
Author: Government Security Group

Last updated: 2025-10-10

Stage 3: Complete your self-assessment using WebCAF

During stage 3 of GovAssure, you will assess your systems, gather supporting evidence and complete your self-assessment against NCSC’s Cyber Assessment Framework (CAF).

You will use the digital service WebCAF to complete your self-assessment. Your reviewer will use WebCAF in stage 4 to see your responses and complete their assessment.

Before you start stage 3, your scoping document must be signed off by the GovAssure team. Your GDS cyber advisor or Lead Government Department will let you know when this has been done.

Understanding the Cyber Assessment Framework (CAF)

GovAssure assesses critical government systems against the NCSC’s Cyber Assessment Framework (CAF).

Note: For assessments in 2025-26, GovAssure is using CAF version 3.2. Please be aware that this is not the latest version published by NCSC.

The CAF helps organisations:

  • assess and improve their cyber security and resilience
  • manage cyber risks 
  • protect essential services from cyber threats

Structure of the CAF

Objectives

The 4 objectives of the CAF are: 

  • Objective A: Managing security risk
  • Objective B: Protecting against cyber attack
  • Objective C: Detecting cyber security events
  • Objective D: Minimising the impact of cyber security incidents

The objectives are interdependent. For example, strong cyber governance and a clear understanding of what needs to be secured (objective A) are needed before protective measures (objective B) can be implemented effectively.

Principles

There are 14 principles which define cyber security outcomes and support the CAF objectives. Your organisation will have its own approach to achieving each principle.

Contributing outcomes

Each principle has a collection of security and resilience contributing outcomes, totalling 39.

Indicators of good practice (IGPs) 

Each contributing outcome is associated with a set of indicators of good practice (IGPs). These describe what you would expect to see in a system or organisation that has ‘achieved’, ‘partially achieved’ or ‘not achieved’ the contributing outcome.

You must select the relevant IGP statements for your system or organisation when you complete your self-assessment.

Your responses will affect your contributing outcome status. 

Changes to the self-assessment process and WebCAF 

GovAssure has made some changes to the self-assessment process in 2025-26. This includes a re-design of the WebCAF digital service.

Please make yourself familiar with these changes before you start preparing your self-assessment.

Providing comments

You only need to provide comments for individual IGPs if you have alternative controls or exemptions in place.

You can use the contributing outcome summary to provide supporting, evidence-backed statements at IGP level.

IGP groupings

Because not all IGPs have corresponding statements for ‘achieved’ and ‘not achieved’, IGPs are no longer grouped on WebCAF.

You must read every individual IGP and select those that apply to your system or organisation.

Contributing outcome B3.d – mobile data

We have removed the ‘Not applicable’ option for the contributing outcome B3.d – mobile data. 

This is because the exemption was being applied as if the outcome covered only mobile phones, when it covers all mobile devices, including laptops and tablets.

Note: If you believe this outcome still does not apply to your system, you will need to comment on this for each IGP response.

Supporting evidence 

For data security reasons, WebCAF does not store supporting evidence so the option to link to supporting evidence has been removed.

Preparing for your WebCAF self-assessment 

Before you complete your self-assessment on WebCAF, you will need to first prepare it in your organisation.

You should: 

  • agree and document an internal process for producing and signing off the self-assessment
  • agree who will be responsible for what in the self-assessment process, for example, system owners, the cyber security team, third-party suppliers, or enterprise-level colleagues
  • make sure stakeholders who will be supporting the self-assessment have a good understanding of the CAF and the relevant Government CAF profile

You can use the GovAssure self-assessment and evidence collation template to record your responses as this is the same format as WebCAF.

GovAssure recognises that organisations may prefer their own way of working, so you can use any method that suits you to prepare your self-assessment.

Collecting and recording evidence

An important part of completing your self-assessment is collecting existing supporting evidence. Suitable supporting evidence can vary but might include:

  • policies
  • strategies
  • procedures
  • meeting minutes
  • plans

It is good practice to collect some or all the following documentation as a foundation for the self-assessment:

  • organisational and governance structure
  • governance reporting arrangements
  • risk management arrangements
  • roles and responsibilities
  • cyber security strategy or planned security initiatives and improvements
  • recent examples of any cyber security assessment or assurance activities
  • asset inventories
  • network architecture diagrams
  • architecture diagrams for each system in-scope (you may have already included this in your scoping document)

The CAF is consistent with several other cyber security frameworks that are used to manage risk, structures, and processes. If you use any of these frameworks in your organisation, you can use the CAF mapping document to find evidence that supports your self-assessment.

The frameworks included in the mapping are:

  • NIST SP 800-53 Rev.4
  • CIS CSC
  • COBIT 5
  • ISA 62443-2-1: 2009
  • ISA 62443-3-3: 2013
  • ISO/IEC 27001: 2013

Note: Any evidence you provide should be relevant and not created solely to support your self-assessment. 

GovAssure does not store evidence on WebCAF, so we suggest that you create a secure repository for your evidence, structured in line with the CAF. You can use the GovAssure self-assessment and evidence collation template, or you may choose to develop your own. You should make sure that access to your evidence repository is managed securely.

You will need to give your reviewer access to your evidence repository for stage 4. The reviewer will compare your WebCAF self‑assessment with the evidence, and decide whether it supports your IGP statement responses and overall contributing outcome status.

In order to make the process straightforward for your stage 4 reviewer, it would help to give them documentation that explains which materials they need to read. Make sure you cross-reference this clearly.

Responding to IGPs

Every IGP statement belongs to one of three categories:

  • achieved
  • partially achieved
  • not achieved

You will need to review all IGP statements, whatever their category, and select those that are true of your system or organisation.

Note: Your selections determine your contributing outcome status. To get a status of ‘achieved’ or ‘partially achieved’, you must select every IGP statement in that category.

Achieved status

A contributing outcome will be considered ‘achieved’ if you select all the ‘achieved’ and none of the ‘not achieved’ IGPs.

Partially achieved status

For some contributing outcomes you have the option to select from a set of ‘partially achieved’ IGPs. 

Note: A status of ‘partially achieved’ does not mean that some ‘achieved’ IGPs are true and some are not.

The ‘partially achieved’ IGPs describe the typical characteristics of an organisation delivering specific cyber security and resilience benefits, but not to the extent expected from ‘achieved’. 

Depending on the contributing outcome, ‘partially achieved’ may meet the relevant Government CAF profile. 

For a contributing outcome status to be ‘partially achieved’, you must:

  • select all ‘partially achieved’ IGPs
  • leave one or more ‘achieved’ IGPs unselected
  • leave all ‘not achieved’ IGPs unselected

Even if you have selected all ‘achieved’ IGP statements, you should still answer all ‘partially achieved’ statements accurately. This will help your reviewer to think about whether or not ‘partially achieved’ is appropriate if a contributing outcome needs to be downgraded from ‘achieved’.

There are instances in the CAF where ‘partially achieved’ statements are identical to ‘achieved’ statements. You should make the same selection for both statements.

Note: Where you have selected an ‘achieved’ IGP that exceeds the expectations of a similar ‘partially achieved’ IGP, you must also select the ‘partially achieved’ IGP. 

For example, if you select an ‘achieved’ IGP that says you ‘review a document regularly’, you must also select the ‘partially achieved’ statement that says you ‘review a document occasionally’. 

Not achieved status

Your contributing outcome status will be ‘not achieved’ if you select one or more ‘not achieved’ IGPs. 

Your contributing outcome status will also be ‘not achieved’ if you select neither all of the ‘achieved’ IGP statements nor all of the ‘partially achieved’ IGP statements.
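The status rules above are easy to misread, so the following is an added worked example that encodes them as a small calculator. It is illustrative code written for this page, not WebCAF’s own logic; the `IGP` class, the function names `contributing_outcome_status` and `inconsistent_twins`, and the sample statements are all constructed placeholders rather than real CAF wording. It also checks the rule that identical ‘achieved’ and ‘partially achieved’ statements must carry the same selection.

```python
"""Contributing outcome status calculator (added example, not WebCAF code).

Rules as described on this page:
  - any 'not achieved' IGP selected                     -> not achieved
  - all 'achieved' IGPs selected                        -> achieved
  - all 'partially achieved' IGPs selected and at least
    one 'achieved' IGP left unselected                  -> partially achieved
  - anything else                                       -> not achieved
An outcome with no 'partially achieved' IGPs can only be achieved or not.
"""
from dataclasses import dataclass

ACHIEVED = "achieved"
PARTIALLY = "partially achieved"
NOT_ACHIEVED = "not achieved"


@dataclass(frozen=True)
class IGP:
    ident: str      # constructed label for this example, e.g. "ach-1"
    category: str   # ACHIEVED, PARTIALLY or NOT_ACHIEVED
    text: str       # statement wording (constructed placeholder)


def contributing_outcome_status(igps, selected):
    """Return the status implied by the set of selected IGP identifiers."""
    selected = set(selected)
    by_cat = {ACHIEVED: set(), PARTIALLY: set(), NOT_ACHIEVED: set()}
    for igp in igps:
        by_cat[igp.category].add(igp.ident)
    unknown = selected - {i.ident for i in igps}
    if unknown:
        raise ValueError(f"selected IGPs not in this outcome: {sorted(unknown)}")

    if by_cat[NOT_ACHIEVED] & selected:          # any 'not achieved' ticked
        return NOT_ACHIEVED
    if by_cat[ACHIEVED] <= selected:             # every 'achieved' ticked
        return ACHIEVED
    if by_cat[PARTIALLY] and by_cat[PARTIALLY] <= selected:
        return PARTIALLY                         # every 'partially' ticked, some 'achieved' missing
    return NOT_ACHIEVED


def inconsistent_twins(igps, selected):
    """Pairs of word-for-word identical 'achieved'/'partially achieved'
    statements whose selections differ. The page says these must match.
    Only identical text is checked; 'regularly' vs 'occasionally' style
    pairs still need a human eye."""
    selected = set(selected)
    partial_by_text = {i.text: i for i in igps if i.category == PARTIALLY}
    problems = []
    for ach in (i for i in igps if i.category == ACHIEVED):
        twin = partial_by_text.get(ach.text)
        if twin and ((ach.ident in selected) != (twin.ident in selected)):
            problems.append((ach.ident, twin.ident))
    return problems


# Constructed sample outcome: ach-2 and par-2 share identical wording, as
# happens in places in the CAF. None of this is real CAF text.
SAMPLE_IGPS = [
    IGP("ach-1", ACHIEVED, "Policy is reviewed regularly."),
    IGP("ach-2", ACHIEVED, "Roles and responsibilities are documented."),
    IGP("par-1", PARTIALLY, "Policy is reviewed occasionally."),
    IGP("par-2", PARTIALLY, "Roles and responsibilities are documented."),
    IGP("na-1", NOT_ACHIEVED, "No policy exists."),
]


def demo():
    """Run a set of constructed selections through both checks."""
    cases = {
        "all achieved":        {"ach-1", "ach-2", "par-1", "par-2"},
        "partially achieved":  {"ach-2", "par-1", "par-2"},
        "partial incomplete":  {"ach-1", "par-1"},
        "not achieved ticked": {"ach-1", "ach-2", "par-1", "par-2", "na-1"},
        "inconsistent twins":  {"ach-1", "ach-2", "par-1"},
    }
    return {name: (contributing_outcome_status(SAMPLE_IGPS, sel),
                   inconsistent_twins(SAMPLE_IGPS, sel))
            for name, sel in cases.items()}


if __name__ == "__main__":
    for name, (status, twins) in demo().items():
        flag = f"  (mismatched twins: {twins})" if twins else ""
        print(f"{name:20} -> {status}{flag}")
```

The ‘inconsistent twins’ case is the one to watch for: the status comes out as ‘achieved’, but an identical ‘partially achieved’ statement was left unselected, which a reviewer will query at stage 4.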

When to add comments to an IGP

You only need to include comments with your IGP selection in some situations. 

For example, an ‘achieved’ or ‘partially achieved’ IGP statement may not be literally true of your system or organisation, but you believe this should not affect your overall contributing outcome status. If this is the case, you must still select the statement and add a comment explaining your reasons.

Your reasons could include:

  • you have alternative controls or exemptions in place
  • the wording of the IGP statement is not applicable to the system being assessed
  • compensating measures are in place which mitigate the risk the IGP statement addresses

Your comments will be considered by your reviewer during stage 4.

Examples of alternative controls or exemptions

IGPs are designed to be widely applicable and represent important examples of what should be considered in a self-assessment. But we recognise they may be different to the controls and practices that your organisation has in place.

For example, your organisation may not be able to apply multi-factor authentication (MFA) to legacy or operational technology. But you could be meeting the overall aims of the contributing outcome by using other compensating controls, such as:

  • physical access controls
  • security monitoring
  • network segmentation

The reasons you provide for using alternative controls or exemptions should be based on expert judgement and evidence. They must be specific to the assessment and the context and circumstances of your organisation. 

Contributing outcome status

When you complete your WebCAF self-assessment, the system will automatically calculate a status based on your IGP selections.

To get a contributing outcome status of ‘achieved’ or ‘partially achieved’, you must have selected all relevant IGP statements. This includes any IGPs you have selected and added comments about alternative controls or exemptions.

If you do not agree with the suggested contributing outcome status, you will be able to return to the IGP statements to review your responses. 

Writing a contributing outcome summary

You will need to write a summary of up to 1,500 words for every contributing outcome.

At stage 4, your reviewer will use the summary to understand how your IGP responses and evidence supports your contributing outcome status.

Make your summary clear and evidence-based. This will help your reviewer to confirm your compliance without needing to ask for clarification. It will also help them to make a decision if they are considering downgrading or upgrading your contributing outcome status.

In your contributing outcome summary, you should:

  1. Be specific to your organisational context.
  2. Confirm the processes and controls in place.
  3. Explain how processes and controls are managed and who is responsible.
  4. Explain how often your organisation reviews processes.
  5. Describe how key controls and processes support the contributing outcome. 
  6. Include references to your supporting evidence and explain how you implement these controls. 
  7. Make sure that you reference your responses to IGPs, including where you have commented on alternative controls or exemptions.  
  8. Include any gaps or limitations that your organisation faces with cyber security measures.

Note: It is important that you write a summary even if your status is ‘not achieved’. This will allow the reviewer to provide more targeted recommendations in their final report.

Completing your WebCAF self-assessment

After your scoping document has been signed off at the end of stage 2, the GovAssure team will add your systems into WebCAF.

They will also create an account for your organisation’s GovAssure lead in WebCAF. Your GDS cyber advisor or your Lead Government Department will let you know when this has been done. 

Session timeout on WebCAF

When you have logged into WebCAF to start your self-assessment, you will be timed out after 90 minutes of inactivity, for security reasons.

If you have already saved pages, these will be stored securely in WebCAF.

If you are timed out while working on a page, anything you have done on that page will not be stored and you will have to start it again.

Accessing WebCAF

You can give two types of users access to WebCAF from your organisation. These are: 

  • organisation lead who can add users, start new self-assessments, view and edit self-assessments, and submit self-assessments
  • organisation user who can view and edit draft self-assessments which have already been started

Your organisation lead will be able to access WebCAF and add further users once their account has been created by the GovAssure team. 

Starting a WebCAF self-assessment

When you start a new WebCAF self-assessment, you should: 

  1. Select the system from the list.
  2. Choose the Government CAF profile you have assigned to the system in your scoping document.
  3. Choose the review type you have agreed with your GDS cyber advisor or Lead Government Department.

Working through the contributing outcomes

As you work through each contributing outcome, you will need to select: 

  • each IGP statement that is true about your system or organisation
  • any additional IGP statements where you have alternative controls or exemptions in place and add your comments

When you have responded to the IGP statements, WebCAF will calculate a contributing outcome status. If you disagree with the status, you can go back and edit your IGP responses.

If you agree with the status, you can write your contributing outcome summary of up to 1,500 words. 

Note: Some ‘partially achieved’ IGP statements are identical to ‘achieved’ statements. These will be highlighted in WebCAF. You must make the same selection for both statements.

Submitting your WebCAF self-assessment

When you have completed all of the contributing outcomes, you will be able to:

  • view a summary of your status against each contributing outcome
  • see if you have met the target Government CAF profile for each contributing outcome
  • send your self-assessment for review
  • download a copy of your WebCAF self-assessment 

Next steps

When you have submitted your WebCAF self-assessment, your independent assessor or peer reviewer will be able to start the stage 4 review process.

