

Where risks owners have a particularly low tolerance to activities impacting their systems. Examples:

• Loss of service creates risk to life, serious loss of public faith in government, serious economic risk, or impact to national security (system should be flagged with GSG for review with CNI team at this stage before progressing further).

• High availability requirements – the isolation of system or downtime would create serious risk through a lack of redundancy in process, or where backup data and services are a resilience measure of absolute last resort.

Consideration 2. Adversary Intent

Where specific factors relation to the system make it more of an attractive target for adversaries Examples:

• System contains highly desirable data which will justify more persistent attempts for access:
• Large PII data sets, any data set with visible sensitive identity data (vulnerable or protected individuals)
• Information relating to national security matters
• High value or important sovereign intellectual property (for example S+T, defence, nuclear, finance, national economy)
• Intent is evidenced by previous attacks or identified persistent attempts to access (over and above e.g. routine external scanning).

Consideration 3. Heightened exposure threat

Where there is an opportunity for deliberate or opportunities adversary activities,or where exposure increases likelihood of harm through unintended consequences from wider activity. Examples:

• System has levels of exposure which make it harder to mitigate access opportunities
• Infrastructure operates in more permissive international geographic areas, particularly those where UK presence may be targeted
• Infrastructure has exposure through mixed physical access (for example, infrastructure in areas with public access, or a large publicly interactive threat surface which cannot be segregated from onward networked access to valuable or high-risk assets).

Step 6. CISO (Or Equivalent) takes a view of all the systems in scope to determine any cases where the organisation may plan to assign the Enhanced profile

Step 7. Discuss and agree final profile allocation with GSG

An internal consultation should take place between a combination of service and systems owners in the first instance. The justification for considering applying the Enhanced profile should be documented in the GovAssure Scoping Document. The CISO or equivalent should provide independent challenge as to the holistic critical system landscape and whether they agree with the potential assignment of the Enhanced profile, and take a view across all the systems in scope.

Where an organisation comes to this conclusion (excluding CNI systems), they should consult with GSG to determine the factors leading to this decision. Any application will be based on the conditions of the specific system and relevant level of threat.

Documenting the results in the GovAssure Scoping Document

You should document the result of 2.4 in the GovAssure Scoping Document, Stage 2 - Part B: Identifying the in-scope critical systems for GovAssure in the section marked Applying the target Baseline or Enhanced Profile

Next Steps

By completing Stage 2 you will have developed an understanding of the critical systems that underpin the essential services (Stage 2 – Part A) and will have a prioritised and approved list of the critical systems you intend to take forward to the CAF self-assessment (Stage 3). You will also understand the Government CAF target profiles for each system that you intend to assess them against (Stage 2 – Part B). This will ensure that the appropriate level of assurance and controls are applied for each in-scope system.

You will then be in a position to discuss and agree the GovAssure Scoping Document with GSG.

Outcomes

As an organisation you have:

1. Completed the GovAssure Scoping Document for the organisation – Stage 2 – Part A and Part B and developed an in-depth view of Critical Systems, their components and dependencies.
2. Allocated a target CAF profile for them to be assessed against as part of the Stage 3 CAF self-assessment.
3. A clear articulation of the intended scope for GovAssure to discuss and agree with GSG.
4. A clear articulation of the intended scope for the CAF self-assessment, so that you’re in a position to plan ahead for the independent assurance review and help to begin commercial engagement.
5. The ability to articulate Lenses 3-5 of the Five Lens model (for your in-scope systems).
6. An agreed methodology for understanding the relative importance/prioritisation of the Critical Systems you’ve shortlisted for scoping consideration.
7. Agreement of the GovAssure Scoping Document by the GovAssure Accountable Officer.
8. Issued wider communications regarding GovAssure within the organisation to help drive support and engagement, particularly among system owners.

Back to Stage 2   Move on to Stage 3