NCSC Cyber Assessment Framework (CAF)

Updated: January 20, 2025

Cyber incidents can have catastrophic consequences, and the cyber risks faced by public sector organisations need a plan. The NCSC developed the Cyber Assessment Framework (CAF) to help organisations achieve and demonstrate cyber resilience, specifically by identifying the important functions at risk of disruption from cyber incidents.

It’s based on simple principles to systematically manage security risks, identify vulnerabilities, refine existing security measures, and implement security controls as part of a comprehensive cybersecurity strategy.

The reliability and security of organisations responsible for the supply of water, oil, gas, power and healthcare are critical for public safety. History provides evidence of notorious attacks with nationwide consequences, including the WannaCry ransomware attack, the attacks on Ukraine’s electricity network, the US Colonial Pipeline incident, and attacks on local governments (councils).

This post looks at the CAF, its 14 principles, and how they apply to different industries that manage cyber risks.

Key Points

  • The Cyber Assessment Framework (CAF) is a comprehensive and flexible guide from the NCSC, the UK’s technical authority. Its four key objectives help organisations manage cyber risks and improve their cyber resilience: managing security risk, protecting against cyber attacks, detecting cyber events, and minimising cyber incidents.
  • The CAF security framework is sector-agnostic and flexible. It provides a baseline and guidance for reference and is an outcome-focused approach to compliance. The framework provides specific Indicators of Good Practice (IGPs) to measure existing security controls and adapt them to different industries, their unique risks, and regulatory requirements.
  • Organisations should periodically self-assess using the CAF, or engage external entities to do so, to gain visibility into their cyber security, turn the identified shortcomings into an improvement roadmap, and align their security with the framework’s principles over time.

What is the Cyber Assessment Framework

The NCSC’s CAF is not a checklist or a set of rules; it’s a high-level framework developed by NCSC cybersecurity experts to help organisations responsible for managing cyber risks and improving their security posture. It provides organisations of all sizes with a systematic and holistic approach to assessing and improving their cybersecurity.

Understanding the CAF is key as it gives organisations the knowledge to prevent, respond to and recover from cyber incidents.

The NCSC has created the NCSC CAF resources to help organisations comply with the NIS regulations, but these resources go beyond the operators of essential services (OES) defined in the NIS regulations. They use broader terms like “essential function” to cover other important activities and may apply to organisations not directly subject to cyber regulation. If you’re an OES, contact your competent authority (CA) for guidance on using the CAF collection in your sector. The NCSC has no role in enforcing the NIS regulations but can assist with understanding compliance requirements.

Purpose of the Cyber Assessment Framework from the National Cyber Security Centre

The NCSC has designed the CAF to discourage assessments conducted as “tick box” exercises; it takes an outcome-focused approach, as NCSC guidance generally does. This is a big change from traditional approaches, which are often compliance-focused rather than effectiveness-focused. The CAF’s outcome-based approach makes organisations prioritise the effectiveness of existing security controls over simply having specific controls in place.

One of the CAF’s strengths is its flexibility, which is also why it is attractive to regulators.

The framework can be tailored to different industries, and sector-specific elements can be added when needed. Organisations that use it include:

  • the public sector supporting core government functions
  • Critical National Infrastructure (CNI) organisations
  • organisations subject to NIS regulatory requirements
  • organisations managing cyber risks to public safety, such as digital service providers (DSPs) and operators of essential services (OES)
  • other organisations that choose to adopt it

14 Principles and Guidance of the NCSC CAF Framework

At the core of the NCSC CAF are four main objectives, which are broken down into 14 principles. The 14 principles are in turn supported by 39 contributing outcomes.

These four security objectives are:

  1. Manage security risks
  2. Prevent cyber attacks
  3. Detect cybersecurity events
  4. Minimise impact of cybersecurity incidents

These objectives are the foundation of the CAF and a holistic approach to cybersecurity.

Each objective has a set of principles that guide organisations towards the desired outcomes. These resilience principles help organisations strengthen their security controls, risk management processes and incident response capabilities. Achieving these objectives means organisations are equipped to deal with the ever-changing cyber threat landscape.

Objective A: Manage Security Risks

Appropriate organisational structures, policies and processes must be in place to follow a systematic and comprehensive approach with long-term resilience in mind.

