
Author: Government Security Group

Last updated: 2025-08-28

Stage 2: Identify your in-scope systems and assign Government Cyber Assessment Framework (CAF) profiles

Stage 2 of GovAssure focuses on your organisation’s critical systems.

You will need to scope all of the critical systems in your organisation, select the ones for assessment in the current year, and assign them the appropriate Government Cyber Assessment Framework (CAF) profile.

During stage 2 you will continue to fill out the following parts of the scoping document:

  • part A – identify and define all of the critical systems that support your organisation’s essential services
  • part B – select which systems will be assessed in the current year, document them and assign Government CAF profiles to them

Identify and define all of your organisation’s critical systems

In part A of stage 2, you must capture the high-level details of all the critical systems that support each essential service, and record them in your scoping document.

This should include:

  • the system name in full 
  • a description of the system
  • the essential services it supports
  • if it has previously been assessed by GovAssure
  • if the system is internet-facing

Internet-facing means a system that can be reached over the internet through any port, protocol or service. GDS is collecting data about internet-facing systems so that it can categorise and fix critical vulnerabilities across public domains.

Note: It is important that you use the full system name and do not use abbreviations or acronyms in your scoping document. This is so the name matches the data entry in WebCAF at stage 3.

Using the 5 Lens Model

If you have used the 5 Lens Model during stage 1, you can use lenses 3 and 4 in stage 2 to help identify your critical systems and the supporting infrastructure.

Sites that support the delivery of an essential service, such as physical data centres or hosted cloud providers, are not in scope for a GovAssure assessment. However, it is good practice to understand and document them during the scoping exercise. You can use lens 5 to do this.

Decide the systems you will assess

Your organisation must choose a practical number of critical systems to take through GovAssure. Your service and system owners must agree which systems to include.

The following questions can help you to decide which critical systems you will assess now and in future assessment years.

  1. Are the owners for the critical system engaged and are they aware of GovAssure?
  2. Is the system designated government-sector Critical National Infrastructure (CNI)? If the answer is yes, you must prioritise this system for assessment in the current year.
  3. How critical is this system to the delivery of your organisation’s essential services? You might ask:
    • If this system stopped working, what would happen?
    • Are there other systems or processes that rely on the system?
    • What’s the financial and operational cost of downtime or loss of the system?
    • Would failure to operate create risk to the public or government?
    • Would failure to operate violate a legal or regulatory requirement?

Document the systems for assessment

In part B of stage 2, you must document the details of each critical system being assessed in the current year, and record them in your scoping document.

You should record:

  • the full name of the system and the essential services it supports
  • a full description of the system, including why it has been considered within scope
  • a breakdown of the system components, such as applications and infrastructure
  • key dependencies required to deliver the system and its services
  • details of which other systems, suppliers, and organisations the system interacts with (the system boundary)
  • any system diagrams that support the other information captured

Your organisation may already have documentation that can help you get a high-level view of the critical system. These could be:

  • network diagrams
  • asset inventories
  • data flow diagrams
  • system architecture diagrams

System boundaries

When you decide on a system boundary, it is important to be aware of how its size might affect other critical dependencies.

For example, if you decide on a boundary that is too narrow, you may exclude dependencies that are critical and that need to be assessed. If you decide on a boundary that is too large, it could overlap with other systems or processes. If any of these are outside your organisation’s control, they cannot be in scope for the assessment.

Assign CAF profiles to your systems

The Cyber Assessment Framework (CAF) was developed by the National Cyber Security Centre (NCSC). When you have agreed which critical systems are being assessed in the current year, you should then decide which Government CAF profile to assign to them.

There are 2 Government CAF profiles agreed by NCSC and GDS, “baseline” and “enhanced”. Each profile defines a target achievement level for every contributing outcome in the CAF.

The profiles represent the standards that your organisation must meet to make government services resilient to known threats and vulnerabilities. These are set out in the Government Cyber Security Strategy (GCSS).

Assigning one of the CAF profiles to a system should be a collaborative exercise between the chief information security officer (CISO), the system owners and the cyber security team. For lead government departments, GDS cyber advisors will also be involved.

It is important to consider the factors that may make the system a more attractive target, and whether there is a low tolerance for the system being disrupted.

Baseline CAF profile

The Baseline CAF profile is the minimum baseline standard that organisations will be assessed against and is the suitable profile for the majority of critical systems. It is modelled on untargeted attacks by an unskilled attacker.

Enhanced CAF profile

The Enhanced CAF profile sets a higher standard of achievement and is modelled on attacks conducted by a moderately skilled or expert attacker.

Your organisation must assign this profile to CNI systems.

You may also consider assigning it to systems that you believe are an attractive target for attack.

There are a number of factors that may make a system more attractive to attackers. For example, if the system:

  • creates a risk to life if it fails or is damaged
  • stores personally identifiable information (PII) datasets, with visible sensitive identity data (such as for vulnerable or protected individuals)
  • is involved in the delivery of national security functions
  • holds high value or important sovereign intellectual property, for example science and technology, defence, nuclear or finance information
  • has been attacked previously or there have been persistent attempts to access it
  • is used as a back-up for another critical system or process

If your organisation is dispersed geographically, or operates in international areas where a UK presence may be targeted, this can be a reason for assigning the enhanced CAF profile to your systems.

It is also important to consider the reputational and economic risks that could be caused by an attack on a critical system.

Note: If you assign the enhanced profile to a system and the profile’s target status is met, you should not assume that the system is entirely impenetrable to an advanced state adversary.

Decide which Government CAF profile to use

Using what you have recorded in your scoping document during stage 1, you should ask your service and system owner and CISO (or equivalent risk owner) to decide which CAF profile is necessary.

This means:

  • reviewing the context of the organisation and its mission, priorities and essential services
  • determining how significant the critical system is to the delivery of the essential service

If you are assigning the enhanced profile to a system, you should compare the system to others assigned the baseline profile and consider:

  • if the critical system has characteristics that differentiate it from other systems and make it an attractive target for attackers
  • the risk appetite towards the system and the impact to your organisation’s operations of compromise in the system
  • if more comprehensive controls under the enhanced profile are justified

Get your scoping document approved

When the scoping document has been completely filled in, it will need to be cleared by the responsible individual within your organisation.

The CISO or equivalent must:

  • review and sign off the scoping document
  • provide independent challenges to the scoping of the critical systems, including all profile assignments

When your scoping document has been cleared internally, you will need to share it with your GDS cyber advisor for review and sign-off.

Next steps

When you have completed stage 2 of GovAssure in your scoping document, you will have recorded the details of your organisation’s critical systems and the systems undergoing assessment in the current year. You will also have documented each system and assigned a Government CAF profile to them.

You will now be ready to complete your WebCAF self assessment at stage 3.
