Stage 3: Self-assessment
In stage 3 of GovAssure organisations complete a self-assessment for each critical system on WebCAF.
Stage 3 – CAF self-assessment
Once stages 1 and 2 of the GovAssure assessment are complete and the scoping document is signed off, the organisation can proceed to assess each of the in-scope systems against the assigned government CAF profiles.
Note: It is important to prepare for Stage 4 by ensuring the required independent assurance or peer reviewer will be in place. This means that the review can begin as soon as Stage 3 is complete.
To complete a self-assessment, the organisation must use the WebCAF tool.
Organisations are not expected to assess every contributing outcome for every system in scope as “Achieved”. The target level of achievement is set by the CAF profile assigned to each system, and the individuals completing the WebCAF should be made aware of this as part of their briefing.
The CAF is also intended to be flexible: if an indicator of good practice (IGP) is not met, the organisation can show how alternative controls or methods meet the contributing outcome. Alternatively, an organisation can decide that certain IGPs do not apply to it because they are unnecessary or disproportionate. Such decisions should be recorded in the self-assessment so that they can be reviewed by the independent assurance reviewer (or peer reviewer) in Stage 4.
Note: a contributing outcome can only be assessed as “Partially Achieved” if “Partially Achieved” IGPs are present and are being met. “Partially Achieved” does not mean that a subset of the “Achieved” IGPs has been met.
Finally, before commencing the self-assessment, the organisation should ensure that it has identified important stakeholders and communicated the GovAssure process and expectations to them.
Selecting people to take part in the assessment
The organisation must select individuals who have the required knowledge to complete the WebCAF, and then record their details in the GovAssure RASCI template.
These individuals will usually be owners of the in-scope systems and members of cyber security teams, but sometimes it may be appropriate to include other colleagues. For example, if an organisation has an overarching governance structure those responsible for it could complete Objectives A and D for the organisation as a whole.
The organisation must train and support these individuals so that they can:
- provide accurate and honest statements in support of the contributing outcomes
- keep within the parameters agreed in the scoping document
- show how each system meets the requirements of its assigned CAF profile (Baseline or Enhanced)
- assess the wider organisational security arrangements
- support the assessment with appropriate evidence
- take full responsibility for the accuracy of the information submitted, ensuring that it is checked and signed off appropriately
Collecting evidence
A key part of the self-assessment is the collection of existing supporting evidence. Note that evidence should not be created specifically to support the assessment.
Evidence can include, but not be limited to:
- the cyber strategy, policies, and procedures
- other supporting strategies
- security initiatives and improvement plans
- meeting minutes
- governance reporting and risk management arrangements
- roles and responsibilities
- recent examples of cyber security assessment or assurance activities
- asset inventories
- network and in-scope system architecture diagrams
The GovAssure team has developed a set of examples of the types of evidence for indicators of good practice across the target Baseline and Enhanced profiles, and these examples are available on WebCAF.
The organisation must create a suitably secure repository for the evidence, as evidence cannot be submitted through or stored on WebCAF. The repository should be structured to align with the CAF, and the evidence should be comprehensively cross-referenced via hyperlinks from the relevant IGP statements and outcomes in WebCAF. This repository will be made available to the reviewer during Stage 4.
Gathering evidence from pre-existing frameworks
The CAF is consistent with a number of commonly used cyber security frameworks that are used to manage risk, structures, and processes. The GSG has created a CAF mapping document guide to help organisations that use one or more of these frameworks to find evidence that supports their GovAssure self-assessment. Note that this does not directly map the CAF to these frameworks; rather, the guidance should be used as a suggestion of where to look for evidence.
The frameworks included in the guidance are:
- NIST SP 800-53 Rev.4
- CIS CSC
- COBIT 5
- ISA 62443-2-1: 2009
- ISA 62443-3-3: 2013
- ISO/IEC 27001: 2013
6 suggestions for conducting the self-assessment
These suggestions are to help the people responsible for completing a self-assessment ensure the process runs smoothly and successfully.
1. Share information appropriately
When completing the scoping document, it is important to ensure that the information it contains is gathered and shared appropriately. The details of each system within scope should be shared with everyone involved in completing the self-assessment for that specific system. However, for reasons of confidentiality or security, it may not be appropriate to share some or all the details of a specific system with the owners of other systems.
Therefore, the people responsible for the scoping document may have to gather system information separately and populate the document themselves, rather than by sharing it with all system owners and allowing them to enter the details of their systems.
2. Appoint a WebCAF lead
We recommend appointing an individual to take responsibility for controlling access and permissions for the people who will use WebCAF for the self-assessment.
3. Run workshops for contributors
The organisation cyber team should run workshops to prepare for the self-assessment. These workshops should cover:
- an introduction to the CAF, so that the contributors and stakeholders develop a good understanding of the CAF's structure and how it should be interpreted
- a delivery plan for self-assessment, with a schedule that includes checkpoints to monitor progress and support for the timing of the independent assurance review
- an initial view of what responses might look like at the level of the contributing outcomes, and how they will be provided – by system owners, the cyber security team, or at an enterprise level
- considering the target CAF profile for each system in scope, to understand what is required for each contributing outcome and to avoid expending effort where it is not required – for example, Principle A4 (Supply Chain) only requires a “Partially achieved” result for systems assigned to the Baseline profile
- identifying the individuals who hold the information required to prove that indicators of good practice (IGPs) are met for a system – note that this information may be held by someone other than the system owner
4. Assign WebCAF roles
WebCAF supports many roles and responsibilities to allow for joint working, and has customisable permissions – such as “edit” or “read only” – to restrict access to individual system assessments as required.
There are three categories of user profiles:
- Organisation level – can access the full view of the organisation, including all systems and their related assessments (lead/user/viewer)
- System level – can only access the systems and related system assessments to which they are granted access (user/viewer)
- Assessors – independent assurance reviewers, who can access only the assessments to which the organisation grants them access
5. Hold checkpoint meetings
When setting the self-assessment timeline, organisations should schedule regular checkpoint meetings for the people involved to monitor progress.
These checkpoints will help ensure that the self-assessment remains on track, and will also provide an opportunity to review the quality of the responses and evidence being gathered. Any issues can therefore be identified and resolved in good time before submission and the independent review in stage 4.
For example, organisations should begin their self-assessment by completing objective A first, and then informing the GSG when it is complete. The GSG will then perform a high-level review of the work done and give feedback that might be helpful for completing the rest of the self-assessment. This feedback could be shared with the necessary stakeholders during an internal checkpoint meeting.
6. Sign-off and submission of the self-assessment
The organisation should have a documented and agreed internal process for signing off and submitting the self-assessment, including appropriate senior oversight and quality assurance. As a minimum, sign-off and submission of the final self-assessment should be agreed between the GovAssure lead and the senior responsible officer (SRO).
Using WebCAF for the self-assessment
WebCAF is a bespoke platform for organisations to submit their Cyber Assessment Framework (CAF) responses during the GovAssure process, and for the appointed assessors to review these responses.
Note: The wording used to describe the indicators of good practice (IGPs) in WebCAF may differ slightly from those in the original NCSC CAF, but they should be considered identical.
WebCAF user roles
WebCAF supports a number of different roles and responsibilities to allow for collaborative working. It is possible to customise individual roles to restrict access to specific system assessments, and also to specify ‘edit’ and ‘read only’ permissions. Organisations using WebCAF must nominate an organisation lead to take responsibility for configuring access rights and permissions.
Conducting a WebCAF self-assessment
To conduct an assessment, users must log into WebCAF and work through the objectives for each system they are responsible for. The WebCAF dashboard displays the assessments and systems that each user has access to.
At a high level, a typical process for entering system information is as follows:
- Log into WebCAF. The WebCAF dashboard is displayed.
- Under Assessments, click View assessments. The Assessment page is displayed.
- Click the name of the required system to see its details and objectives. Tip: Use the display filters to help locate the system if required.
- Scroll down to the Objectives section, then click to expand the required objective. The principles for the objective are displayed in a table, with rows for each contributing outcome.
- Click the name of a contributing outcome. The details page for the outcome is displayed.
- Complete the fields as required with the information gathered using the evidence collation template.
- Where required, add references to supporting evidence for each IGP using the View, add or remove links to supporting evidence drop-down option. Note: some principles have additional mandatory questions, which are used to gather additional data on cross-government cyber security needs.
- When the fields are complete, click Save and go to… at the bottom of the page to proceed to the next contributing outcome. Tip: alternatively, users may save progress and return to complete the details later by clicking Save and go to summary.
For each individual IGP statement, organisations must:
- indicate whether the statement applies by selecting ‘Not applicable,’ ‘Yes’, or ‘No’
- provide a supporting narrative within the Organisation comments box at the IGP grouping level
- justify ‘Not applicable’ responses – for example, explain that the process does not apply to the system, or that a different control is in place
Note: some Achieved and Partially achieved IGP statements have identical wording to each other. For example, B3.a.1 and B3.a.10 both state “You have identified and catalogued all the data important to the operation of the essential function, or that would assist an attacker.” In these cases, the organisation must record the same response to both IGP statements.
Interpreting the IGP answers summary in WebCAF
Each contributing outcome contains a table that provides a summary view of all the answers given against each IGP for that outcome. Take as an example the summary for contributing outcome B3.a Understanding data (Principle B3 Data security).
This gives a result of “Partially achieved” for this contributing outcome, for the following reasons:
- 2 of the 9 “Achieved” IGP statements available for this contributing outcome are marked “Yes”, while 7 are marked as “No” – meaning that the criteria for achieving an overall “Achieved” status are not fully met
- All 6 of the “Partially Achieved” IGP statements available for this contributing outcome are marked “Yes” – meaning that all 6 describe the organisation or system accurately
- None of the “Not achieved” IGP statements are marked “Yes” – if one had been, the outcome status would be “Not achieved”
Supplementary questions
On WebCAF there are additional supplementary questions relating to the following contributing outcomes:
- A3.a, B2.a, B2.c, B2.d, B3.b, B3.d, B4.d, C1.a, C1.d, D1.a and D1.c.
These questions are not part of the CAF. They are required only for the GovAssure self-assessment, to provide additional context to your answers in a structured data format. The GovAssure supplementary questions are reviewed annually.
Components of the CAF
The NCSC’s Cyber Assessment Framework (CAF) comprises 14 cyber security and resilience principles, which are grouped under 4 objectives. The objectives are:
- Managing Security Risk
- Protecting against cyber attack
- Detecting cyber security events
- Minimising the impact of cyber security incidents
These are supported by 39 contributing outcomes, each of which represents a specific requirement to mitigate the cyber risks faced by government organisations.
Contributing outcomes can be marked as “achieved”, “partially achieved”, or “not achieved”, depending on how well they meet their indicators of good practice (IGPs). These are statements that are used to assess whether the system under test meets the requirements of a contributing outcome. IGPs can be marked as “Yes”, “No”, or “Not assessed”.
Objectives and principles
The CAF objectives are interdependent in nature; for example, a strong cyber governance and understanding of what to secure (objective A) is required to implement protective measures (objective B).
Objectives A and D are considered to be more focused on the organisation and can help set its strategic direction for security, while objectives B and C are considered to be system specific. However, note that all the systems within scope should be assessed against all principles. Within a large and complex organisation, this may vary between departments and systems.
Indicators of good practice
The IGPs are designed to provide a good starting point for workshop discussions on achieving the contributing outcomes, in conjunction with other NCSC and government guidance.
They are not intended to be exhaustive, nor are they the only way to determine whether a contributing outcome has been fully or partially achieved. For example, an organisation may have implemented sufficient good practices or compensating controls not covered by the IGPs. If this is the case, the person completing the relevant part of WebCAF should record this information in the comments, and ensure evidence is provided.
Example
The following example shows how the components of the CAF are presented within WebCAF:
- Objective B: Protecting against cyber-attack contains principle B3: Data Security.
- Principle B3 has a contributing outcome called B3.c: Stored Data.
- Contributing outcome B3.c contains 5 IGP groups.
In WebCAF, the IGPs for each contributing outcome are collected in groups that logically belong together. That is, the IGP statements are arranged to show more clearly whether a specific outcome has been achieved, partially achieved, or not achieved.
In contributing outcome B3.c, IGP group 1 contains the following IGP statements:
- IGP B3.c.1: You have only necessary copies of this data. Where data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy. This IGP is part of the Achieved set.
- IGP B3.c.6: All copies of data important to the operation of your essential function are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy. This IGP is part of the Partially Achieved set.
- IGP B3.c.10: You have no, or limited, knowledge of where data important to the operation of the essential function is stored. This IGP is part of the Not Achieved set.
For the contributing outcome B3.c to be marked “Achieved”, the person responsible for completing this section of the assessment would have to record answers of “Yes” for IGP B3.c.1 and c.6, and “No” for c.10.
Note: the answers for the other IGP groupings would also be taken into account for the mark assigned to B3.c.
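The B3.a summary above and the B3.c example show the same rule from two sides: a “Yes” against any Not achieved statement forces “Not achieved”; otherwise the outcome is “Achieved” when every Achieved and Partially achieved statement is met, “Partially achieved” when Partially achieved statements are present and all of them are met, and “Not achieved” otherwise. The following Python is an added example, not WebCAF or GovAssure code, that encodes that rule and the two consistency checks the page asks for (identically worded statements must get the same answer; “Not applicable” must be justified). The treatment of “Not applicable” answers (excluded from the set they belong to, but requiring a justification) is an assumption. The sample IGP data is constructed from the statements quoted on this page; for the B3.a summary the statement wording is placeholder text and the number of Not achieved statements is assumed.

```python
from dataclasses import dataclass

ACHIEVED = "Achieved"
PARTIAL = "Partially achieved"
NOT_ACHIEVED = "Not achieved"
ANSWERS = ("Yes", "No", "Not applicable")


@dataclass
class IGP:
    ref: str            # WebCAF reference, e.g. "B3.c.1"
    igp_set: str        # set the statement belongs to: ACHIEVED, PARTIAL or NOT_ACHIEVED
    statement: str
    answer: str         # one of ANSWERS
    justification: str = ""   # mandatory for "Not applicable"


def validate(igps):
    """Problems that must be fixed before the outcome can be scored."""
    problems = []
    by_wording = {}
    for igp in igps:
        if igp.answer not in ANSWERS:
            problems.append(f"{igp.ref}: answer must be one of {ANSWERS}")
        if igp.answer == "Not applicable" and not igp.justification.strip():
            problems.append(f"{igp.ref}: 'Not applicable' needs a justification")
        by_wording.setdefault(" ".join(igp.statement.split()).lower(), []).append(igp)
    # Identically worded statements (e.g. B3.a.1 and B3.a.10) must carry the same answer.
    for same in by_wording.values():
        if len({i.answer for i in same}) > 1:
            refs = ", ".join(i.ref for i in same)
            problems.append(f"{refs}: identical wording but different answers")
    return problems


def _all_yes(igps, igp_set):
    """True when every answered statement in the set is "Yes".
    Assumption: a justified "Not applicable" statement neither helps nor blocks."""
    answered = [i for i in igps if i.igp_set == igp_set and i.answer != "Not applicable"]
    return all(i.answer == "Yes" for i in answered)


def outcome_status(igps):
    """Status of one contributing outcome from the answers to all of its IGP groups."""
    problems = validate(igps)
    if problems:
        raise ValueError("; ".join(problems))
    # A "Yes" against any Not achieved statement makes the whole outcome Not achieved.
    if any(i.igp_set == NOT_ACHIEVED and i.answer == "Yes" for i in igps):
        return NOT_ACHIEVED
    # Achieved: every Achieved statement (and every Partially achieved one) is met.
    if _all_yes(igps, ACHIEVED) and _all_yes(igps, PARTIAL):
        return ACHIEVED
    # Partially achieved: Partially achieved statements exist and all of them are met.
    met_partial = any(i.igp_set == PARTIAL and i.answer == "Yes" for i in igps)
    if met_partial and _all_yes(igps, PARTIAL):
        return PARTIAL
    return NOT_ACHIEVED


def needs_narrative(igps):
    """Unmet Achieved / Partially achieved statements: the organisation must explain
    the alternative control that meets the outcome, or why the IGP does not apply."""
    return [i.ref for i in igps if i.igp_set != NOT_ACHIEVED and i.answer != "Yes"]


# Constructed sample: B3.c IGP group 1 answered as in the page's "Achieved" example.
B3C_GROUP1 = [
    IGP("B3.c.1", ACHIEVED, "You have only necessary copies of this data. Where data is "
        "transferred to less secure systems, the data is provided with limited detail "
        "and / or as a read-only copy.", "Yes"),
    IGP("B3.c.6", PARTIAL, "All copies of data important to the operation of your essential "
        "function are necessary. Where this important data is transferred to less secure "
        "systems, the data is provided with limited detail and / or as a read-only copy.", "Yes"),
    IGP("B3.c.10", NOT_ACHIEVED, "You have no, or limited, knowledge of where data important "
        "to the operation of the essential function is stored.", "No"),
]


def b3a_summary_igps():
    """Constructed answers mirroring the page's B3.a summary: 2 of 9 Achieved "Yes",
    all 6 Partially achieved "Yes", no Not achieved "Yes". Wording is placeholder text
    and the number of Not achieved statements (2) is assumed."""
    igps = [IGP(f"B3.a.{n}", ACHIEVED, f"achieved statement {n}", "Yes" if n <= 2 else "No")
            for n in range(1, 10)]
    igps += [IGP(f"B3.a.{n}", PARTIAL, f"partially achieved statement {n}", "Yes")
             for n in range(10, 16)]
    igps += [IGP(f"B3.a.{n}", NOT_ACHIEVED, f"not achieved statement {n}", "No")
             for n in range(16, 18)]
    return igps


def duplicate_wording_problems():
    """B3.a.1 and B3.a.10 share their wording, so answering them differently is rejected."""
    text = ("You have identified and catalogued all the data important to the operation "
            "of the essential function, or that would assist an attacker.")
    return validate([IGP("B3.a.1", ACHIEVED, text, "Yes"), IGP("B3.a.10", PARTIAL, text, "No")])


if __name__ == "__main__":
    print("B3.c group 1:", outcome_status(B3C_GROUP1))          # Achieved
    print("B3.a summary:", outcome_status(b3a_summary_igps()))  # Partially achieved
    print("explain:", needs_narrative(b3a_summary_igps()))
    print("problems:", duplicate_wording_problems())
```

Running the module scores the B3.c group as “Achieved” and the B3.a summary as “Partially achieved”, lists the seven unmet B3.a Achieved statements that need a narrative in the Organisation comments box, and reports the B3.a.1 / B3.a.10 answer mismatch as a problem to fix before submission.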
Output
At the end of Stage 3 the WebCAF tool should show how each system within scope has been assessed against the appropriate CAF profile. Where a system has not met an IGP, the organisation should explain either the alternative method in which the contributing outcome is met, or why the IGP does not apply in this instance.
There should also be an appropriately structured and secured repository of supporting evidence, cross-referenced from the completed WebCAF assessment.
Once the organisation and the GSG agree these conditions are met, the organisation can export their self-assessment from WebCAF and then proceed to Stage 4.
Note: some organisations may choose to run stages 3 and 4 in parallel. However, stage 4 cannot be completed until the WebCAF responses and the evidence repository have been signed off by the organisation and the self-assessment has been submitted on WebCAF.
Further information
The NCSC’s introduction to the Cyber Assessment Framework