
Author: Government Security Guidance

Introduction to the Cyber Assessment Framework (CAF)

Why adopt the CAF?

The Cyber Assessment Framework is a high-level framework developed by the National Cyber Security Centre (NCSC), the UK’s technical authority on cyber security. It is an industry framework used by operators of essential services under the Network and Information Systems regulations, and more widely across the private sector, including Critical National Infrastructure (CNI) sectors. Adopting the CAF ensures that government assesses its cyber resilience in a way that is consistent with, and comparable to, other organisations that operate the UK’s essential services. It will also give much greater central visibility of cyber capability, risk and resilience than can be gathered currently, allowing better insights and targeted remediation activity where it is most needed.

What is the CAF?

NCSC’s CAF provides a systematic and comprehensive approach for assessing the extent to which the cyber risks to essential functions are being managed by the organisation responsible for them. The framework is made up of core components: ‘objectives’, ‘principles’, ‘contributing outcomes’ and ‘indicators of good practice’ (IGPs). The CAF is intended to be used both by the organisation itself (for self-assessment) and by the independent assessor during the assurance review.

The CAF explained

The CAF is structured around four overall security objectives and 14 cyber security principles or outcomes:

Objective A: Managing security risk – Appropriate organisational structures, policies and processes are in place to understand, assess and systematically manage security risks.

Principles

  • A1 Governance
  • A2 Risk management
  • A3 Asset management
  • A4 Supply chain

Objective B: Protecting against cyber attack – Proportionate security measures are in place to protect core government functions and critical systems from cyber attack.

Principles

  • B1 Services protection policies and processes
  • B2 Identity and access control
  • B3 Data security
  • B4 System security
  • B5 Resilient networks and systems
  • B6 Staff awareness

Objective C: Detecting cyber security events – Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect core government functions.

Principles

  • C1 Security monitoring
  • C2 Proactive security event discovery

Objective D: Minimising the impact of cyber security incidents – Appropriate organisational structures, policies and processes are in place to understand, assess and systematically manage security risks.

Principles

  • D1 Response and recovery planning
  • D2 Lessons learned

The objectives should be viewed as interdependent. For example, a strong cyber governance and risk foundation, together with an understanding of what needs to be secured (Objective A), is needed before measures to protect it can be implemented adequately (Objective B). The CAF should also drive continual security improvement: the detection of incidents and events feeds into lessons learned and the ongoing refinement of existing security measures.

Objectives A and D are generally considered “organisational” level objectives, so answers from one assessment can usually be re-used to cover multiple critical systems. We recognise, however, that in larger organisations this may not always hold and that individual systems may have different arrangements. For the most part, Objectives B and C are considered “system specific”, and each system is therefore assessed independently.

Contributing outcomes

Each of the four objectives and 14 outcomes is supported by a series of 39 contributing outcomes.

An outcome is a high-level security principle that contributes to GovAssure compliance.

For example, in NCSC’s CAF, Data Security and System Security are important outcomes of Objective B, being two of the elements that contribute to the objective of protecting against cyber attack.

A contributing outcome supports the achievement of security outcomes and represents specific requirements to mitigate cyber risks faced by government organisations.

As an example, the contributing outcome ‘understanding data’ contributes to the outcome ‘B3: Data security’.

Contributing outcomes can be assessed as ‘not achieved’, ‘achieved’, or for some contributing outcomes, ‘partly achieved’.

This means that organisations should assess their security posture and demonstrate that they are using appropriate and proportionate security measures in relation to the contributing outcomes. An organisation is not expected to receive an ‘achieved’ status for every outcome, as this would likely be disproportionate to the risks faced by an OFFICIAL system and would lead to an inefficient use of resources. This is where the specific ‘CAF Government Profiles’ apply, as described below.

Government CAF profiles

The CAF was designed to be sector-agnostic and as future-proof as possible. It was designed to support the principle of ‘profiles’, which define a target status for each contributing outcome (‘not achieved’, ‘achieved’, or for some contributing outcomes, ‘partly achieved’), serving as an expected baseline or a target state to reach.

For the purposes of GovAssure, two profiles have been developed and agreed by the Government Security Group (GSG), NCSC and the Central Digital and Data Office (CDDO). Please note that the two GovAssure CAF profiles are only available via signed-in access to security.gov.uk.

These were developed by modelling the most likely and most impactful attacks on government organisations against the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, and determining which indicators of good practice within the CAF outcomes would mitigate each attack. The CAF Government profiles are as follows:

  • Baseline profile: This profile will be the minimum baseline standard for all organisations. All organisations will need to be assessed against at least the Baseline profile. An attack on a system under the Baseline profile might be detected and remediated at a later point in the attack chain, and the organisation may not have the capability to detect it independently but might be notified of it by a third party in the case of more sophisticated activity.
  • Enhanced profile: Systems and organisations that face a higher threat will need to consider using the Enhanced CAF profile. High threat drivers could include hosting government CNI or Personally Identifiable Information (PII) datasets, operating across a widely dispersed geography, or performing national security functions. The Enhanced profile does not represent a higher classification tier and does not change the threat model of OFFICIAL information. Above all, it does not assume that an OFFICIAL system can or should be entirely impenetrable to an advanced state adversary.

Indicators of Good Practice (IGPs)

NCSC developed IGPs to help organisations assess their cyber security practices against the contributing outcomes. They are not intended to replace cyber security expertise and organisational knowledge, and are not designed to be used as a ‘tick-list’. They provide a good starting point for discussion, can help to ‘workshop’ conversations around achieving the overall contributing outcomes, and should be used in conjunction with NCSC and Government guidance.

The IGPs are not intended to be exhaustive, and organisations may implement additional good practice or compensating controls that still justify an “Achieved” or “Partially Achieved” assessment of the Contributing Outcome.

Where alternate good practice is implemented, this must be appropriately evidenced, and the assurance reviewers must consider this as part of their review.

Organisations will be required to demonstrate how they meet each Contributing Outcome and the stated IGPs by providing statements and evidence.

The GovAssure process will result in 39 individual self-assessed judgements on contributing outcomes reflecting the circumstances of the system and wider organisation.

Each outcome is associated with a set of IGPs, broken down into the following three categories. An explanation of how each category should be interpreted is given below, and it is recommended that they are worked through from top to bottom:

  1. Not achieved: The ‘not achieved’ column of an IGP table defines the typical characteristics of an organisation not achieving that outcome. It is intended that the presence of any one indicator would normally be sufficient to justify an assessment of ‘not achieved’ at the contributing outcome level.
  2. Partially achieved: When present, the ‘partially achieved’ column of an IGP table defines the typical characteristics of an organisation partially achieving that outcome. It is also important that the partial achievement is delivering specific worthwhile cyber security benefits. Assessing at ‘partially achieved’ should represent more than giving credit for doing something vaguely relevant.
  3. Achieved: The ‘achieved’ column of an IGP table defines the typical characteristics of an organisation fully achieving that outcome. It is intended that all the indicators would normally be present to support an assessment of ‘achieved’ at the contributing outcome level.
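The IGP-table rules above, and the profile comparison described under ‘Government CAF profiles’, amount to a small decision procedure. The following is an added worked example, not code from the guidance, NCSC or GovAssure, that encodes those rules for one contributing outcome and then reports where an assessed status falls below a profile target. The indicator IDs, table contents and target statuses are constructed for illustration; where the guidance is silent (how the ‘partially achieved’ column is satisfied, and what happens when a table has no such column and not all ‘achieved’ indicators are present), the example’s interpretation is marked as an assumption in the comments.

```python
from dataclasses import dataclass
from typing import Optional

NOT_ACHIEVED = "not achieved"
PARTIALLY_ACHIEVED = "partially achieved"
ACHIEVED = "achieved"
# Ordering used when comparing an assessed status against a profile target.
RANK = {NOT_ACHIEVED: 0, PARTIALLY_ACHIEVED: 1, ACHIEVED: 2}


@dataclass
class IgpTable:
    """One contributing outcome's IGP table: a list of indicator IDs per column."""
    outcome: str
    not_achieved: list
    achieved: list
    partially_achieved: Optional[list] = None  # None: the table has no such column


def assess(table: IgpTable, observed: set) -> str:
    """Work the IGP table top to bottom as the guidance describes.

    1. any single 'not achieved' indicator observed      -> 'not achieved'
    2. all 'achieved' indicators observed                -> 'achieved'
    3. column present and all its indicators observed    -> 'partially achieved'
       (assumption: the guidance does not say how many partial indicators are needed)
    4. otherwise                                         -> 'not achieved'
       (assumption: with no partial column only two statuses exist)
    """
    if any(ind in observed for ind in table.not_achieved):
        return NOT_ACHIEVED
    if all(ind in observed for ind in table.achieved):
        return ACHIEVED
    if table.partially_achieved is not None and all(
        ind in observed for ind in table.partially_achieved
    ):
        return PARTIALLY_ACHIEVED
    return NOT_ACHIEVED


def gaps_against_profile(assessed: dict, profile: dict) -> dict:
    """Return {outcome: (assessed, target)} for every outcome below its profile target."""
    return {
        outcome: (assessed.get(outcome, NOT_ACHIEVED), target)
        for outcome, target in profile.items()
        if RANK[assessed.get(outcome, NOT_ACHIEVED)] < RANK[target]
    }


# --- Constructed sample data: not taken from the CAF or the GovAssure profiles ---
DATA_TABLE = IgpTable(
    outcome="B3 understanding data",
    not_achieved=["NA1 no data inventory", "NA2 data flows unknown"],
    partially_achieved=["PA1 important data catalogued", "PA2 key data flows documented"],
    achieved=["A1 all data catalogued", "A2 all data flows documented",
              "A3 catalogue reviewed regularly"],
)
# A table whose IGPs have no 'partially achieved' column.
LESSONS_TABLE = IgpTable(
    outcome="D2 lessons learned",
    not_achieved=["NA1 no post-incident review"],
    achieved=["A1 root causes identified", "A2 improvements tracked to closure"],
)
# Constructed target statuses standing in for a profile (the real profiles are on security.gov.uk).
SAMPLE_PROFILE = {"B3 understanding data": ACHIEVED, "D2 lessons learned": ACHIEVED}


def run_sample() -> dict:
    """Assess both constructed tables against constructed evidence and report the gaps."""
    observed = {
        "B3 understanding data": {"PA1 important data catalogued",
                                  "PA2 key data flows documented",
                                  "A1 all data catalogued"},
        "D2 lessons learned": {"A1 root causes identified",
                               "A2 improvements tracked to closure"},
    }
    assessed = {t.outcome: assess(t, observed[t.outcome]) for t in (DATA_TABLE, LESSONS_TABLE)}
    return gaps_against_profile(assessed, SAMPLE_PROFILE)


if __name__ == "__main__":
    for outcome, (got, target) in run_sample().items():
        print(f"{outcome}: assessed '{got}', profile target '{target}'")
```

Running the sample reports only ‘B3 understanding data’ as a gap: the evidence satisfies the whole ‘partially achieved’ column but only one of three ‘achieved’ indicators, so the outcome is assessed ‘partially achieved’ against an ‘achieved’ target, while ‘D2 lessons learned’ meets all its ‘achieved’ indicators. The same `gaps_against_profile` call can be run a second time with the Enhanced targets to see which outcomes would move from met to unmet under the higher profile.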
