Cyber Assessment Framework
Page 3 of 25
Introduction to the Cyber Assessment Framework
The CAF – a tool for assessing cyber resilience
The NCSC Cyber Assessment Framework (CAF) provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible. CAF-based assessments can be carried out either by the responsible organisation itself (self-assessment) or by an independent external entity, possibly a regulator / cyber oversight body or a suitably qualified organisation acting on behalf of a regulator, such as an NCSC assured commercial service provider.
The NCSC CAF cyber security and resilience objectives and principles provide the foundations of the CAF. The 4 high-level objectives and the 14 principles laid out within this collection are written in terms of outcomes, i.e. specification of what needs to be achieved rather than a checklist of what needs to be done. The CAF adds additional levels of detail to the top-level principles, including a collection of structured sets of Indicators of Good Practice (IGPs) as described in more detail below.
Note
The NCSC developed the CAF in its role as national technical authority for cyber security, with an expectation that it would be used, amongst other things, as a tool to support effective cyber regulation. The NCSC itself has no regulatory responsibilities, and organisations subject to cyber regulation should consult with their regulators to learn whether they should use the CAF in the context of meeting regulatory requirements.
CAF requirements
The CAF has been developed to meet the following set of requirements:
- 1
provide a suitable framework to assist in carrying out cyber resilience assessments
- 2
maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments being carried out as tick-box exercises
- 3
be compatible with the use of appropriate existing cyber security guidance and standards
- 4
enable the identification of effective cyber security and resilience improvement activities
- 5
exist in a common core version which is sector-agnostic
- 6
be extensible to accommodate sector-specific elements as may be required
- 7
enable the setting of meaningful target security levels for organisations to achieve, possibly reflecting a regulator view of appropriate and proportionate security
- 8
be as straightforward and cost-effective to apply as possible
CAF principles and contributing outcomes
Each top-level NCSC security and resilience principle defines a broad cyber security outcome. The precise approach organisations should adopt to achieve each principle is not specified as this will vary according to organisational circumstances. However, each principle can be broken down into a collection of lower-level contributing cyber security and resilience outcomes, all of which will normally need to be achieved to fully satisfy the top-level principle.
An assessment of the extent to which an organisation is meeting a particular principle is accomplished by assessing all the contributing outcomes for that principle. In order to inform assessments at the level of contributing outcomes:
- 1
each contributing outcome is associated with a set of indicators of good practice (IGPs) and,
- 2
using the relevant IGPs, the circumstances under which the contributing outcome is judged ‘achieved’, ’not achieved’ or (in some cases) ‘partially achieved’ are described.
For each contributing outcome the relevant IGPs have conveniently been arranged into table format. The resulting tables, referred to as IGP tables, constitute the basic building blocks of the CAF. In this way, each principle is associated with several tables of IGPs, one table per contributing outcome.
Using IGPs
Assessment of contributing outcomes is primarily a matter of expert judgement and the IGPs do not remove the requirement for the informed use of cyber security expertise and sector knowledge. IGPs will usually provide good starting points for assessments but should be used flexibly and in conjunction with the NCSC guidance associated with the top-level cyber security and resilience principles. Conclusions about an organisation’s cyber security and resilience should only be drawn after considering additional relevant factors and special circumstances.
The ‘achieved’ (GREEN) column of an IGP table defines the typical characteristics of an organisation fully achieving that outcome. It is intended that all the indicators would normally be present to support an assessment of ‘achieved’. The exception would be when an IGP may not be applicable if there are compensating measures that would meet the requirements of the relevant objective.
The ‘not achieved’ (RED) column of an IGP table defines the typical characteristics of an organisation not achieving that outcome. It is intended that the presence of any one indicator would normally be sufficient to justify an assessment of ‘not achieved’.
When present, the ‘partially achieved’ (AMBER) column of an IGP table defines the typical characteristics of an organisation partially achieving that outcome. It is also important that the partial achievement is delivering specific worthwhile cyber security and resilience benefits. An assessment of ‘partially achieved’ should represent more than giving credit for doing something vaguely relevant.
The following table summarises the key points relating to the purpose and nature of IGPs:
| IGPs are... | IGPs are not... | |
| Purpose | ...intended to help inform expert judgement. | ...a checklist to be used in an inflexible assessment process. |
| Scope | ...important examples of what an assessor will normally need to consider, which may need to be supplemented in some cases. | ...an exhaustive list covering everything an assessor needs to consider |
| Applicability | ...designed to be widely applicable across different organisations, but applicability needs to be established. | ...guaranteed to apply verbatim to all organisations. |
Setting target levels of cyber security and resilience
The result of applying the CAF is 41 individual assessments, each one derived from making a judgement on the extent to which a set of IGPs reflects the circumstances of the organisation being assessed. The CAF has been designed in such a way that a result in which all 41 contributing outcomes were assessed as ‘achieved’ would indicate a level of cyber security some way beyond the bare minimum ‘basic cyber hygiene’ level.
A cyber oversight body will need to set target levels of cyber resilience for organisations within their sector. One way of setting these target levels is in relation to the ability to withstand specified categories of cyber attacks (e.g. resilience to basic capability attacks, moderate capability attacks etc.) and the CAF has been designed to support this approach via the idea of CAF profiles.
The NCSC has worked with regulators and other organisations with a cyber resilience oversight role on an approach to interpreting CAF output based on identifying those contributing outcomes considered most important to achieve in order to manage security risks to that organisation’s essential functions. Those prioritised contributing outcomes would correspond to an initial view of appropriate and proportionate cyber security for that organisation. The subset of contributing outcomes identified as the most important in this way would represent an example of a CAF profile – something that could be used as the basis for setting a target for organisations to achieve.
In practice a CAF profile consists of a mixture of some contributing outcomes to be met at ‘achieved’, some at ‘partially achieved’ and perhaps some (representing cyber security capabilities not appropriate at the level of the profile) identified as ‘not applicable’.
It is not the responsibility of the NCSC to mandate what represents appropriate and proportionate cyber security and resilience. Any target set for organisations to achieve in terms of CAF results is for the relevant cyber oversight body to define.
Making the CAF sector specific
The common core of the CAF (consisting of objectives, principles, contributing outcomes and indicators of good practice) is sector agnostic in the sense that it is designed to be generally applicable to all organisations responsible for essential functions across all key sectors. It is possible that there will be a need for some sector specific aspects of the CAF, which could include the following:
- 1
Sector-specific CAF profiles
Some target profiles may well be sector specific. As mentioned in the section on setting target levels, it will be a decision for the relevant cyber oversight body to put an interpretation on CAF results, which may be from a regulatory perspective.
- 2
Sector-specific interpretations of contributing outcomes/IGPs
It may be necessary in some cases for a sector-specific interpretation of contributing outcomes and/or IGPs to better clarify meaning within the sector.
- 3
Sector-specific additional contributing outcomes/IGPs
There may be circumstances in which sector-specific cyber security requirements cannot be adequately covered by an interpretation of a generic contributing outcome or IGP. In these cases, an additional sector-specific contributing outcome or IGP may need to be defined.
The NCSC will continue to work with the full range of CAF stakeholders to determine if sector-specific aspects of the CAF are required, and to assist in considering and introducing changes as necessary.
