What is the CAF?
The Cyber Assessment Framework (CAF) is a systematic and comprehensive methodology developed by the UK's National Cyber Security Centre (NCSC) for assessing the extent to which cyber risks to essential functions are being managed by organisations. It provides a structured approach to evaluating cyber resilience through a collection of security principles, contributing outcomes, and indicators of good practice.
Rather than prescribing specific technical controls, the CAF looks at what good security actually achieves. This means your organisation can choose security measures that make sense for your specific situation and the risks you face.
Origins and Purpose
The NCSC originally developed the CAF in 2018 to support the UK's implementation of the European Union's Network and Information Systems (NIS) Directive, which aimed to improve the security of network and information systems across the EU. The framework was designed to help regulators (called Competent Authorities) assess whether operators of essential services were meeting their obligations under the NIS regulations.
Since then, the CAF has evolved beyond its regulatory origins to become widely adopted as a general-purpose tool for cyber resilience assessment across various sectors, including critical national infrastructure, government departments, and organisations managing cyber-related risks to public safety.
Common Misconceptions About the CAF
Before delving deeper into the CAF, it is important to address some common misconceptions:
- The CAF is not a tick-box exercise: While the CAF includes detailed indicators of good practice, it's designed to promote outcome-focused security rather than compliance-driven approaches. The NCSC explicitly discourages treating it as a simple checklist.
- The CAF is not one-size-fits-all: Through the use of profiles, the CAF recognises that different organisations face different threats and have different risk appetites.
- Achieving all outcomes at the highest level is not the goal: The CAF promotes proportionality - implementing security measures appropriate to your organisation's risk profile rather than pursuing the highest rating across all outcomes regardless of context.
- The CAF does not replace expert judgement: The framework supports but does not substitute for cyber security expertise and contextual understanding of an organisation's environment.

An overview of the CAF's four main objectives.
The CAF Explained
The Cyber Assessment Framework is structured around four interconnected security objectives, each supported by specific principles that define good cyber security outcomes. This architecture allows organisations to systematically evaluate and improve their cyber resilience across all critical aspects of security.
The four objectives provide a comprehensive view of cyber security:
- Objective A: Establishes the foundations through risk management and governance
- Objective B: Focuses on implementing protective measures
- Objective C: Ensures threats are detected
- Objective D: Addresses incident response capabilities
These objectives are interdependent and work together as a cohesive system rather than as isolated components. For example, robust governance and risk management processes (Objective A) are a prerequisite for effectively implementing protective measures (Objective B).
From an assessment perspective, Objectives A and D typically operate at an organisational level, meaning that assessments of these areas often apply across multiple systems. In contrast, Objectives B and C are generally system-specific, requiring separate assessments for each critical system.
Contributing Outcomes
Contributing outcomes form the essential building blocks of the Cyber Assessment Framework, serving as the practical benchmarks against which an organisation's cyber security posture is evaluated. The CAF comprises thirty-nine contributing outcomes distributed across the four main objectives and fourteen principles, providing a comprehensive assessment structure.
Each contributing outcome represents a specific security requirement that, when fulfilled, helps an organisation achieve the broader security principle it supports. For instance, within the 'B3: Data Security' principle, the contributing outcome of 'understanding data' focuses on an organisation's knowledge of what data it holds, where it resides, and its sensitivity.
Indicators of Good Practice (IGPs)
Indicators of Good Practice (IGPs) represent the most granular level of the Cyber Assessment Framework, providing detailed examples of what good security practices look like for each contributing outcome. These indicators serve as practical benchmarks that help organisations understand what is required to meet a particular security outcome.
For each contributing outcome, the IGPs are organised into three distinct categories:
- Not Achieved: Indicators that describe security practices or conditions demonstrating failure to meet the outcome.
- Partially Achieved: Indicators representing security measures that deliver genuine security benefits but fall short of full implementation.
- Achieved: Indicators describing the comprehensive implementation of security measures that fully satisfy the contributing outcome.
Through the GovAssure process, organisations are required to make thirty-nine individual self-assessed judgements against contributing outcomes, providing statements and evidence to support their judgements.

The CAF assessment evaluates security across 39 contributing outcomes. The table shows the contributing outcomes (COs) of Objective B.
CAF Profiles
CAF Profiles represent a tailored approach to implementing the Cyber Assessment Framework, recognising that organisations face different threat levels and operate within distinct risk contexts. These profiles define specific target states for each contributing outcome, establishing clear expectations for what constitutes appropriate security for a particular organisation or system.
For government organisations under the GovAssure programme, two distinct profiles have been established:
- The Baseline Profile: Establishes the minimum security standard expected for all government organisations. It represents a foundational level of cyber resilience suitable for systems facing standard threat levels.
- The Enhanced Profile: Designed for systems and organisations facing elevated threat levels. This includes entities responsible for Critical National Infrastructure (CNI), those handling significant volumes of Personally Identifiable Information (PII), organisations with geographically distributed operations, and those with national security functions.
These profiles were developed using a threat-informed approach, analysing likely attack vectors against government organisations through the lens of the MITRE ATT&CK framework and identifying the specific indicators of good practice that would most effectively mitigate these attacks.
The Assessment Process
Understanding how CAF assessments are conducted is vital for organisations preparing to implement the framework. Assessments can take two primary forms:
- Self-assessment: Organisations evaluate their own security posture against the CAF. This approach allows for internal reflection and ongoing improvement but may lack the objectivity of external review.
- Independent assessment: Conducted either by regulators/competent authorities or qualified third parties through the Cyber Resilience Audit scheme. These provide greater assurance of objectivity.
The NCSC intends the principles and guidance to be used in the following way by organisations performing essential functions:
- Understand the principles and why they are important.
- Interpret the principles for the organisation.
- Compare the outcomes described in the principles to the organisation's current practices using the guidance.
- Identify shortcomings and understand the seriousness of shortcomings using organisational context and prioritise them.
- Implement remediation by addressing prioritised issues using the guidance.
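The profile targets described above and the compare-identify-prioritise steps of the assessment process can be modelled in a few lines. The following Python is an added illustration, not code from the page or from CNIC's platform: each contributing outcome is judged on the three IGP bands, a profile fixes a target band per outcome, and shortcomings are listed in an assumed priority order (largest shortfall first, Objective A ahead of the others because governance is a prerequisite). The CO references, profile targets and self-assessment are constructed; only 'B3: Data Security / understanding data' comes from the page.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal judgement for one contributing outcome (CO): the three IGP bands."""
    NOT_ACHIEVED = 0
    PARTIALLY_ACHIEVED = 1
    ACHIEVED = 2


@dataclass(frozen=True)
class Gap:
    ref: str        # CO reference; its first letter is the objective (A-D)
    current: Level  # self-assessed judgement
    target: Level   # level the profile expects

    @property
    def shortfall(self) -> int:
        return int(self.target) - int(self.current)


# Constructed CO references and profile targets (illustrative, not the real GovAssure profiles).
# Only "B3: Data Security / understanding data" is named on the page; it is modelled as "B3.a".
BASELINE = {"A1.a": Level.ACHIEVED, "A2.a": Level.PARTIALLY_ACHIEVED,
            "B3.a": Level.PARTIALLY_ACHIEVED, "B4.a": Level.PARTIALLY_ACHIEVED,
            "C1.a": Level.PARTIALLY_ACHIEVED, "D1.a": Level.PARTIALLY_ACHIEVED}
ENHANCED = {ref: Level.ACHIEVED for ref in BASELINE}

# Constructed self-assessment; note that D1.a has not been judged at all.
SAMPLE = {"A1.a": Level.PARTIALLY_ACHIEVED, "A2.a": Level.ACHIEVED,
          "B3.a": Level.NOT_ACHIEVED, "B4.a": Level.PARTIALLY_ACHIEVED,
          "C1.a": Level.PARTIALLY_ACHIEVED}


def gap_analysis(assessment: dict[str, Level], profile: dict[str, Level]) -> list[Gap]:
    """COs below their profile target, most urgent first.

    A CO absent from the self-assessment counts as NOT_ACHIEVED (no evidence, no credit).
    Ordering is an assumed heuristic: largest shortfall first, then Objective A ahead of
    the others because governance outcomes are prerequisites, then by reference.
    """
    gaps = [Gap(ref, assessment.get(ref, Level.NOT_ACHIEVED), target)
            for ref, target in profile.items()]
    return sorted((g for g in gaps if g.shortfall > 0),
                  key=lambda g: (-g.shortfall, g.ref[0] != "A", g.ref))


def coverage(assessment: dict[str, Level], profile: dict[str, Level]) -> tuple[int, int]:
    """(COs meeting their target, COs in the profile), a simple progress figure."""
    met = sum(assessment.get(r, Level.NOT_ACHIEVED) >= t for r, t in profile.items())
    return met, len(profile)
```

Running `gap_analysis(SAMPLE, ENHANCED)` shows how the same self-assessment produces a longer and differently ordered remediation list once the stricter profile applies.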
Sector-Specific Applications
While the CAF was designed to be sector-agnostic, different sectors have adapted the framework to address their specific challenges and regulatory requirements. Notable examples include:
- Civil Aviation Authority (CAA): The CAA has developed the CAF for Aviation, which maintains the core structure of the CAF while incorporating aviation-specific requirements and examples.
- Energy Sector (Ofgem): Ofgem has extended the framework by introducing a new Objective E that addresses physical security and non-malicious hazards, recognising the critical nature of energy infrastructure and the interdependence between cyber and physical security. More details can be found in the NIS Supplementary Guidance and CAF Overlay for the Energy Sector.
- Local Government: The Department for Levelling Up, Housing and Communities (DLUHC) continues to refine the Local Government Cyber Assessment Framework (LGCAF), ensuring it effectively addresses the specific cyber security challenges faced by councils.
These sector-specific adaptations demonstrate the CAF's flexibility while maintaining consistency in approach across critical national infrastructure and essential services.

The Cyber Assessment Framework (CAF) for Aviation is the CAA's scalable, proportionate oversight tool.
Cyber Resilience Audit Scheme
The Cyber Resilience Audit (CRA) scheme represents a significant enhancement to the Cyber Assessment Framework ecosystem, providing organisations with access to independent, expert validation of their cyber security posture. Also developed by the NCSC, this scheme offers a structured approach to conducting external CAF-based assessments through a network of assured commercial suppliers.
While self-assessment using the CAF provides valuable insights, independent audits conducted under the CRA scheme deliver a higher level of assurance and objectivity. These external reviews help organisations identify blind spots in their security implementations that might be missed through internal assessments alone.
The CRA scheme has been designed with flexibility at its core, enabling it to work effectively across different sectors and regulatory contexts. Cyber oversight bodies, such as sector regulators, can partner with the NCSC to tailor the scheme to their specific requirements.
Additional Resources and Support
Organisations implementing the CAF can access various resources to support their journey:
- NCSC Website: Comprehensive documentation on the CAF, including detailed descriptions of all objectives, principles, and contributing outcomes.
- Cyber Resilience Audit Scheme: Organisations seeking independent validation can engage with assured commercial suppliers through the NCSC's CRA scheme.
- Sector-Specific Guidance: Various sector regulators and competent authorities have published tailored guidance on implementing the CAF within their specific contexts.
- NCSC Guidance Collections: Extensive guidance on implementing security controls that can help organisations achieve CAF outcomes.
Organisations are encouraged to engage with these resources early in their CAF implementation journey to benefit from established best practices and lessons learned.
Looking Forward
The CAF's principles-based approach offers organisations the flexibility to address emerging threats while maintaining focus on essential security outcomes. By adopting this structured yet adaptable framework, organisations can build resilience that both addresses current risks and evolves with the changing threat landscape.
As cyber threats continue to evolve, the CAF itself will likely undergo further refinement and adaptation. Organisations that establish good foundations using the current framework will be well-positioned to adapt to future changes, maintaining effective cyber resilience in an increasingly complex digital environment.
How CNIC Can Help
At CNIC, we understand the complexities of implementing the Cyber Assessment Framework. Our specialised platform streamlines CAF assessments, evidence collection, and reporting, helping organisations of all sizes achieve cyber resilience efficiently.
CNIC provides specialised tools to streamline CAF assessments.
Contact us today to learn how we can support your CAF implementation journey.