Skip to main content

This is a new service – your feedback will help us to improve it.

  1. Guidance
  2. GovAssure
  3. Which CAF profile should I use?

Which CAF profile should I use?

Where to document the output of this step: GovAssure Scoping Document (Stage 2 – Part B: Identifying the in-scope critical systems for GovAssure)

Resource material: CAF profiles

Introduction to the CAF profiles

After identifying system boundaries, an organisation will decide which target Government CAF profile the system will be assessed against – either the Baseline or Enhanced profile. GovAssure currently only applies to systems carrying a maximum classification of OFFICIAL information.

The CAF was designed to be sector-agnostic and as future-proof as possible as cyber risks continue to evolve. So, the use of the CAF profiles allows the CAF to remain in-line with evolving threats. It was designed to support the principle of ‘profiles’, which define a target status for each contributing outcome (‘not achieved’, ‘achieved’, or for some contributing outcomes, ‘partly achieved’), serving as an expected baseline or a target achievement state to reach.

For the purposes of GovAssure, two profiles have been developed and agreed by GSG, NCSC and the Central Digital and Data Office (CDDO) and are designed to meet the objective of the Government Cyber Strategy to make Government services resilient to known threats and vulnerabilities. These profiles are as follows:


This profile will be the minimum baseline standard for all organisations. All organisations will need to be assessed against the Baseline profile. An attack on a system under the Baseline profile might be detected and remediated at a later point in the attack chain. The organisation may not have the capability to detect it independently but might be notified of it by a third party in the case of more sophisticated activity.


For systems and organisations that face a higher threat, they will need to consider using the Enhanced CAF profile. High threat drivers could include organisation’s hosting Government CNI, PII datasets, those with wider dispersed geography and those performing national security functions. The Enhanced profile does not represent a higher classification tier or change the threat profile of official information. Above all it does not assume that an official system can or should be entirely impenetrable to an advanced state adversary.

How to assign the CAF Government profiles and factors that may affect its application

Once the organisation has identified the critical systems in scope for GovAssure, they are responsible for determining and assigning the Baseline or Enhanced profile to each systems, on a system-basis. By default, and for most systems, the Baseline profile is most commonly applied, but the Enhanced profile should be automatically applied to government CNI systems and where there may be factors that make the system a higher threat target for attack. A small minority of organisations may consider their whole organisation to fall under the Enhanced profile by default with some baseline exceptions. Organisations may have already performed the Criticalities analysis for CNI.

This selection of CAF profile should be determined in the first instance by the service and system owner and include consideration to the GovAssure Scoping Document as follows:

Deciding when to apply the Enhanced Profile

Given the diversity of systems within government, a guide has been produced which should not be considered exhaustive, but provides a roadmap to determining where the Enhanced profile may be appropriate. Examples of factors are shown on the next page.

Ultimately, the risk owner for the business output and the CISO (or equivalent role) should take a view on their risk tolerance to compromise in the system and whether it justifies the more comprehensive controls under the Enhanced profile.

Step 1. Use the Scoping document to identify critical systems

Step 2. Check, has your organisation performed the CNI Criticalities process?

Step 3a. If yes to 2. All Systems declared government CNI are in scope. Other systems reviewed under the process may still be candidates for the enhanced profile and should be considered on their merits and dependencies in this process

Step 3b. If no to 2. the organisation should separately be priorities completing a criticalities process and this should be flagged internally.

Step 4. Systems should be assigned target CAF Profile considering impact, intent and opportunity

Step 5. Considerations:

Consideration 1. Risk Owner Tolerance

Where risks owners have a particularly low tolerance to activities impacting their systems. Examples:

Consideration 2. Adversary Intent

Where specific factors relation to the system make it more of an attractive target for adversaries Examples:

Consideration 3. Heightened exposure threat

Where there is an opportunity for deliberate or opportunities adversary activities,or where exposure increases likelihood of harm through unintended consequences from wider activity. Examples:

Step 6. CISO (Or Equivalent) takes a view of all the systems in scope to determine any cases where the organisation may plan to assign the Enhanced profile

Step 7. Discuss and agree final profile allocation with GSG

An internal consultation should take place between a combination of service and systems owners in the first instance. The justification for considering applying the Enhanced profile should be documented in the GovAssure Scoping Document. The CISO or equivalent should provide independent challenge as to the holistic critical system landscape and whether they agree with the potential assignment of the Enhanced profile, and take a view across all the systems in scope.

Where an organisation comes to this conclusion (excluding CNI systems), they should consult with GSG to determine the factors leading to this decision. Any application will be based on the conditions of the specific system and relevant level of threat.

Documenting the results in the GovAssure Scoping Document

You should document the result of 2.4 in the GovAssure Scoping Document, Stage 2 - Part B: Identifying the in-scope critical systems for GovAssure in the section marked Applying the target Baseline or Enhanced Profile

Next Steps

By completing Stage 2 you will have developed an understanding of the critical systems that underpin the essential services (Stage 2 – Part A) and will have a prioritised and approved list of the critical systems you intend to take forward to the CAF self-assessment (Stage 3). You will also understand the Government CAF target profiles for each system that you intend to assess them against (Stage 2 – Part B). This will ensure that the appropriate level of assurance and controls are applied for each in-scope system.

You will then be in a position to discuss and agree the GovAssure Scoping Document with GSG.


As an organisation you have:

  1. Completed the GovAssure Scoping Document for the organisation – Stage 2 – Part A and Part B and developed an in-depth view of Critical Systems, their components and dependencies.
  2. Allocated a target CAF profile for them to be assessed against as part of the Stage 3 CAF self-assessment.
  3. A clear articulation of the intended scope for GovAssure to discuss and agree with GSG.
  4. A clear articulation of the intended scope for the CAF self-assessment, so that you’re in a position to plan ahead for the independent assurance review and help to begin commercial engagement.
  5. The ability to articulate Lenses 3-5 of the Five Lens model (for your in-scope systems).
  6. An agreed methodology for understanding the relative importance/prioritisation of the Critical Systems you’ve shortlisted for scoping consideration.
  7. Agreement of the GovAssure Scoping Document by the GovAssure Accountable Officer.
  8. Issued wider communications regarding GovAssure within the organisation to help drive support and engagement, particularly among system owners.

Back to Stage 2   Move on to Stage 3