In an increasingly interconnected world where cyber threats are growing in frequency and sophistication, governments and organisations are recognising the critical importance of securing their digital infrastructure and sensitive data.
It is for these reasons that the NCSC has developed the Cyber Assessment Framework (CAF) collection which is intended for use by any organisation that is responsible for the services and activities that are of vital importance to us all.
As stated in the National Cyber Strategy, the CAF has been introduced as part of a programme aimed at improving the governments cyber security. Outside of the government, the organisations likely to find the CAF collection useful fall into three broad categories:
- Organisations within the UK Critical National Infrastructure (CNI),
- Organisations subject to Network and Information Systems (NIS) Regulations,
- Organisations managing cyber-related risks to public safety such as Control of Major Accident Hazards (COMAH).
Not all organisations need to fit into the above brackets to align to the CAF, however the framework was created to align with these organisation types.
Though the CAF Framework was created to align with the missions of these described, many other organisations may benefit from adhering to the cyber assessment framework.
What is the Cyber Assessment Framework?
The Cyber Assessment Framework, commonly referred to as CAF, is a comprehensive set of guidelines, practices, and tools designed to evaluate and enhance the cybersecurity capabilities of government organisations.
It provides a structured approach for assessing an organisation’s cybersecurity posture, identifying vulnerabilities, and implementing appropriate mitigation measures.
The CAF collection consists of a set of 14 cyber security & resilience principles, together with guidance on using and applying the principles and the CAF itself. It aims to help organisations achieves and demonstrate an appropriate level of cyber resilience in relation to certain specified essential functions performed by that organisation.
Specified Essential Functions
Used to distinguish the CAF collection from a set of generic good cyber security practices.
Users of the CAF will typically be responsible for the correct operation of one or more important organisational functions, the compromise or failure of which would lead to unacceptable consequences.
The specified essential functions drive consideration for in scope network and information systems. In recognition of this, the CAF collection has been designed to be equally applicable to both Information Technology (IT) and Operational Technology (OT).
This is in contrast to general good cyber security practices, which are usually assumed to be applicable across the entirety of an organisation’s IT estate and are not usually designed to encompass OT.
Referring to an organisation’s ability to maintain the correct operation of its essential functions even in the presence of adverse cyber events.
This term emphasise that the CAF collection is intended for use where there are some pre-determined unacceptable consequences. The purpose of following CAF requirements is to manage the risk of those unacceptable consequences as a result of a cyber-attack.
Achieve and Demonstrate
The CAF collection provides a framework specifically designed to be used by external entities to generate such understanding. Written in terms of outcomes to be achieved rather than a compliance checklist.
There will often be a number of different ways of achieving the specified CAF outcomes, which could cause uncertainty regarding the extent to which an organisation has successfully put in place an appropriate level of cyber resilience. However, the inclusion of Indicators of Good Practice in the CAF provides a guide to the kind of measures that would normally be present in an organisation that was achieving CAF outcomes.
The Outcome-based Approach
While recognising the risk of over-simplifying a complex subject, there are two basic approaches available when aiming to drive change towards a recognised desirable end-state.
The First Approach
Creating a set of prescriptive rules that, will result in achieving the desirable end-state.
The Second Approach
Defining a set of principles that, if consistently used to guide decision-making, will collectively result in the desirable end-state.
The NCSC view the principles-based approach (the second approach) as a more effective way of driving improvements to cyber security and is consistent with the majority of goal-based regulations in the UK.
The NCSC intends the principles and guidance to be used in the following way by organisations performing essential functions:
- Understand the principles and why they are important. Interpret the principles for the organisation.
- Compare the outcomes described in the principles to the organisation’s current practices. Use the guidance to inform the comparison.
- Identify shortcomings. Understand the seriousness of shortcomings using organisational context and prioritise.
- Implement prioritised remediation. Use the guidance to inform remediation activities.
The CAF Principles
A – Managing Security Risk
Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions.
A1 – Governance
A2 – Risk Management
A3 – Asset Management
A4 – Supply Chain
B – Protecting Against Cyber Attack
Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber-attack.
B1 – Service protection policies and processes
B2 – Identity and access control
B3 – Data Security
B4 – System security
B5 – Resilient networks and systems
B6 – Staff awareness and training
C – Detecting Cyber Security Events
Capabilities exist to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential functions.
C1 – Security monitoring
C2 – Proactive security event discovery
D – Minimising the Impact of Cyber Security Incidents
Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions, including the restoration of those functions where necessary.
D1 – Response and recovery planning
D2 – Lessons learned
What is the Significance of CAF?
1. Standardisation and Consistency: The CAF serves as a benchmark for evaluating cybersecurity practices across government entities. By providing a standardised framework, it ensures consistency and coherence in cybersecurity assessments, allowing for effective comparison and sharing of best practices.
2. Risk Identification and Mitigation: The CAF assists in identifying and assessing potential risks and vulnerabilities in government systems and networks. It enables organisations to prioritise and address critical risks, minimising the potential impact of cyber threats and attacks.
3. Compliance and Regulation: The CAF often aligns with legal and regulatory requirements specific to the government sector. It helps organisations meet compliance obligations, demonstrate due diligence, and maintain a robust security posture in line with applicable laws and regulations.
4. Resource Optimisation: Through the CAF, government entities can allocate resources effectively by focusing on areas of high vulnerability and critical infrastructure. By identifying and prioritising risks, they can allocate resources efficiently to mitigate threats and enhance overall cybersecurity resilience.
The magnitude, frequency and impact of network and information system security incidents is increasing. Historical events such as the 2015 attack on Ukraine’s electricity network and the 2017 WannaCry ransomware attack, together with more recent events such as the US Colonial Pipeline and Israeli water infrastructure attacks clearly highlight the impact that these incidents can have. This highlighted a need to improve the security of network and information systems across the UK, with a particular focus on essential functions, which, if compromised, could potentially cause significant damage to the economy, society, the environment, and individuals’ welfare, including loss of life.