Stage 2: In-scope systems and assigning target CAF profile
Stage 2 of GovAssure focuses on the scoping of critical systems and assigning the appropriate Government CAF profile.
In stage 2 of GovAssure, organisations identify and document the critical systems and infrastructure that support their essential services, capturing this information in the scoping document. This allows the organisation to determine which systems to include in the scope of the assessment, and to assign the appropriate Government CAF profile to each one.
Stage 2 of GovAssure is divided into 2 parts:
- Part A: Identify and select the critical systems
- Part B: Document the systems and assign CAF profiles
Part A: Identify and select the critical systems
The organisation must capture the high-level details of all the systems that support each essential service. This should include:
- the system name
- the essential service(s) and function(s) it supports
- the core IT infrastructure that underpins the service, such as the network or third-party provider
- a breakdown of the system’s components if appropriate
Lenses 3 and 4 of the 5 lens model will help identify these systems and the supporting infrastructure. Also, organisations are likely to have existing documentation that can help to inform a high-level view of the network and underlying critical systems. Such documents include:
- network diagrams
- asset inventories
- data flow diagrams
- system architecture diagrams
With this information, the organisation should then select the systems to be included within the scope of the GovAssure assessment.
Organisations should prioritise and select a practical number of critical systems to take through the assessment. This could be a mix of operational, support, and analytic systems, and the organisation should seek agreement from service and system owners when deciding which ones to include.
Note: Systems that are not included in scope currently can be considered for inclusion in future assessments.
The final selection of in-scope systems will be agreed with the Government Security Group (GSG) before progressing to the CAF self-assessment in stage 3.
Note: Lens 5 – Sites/locations – focuses on identifying any sites that support the delivery of an essential service, such as physical data centres or hosted cloud providers. While these locations are not generally considered within scope for a GovAssure assessment, it is good practice to understand and document them during the scoping exercise.
Part B: Document the systems
The organisation must document the details of each of the in-scope critical systems in this part of the scoping document.
As well as the name and service(s) each critical system supports, as captured in part A of this stage, the organisation should document the following:
- a full description of the system, including why it has been considered within scope
- a breakdown of the system components, such as applications and infrastructure
- key dependencies required to deliver the system and its service(s)
- the system boundary – details of which other systems, suppliers, and organisations the system interacts with
- any system diagrams that support the other information captured
Note: while a system boundary that is too narrow may result in critical dependencies being excluded, an overly large system boundary can also cause problems. For example, it may overlap with other systems outside the organisation’s control, exposing the organisation to those systems’ risks without any control over them. It could also require disproportionate effort to assess those systems during stage 3.
Part B: Assign the Government CAF profile
Once the critical systems have been documented, the organisation should then determine which Government CAF profile to apply to each system.
Introduction to the CAF profiles
The CAF was designed to be sector-agnostic and as future-proof as possible as cyber risks continue to evolve, and the use of CAF profiles allows it to keep pace with evolving threats. A profile defines a target status for each contributing outcome (‘not achieved’, ‘achieved’, or for some contributing outcomes, ‘partly achieved’), serving as an expected baseline or a target achievement state to reach.
For the purposes of GovAssure, two Government CAF profiles have been developed and agreed by GSG, NCSC and the Central Digital and Data Office (CDDO) and are designed to meet the objective of the Government Cyber Strategy to make Government services resilient to known threats and vulnerabilities. These profiles are as follows:
Baseline
This profile will be the minimum baseline standard for all organisations. All organisations will need to be assessed against the Baseline profile. An attack on a system under the Baseline profile might be detected and remediated at a later point in the attack chain. The organisation may not have the capability to detect it independently but might be notified of it by a third party in the case of more sophisticated activity.
Enhanced
Systems and organisations that face a higher threat will need to consider using the Enhanced CAF profile. High threat drivers could include organisations hosting government CNI or PII datasets, those with a widely dispersed geography, and those performing national security functions. The Enhanced profile does not represent a higher classification tier or change the threat profile of official information. Above all, it does not assume that an official system can or should be entirely impenetrable to an advanced state adversary.
How to assign the CAF Government profiles and factors that may affect its application
Once the organisation has identified the critical systems in scope for GovAssure, it is responsible for determining and assigning the Baseline or Enhanced profile to each system, on a system-by-system basis.
Assigning CAF profiles to systems should be a collaborative exercise between the chief information security officer (CISO), the cyber security team, the system owners, and the GSG. During this exercise it is important to consider factors that may make each system a more attractive target, and to determine whether there is a particularly low tolerance to attacks impacting the system. GovAssure currently only applies to systems carrying a maximum classification of OFFICIAL information.
By default, and for most systems, the Baseline profile applies, but the Enhanced profile should be applied automatically to government CNI systems and wherever factors make the system a higher-threat target for attack. A small minority of organisations may consider their whole organisation to fall under the Enhanced profile by default, with some Baseline exceptions. Organisations may already have performed the CNI criticalities analysis.
The CAF profile should be determined in the first instance by the service and system owner, with reference to the GovAssure Scoping Document as follows:
- Review the context of the organisation itself, based on the information identified during the scoping exercise and included in the GovAssure Scoping Document (Stage 1 – Part A: Organisational Mission, Objectives and Priorities).
- Determine how significant the critical system is to the delivery of the overall mission.
- Consider whether the critical system has characteristics that differentiate it from other systems and may increase its threat profile, making it an even more attractive target for attackers (compared to critical systems that would typically fall under the Baseline profile).
- Consider the risk appetite around adversary activity in the system and how far your operations could tolerate it.
Deciding when to apply the Enhanced Profile
Given the diversity of systems within government, a guide has been produced which should not be considered exhaustive, but provides a roadmap for determining where the Enhanced profile may be appropriate. Examples of factors are given below.
Ultimately, the risk owner for the business output and the CISO (or equivalent role) should take a view on their risk tolerance to compromise in the system and whether it justifies the more comprehensive controls under the Enhanced profile.
Step 1. Use the scoping document to identify critical systems.
Step 2. Check whether your organisation has performed the CNI criticalities process.
Step 3a. If yes to step 2: all systems declared government CNI are in scope. Other systems reviewed under the process may still be candidates for the Enhanced profile and should be considered on their merits and dependencies in this process.
Step 3b. If no to step 2: the organisation should separately prioritise completing a criticalities process, and this should be flagged internally.
Step 4. Assign each system a target CAF profile, considering impact, intent and opportunity.
Step 5. Considerations:
Consideration 1. Risk owner tolerance
Where risk owners have a particularly low tolerance to activities impacting their systems. Examples:
- Loss of service creates risk to life, serious loss of public faith in government, serious economic risk, or impact to national security (system should be flagged with GSG for review with CNI team at this stage before progressing further).
- High availability requirements – the isolation of system or downtime would create serious risk through a lack of redundancy in process, or where backup data and services are a resilience measure of absolute last resort.
Consideration 2. Adversary intent
Where specific factors relating to the system make it a more attractive target for adversaries. Examples:
- The system contains highly desirable data which will justify more persistent attempts at access:
  - Large PII data sets, any data set with visible sensitive identity data (vulnerable or protected individuals)
  - Information relating to national security matters
  - High value or important sovereign intellectual property (for example S+T, defence, nuclear, finance, national economy)
- Intent is evidenced by previous attacks or identified persistent attempts to access (over and above e.g. routine external scanning).
Consideration 3. Heightened exposure threat
Where there is an opportunity for deliberate or opportunistic adversary activity, or where exposure increases the likelihood of harm through unintended consequences of wider activity. Examples:
- System has levels of exposure which make it harder to mitigate access opportunities
- Infrastructure operates in more permissive international geographic areas, particularly those where UK presence may be targeted
- Infrastructure has exposure through mixed physical access (for example, infrastructure in areas with public access, or a large publicly interactive threat surface which cannot be segregated from onward networked access to valuable or high-risk assets).
Step 6. The CISO (or equivalent) takes a view of all the systems in scope to determine any cases where the organisation may plan to assign the Enhanced profile.
Step 7. Discuss and agree the final profile allocation with GSG.
An internal consultation should take place between the service and system owners in the first instance. The justification for considering the Enhanced profile should be documented in the GovAssure Scoping Document. The CISO or equivalent should provide independent challenge on the overall critical system landscape, take a view across all the systems in scope, and confirm whether they agree with the proposed assignment of the Enhanced profile.
Where an organisation reaches this conclusion (excluding CNI systems), it should consult GSG to set out the factors leading to the decision. Any application will be based on the conditions of the specific system and the relevant level of threat.
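The steps above amount to a per-system decision with a recorded justification and a set of follow-up actions (flag to GSG, consult GSG, CISO review). The following Python model is an added illustration, not GovAssure tooling or any official template: it captures the Part A and Part B fields for each in-scope system, applies the Step 3 to Step 7 logic, and produces the entries that would populate Stage 2 – Part B. The field names, the justification strings and the three sample systems are all constructed for the example.

```python
"""Worked illustration of assigning a Government CAF profile per in-scope system (hypothetical model)."""
from dataclasses import dataclass, field

BASELINE = "Baseline"
ENHANCED = "Enhanced"


@dataclass
class CriticalSystem:
    """One scoping-document entry (Stage 2, Parts A and B). Field names are this example's own."""
    name: str
    essential_services: list
    in_scope_reason: str
    components: list = field(default_factory=list)
    dependencies: list = field(default_factory=list)
    boundary: list = field(default_factory=list)  # other systems, suppliers, organisations it interacts with
    declared_cni: bool = False                    # Step 3a: outcome of the CNI criticalities process
    # Consideration 1: risk owner tolerance
    loss_creates_severe_harm: bool = False        # risk to life, public faith, economy or national security
    high_availability_no_redundancy: bool = False
    # Consideration 2: adversary intent
    large_pii_dataset: bool = False
    national_security_information: bool = False
    sovereign_ip: bool = False
    evidenced_persistent_targeting: bool = False
    # Consideration 3: heightened exposure
    permissive_geography: bool = False
    mixed_physical_access: bool = False


# Each Enhanced-profile driver, paired with the justification text recorded in the scoping document.
ENHANCED_DRIVERS = [
    ("declared_cni", "Step 3a: declared government CNI, Enhanced applied automatically"),
    ("loss_creates_severe_harm", "Consideration 1: loss of service creates risk to life, public faith, the economy or national security"),
    ("high_availability_no_redundancy", "Consideration 1: high availability requirement with no process redundancy"),
    ("large_pii_dataset", "Consideration 2: large PII or sensitive identity data set"),
    ("national_security_information", "Consideration 2: information relating to national security"),
    ("sovereign_ip", "Consideration 2: high value sovereign intellectual property"),
    ("evidenced_persistent_targeting", "Consideration 2: intent evidenced by previous attacks or persistent access attempts"),
    ("permissive_geography", "Consideration 3: infrastructure in more permissive international geography"),
    ("mixed_physical_access", "Consideration 3: exposure through mixed or public physical access"),
]


def assess_profile(system):
    """Steps 4 and 5: return (profile, justification list, follow-up actions) for one system."""
    justification = [text for attr, text in ENHANCED_DRIVERS if getattr(system, attr)]
    profile = ENHANCED if justification else BASELINE
    actions = []
    if system.loss_creates_severe_harm:
        actions.append("Flag to GSG for review with the CNI team before progressing")
    if profile == ENHANCED and not system.declared_cni:
        actions.append("Consult GSG on the factors leading to the Enhanced assignment (Step 7)")
    return profile, justification, actions


def build_stage2_output(systems, criticalities_process_done):
    """Steps 1 to 7 across the shortlist: Part B entries plus organisation-level flags."""
    flags = []
    if not criticalities_process_done:
        flags.append("Step 3b: CNI criticalities process not performed; prioritise completing it and flag internally")
    entries = []
    for s in systems:
        profile, justification, actions = assess_profile(s)
        entries.append({
            "system": s.name, "services": s.essential_services, "in_scope_reason": s.in_scope_reason,
            "components": s.components, "dependencies": s.dependencies, "boundary": s.boundary,
            "target_profile": profile, "justification": justification, "actions": actions,
        })
    enhanced = [e["system"] for e in entries if e["target_profile"] == ENHANCED]
    if enhanced:
        flags.append("Step 6: CISO (or equivalent) to review proposed Enhanced assignments: " + ", ".join(enhanced))
    return {"entries": entries, "organisation_flags": flags}


# Constructed sample shortlist: hypothetical systems, not taken from any real organisation.
SAMPLE_SYSTEMS = [
    CriticalSystem(name="Payments Platform", essential_services=["Benefit payments"],
                   in_scope_reason="Directly delivers the payment service",
                   components=["Payment engine", "Claimant database"],
                   dependencies=["Identity service", "Bank gateway"],
                   boundary=["Identity service", "Third-party bank gateway"],
                   large_pii_dataset=True, loss_creates_severe_harm=True),
    CriticalSystem(name="Intranet Wiki", essential_services=["Staff guidance"],
                   in_scope_reason="Holds operational procedures used by service staff",
                   components=["Wiki application"], dependencies=["Corporate network"],
                   boundary=["Corporate network"]),
    CriticalSystem(name="Control Gateway", essential_services=["Border processing"],
                   in_scope_reason="Declared CNI by the criticalities process",
                   components=["Gateway servers"], dependencies=["Secure WAN"],
                   boundary=["Partner agency feed"], declared_cni=True),
]


if __name__ == "__main__":
    import json
    print(json.dumps(build_stage2_output(SAMPLE_SYSTEMS, criticalities_process_done=True), indent=2))
```

Running the block prints the three Part B entries: the payments platform is proposed as Enhanced on two drivers and carries both follow-up actions, the wiki stays at Baseline with no actions, and the declared-CNI gateway is Enhanced automatically without the separate GSG consultation the guidance reserves for non-CNI systems. The organisation-level flags reproduce Step 3b and Step 6 so that nothing in the decision trail is left implicit when the document goes to GSG.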
Documenting the results in the GovAssure Scoping Document
You should document the result in the GovAssure Scoping Document, Stage 2 – Part B.
Outcomes
As an organisation you have:
- Completed the GovAssure Scoping Document for the organisation – Stage 2 – Part A and Part B – and developed an in-depth view of critical systems, their components and dependencies.
- Allocated a target CAF profile for them to be assessed against as part of the Stage 3 CAF self-assessment.
- A clear articulation of the intended scope for GovAssure to discuss and agree with GSG.
- A clear articulation of the intended scope for the CAF self-assessment, so that you’re in a position to plan ahead for the independent assurance review and help to begin commercial engagement.
- The ability to articulate Lenses 3-5 of the Five Lens model (for your in-scope systems).
- An agreed methodology for understanding the relative importance/prioritisation of the critical systems you’ve shortlisted for scoping consideration.
- Agreement of the GovAssure Scoping Document by the GovAssure senior responsibility officer (SRO).
- Issued wider communications regarding GovAssure within the organisation to help drive support and engagement, particularly among system owners.
Output
Stage 2 of the scoping document should contain the details of all the critical systems within scope for the GovAssure assessment, and each system within scope should be assigned to the Baseline or Enhanced CAF profile.
The scoping document should now be complete, and the organisation can proceed to the CAF self-assessment (stage 3).