A1: Governance

Governance emphasises establishing clear management structures and processes for network and information system security. Senior management should define acceptable risk levels and assign clear accountability for security decisions. Effective governance integrates with existing business decision-making processes and empowers staff at all levels to manage risks based on their expertise. Standardised risk management frameworks like ISO 27001 can help organisations achieve good cyber security governance by providing a structured approach for identifying, assessing, and treating cyber risks.

A2: Risk

Risk management means identifying, assessing, and understanding security risks and establishing an overall organisational approach to managing those risks. Recognised risk methods and frameworks provide a solid foundation for this. Organisations can gain confidence in their cybersecurity posture through assurance activities such as penetration testing, cloud security assessments, and physical risk assessments.

A3: Asset

Asset Management focuses on understanding everything critical for essential functions. This includes not just IT systems and data but also physical assets like power and cooling, essential staff, and even dependencies on external suppliers. Effective asset management requires a comprehensive inventory of all these elements, kept up-to-date throughout their lifecycle. For organisations using frameworks like ISO 27001 or ITIL, asset management is a key component but may require additional focus on critical assets compared to the standard’s minimum requirements.

A4: Supply Chain

Dependencies on external suppliers present risks to an organisation that must be managed by your security team. A few considerations for supply chain security are:

  • Data Protection: Data shared with third parties is protected from unauthorised access, modification or deletion as per Principle B3 of the CAF.
  • Product/Service Security Specifications: Defining security requirements for procured products or services that match the security requirements of essential functions.
  • Vulnerability Management: Preventing unmanaged vulnerabilities through network connections or data sharing with suppliers.
  • Supplier Trust: Getting confidence in the supplier’s ability to resist attacks that could compromise essential functions.

Objective B: Prevent Cyber Attacks

Objective B of the CAF is key to ensuring robust security defences and network security, securing networks and information systems that support an organisation’s functions from cyber threats. It means proportionate security measures are in place and aligned to the organisational structure. The following sections cover all the indicators and guidance:

B1: Service Protection Policies and Procedures

Service Protection Policies, Processes and Procedures highlights the need for well-defined and communicated security policies to protect essential functions. These policies should be more than just documentation; they must be effectively implemented and enforced, taking into account how people actually work. This ensures they are followed and contributes to real security improvements.

Effective policies should be tailored to different audiences (e.g., IT staff and senior management) and integrate with the organisation’s overall governance and risk management approach. They should also be regularly reviewed and updated to reflect the evolving threat landscape and lessons from security incidents, ensuring continuous improvement in protecting essential functions.

B2: Identity and Access Control

Identity and Access Control focuses on managing access to networks and information systems supporting essential functions. Organisations must clearly understand, document, and control who (or what, in the case of automated functions) can interact with these systems and access sensitive data. Access rights should be carefully controlled, especially those impacting essential functions, and promptly revoked when no longer needed. Users, devices, and systems should be verified, authenticated, and authorised before accessing data or services, with stronger authentication methods like multi-factor authentication considered for privileged access. Unauthorised access should be prevented at all points within the system, including online services and compromised devices. Physical security measures should also be in place to protect against unauthorised access, tampering, or data deletion.

B3: Data security

Data Security focuses on protecting essential function data from unauthorised access, modification or deletion. This applies to data at rest (stored) and data in transit, where encryption plays a crucial role. Protection measures should align with the data’s criticality. For example, sensitive data might require encryption or offline backups to ensure confidentiality and availability, while protecting the network infrastructure or using cryptography safeguards data in transit. Additionally, information that would aid attackers, like system design details, needs to be identified and secured.

B4: System security

System Security focuses on safeguarding critical network and information systems from cyberattacks. Organisations must understand potential risks to their essential functions and implement proportionate security measures to minimise attacker opportunities. This involves considering software flaws, system features, and user error vulnerabilities. Protective measures should be proportionate to the risk, focusing on areas like system design, configuration management, system management practices, and vulnerability management.

Key aspects include adopting a “secure by design” approach, using baseline configurations and maintaining records of known good states, implementing robust access controls and physical security, and proactively managing vulnerabilities through patching, data segregation, and malware detection. By implementing these measures, organisations can significantly bolster the security of their essential systems and reduce the likelihood of successful attacks.

B5: Resilient Networks and Systems

Resilient Networks and Systems emphasises building resilience into all stages – design, implementation, operation, and management. This goes beyond just protecting technology; it ensures critical functions can continue even if systems fail or are compromised. This may involve backup plans, manual processes, and ensuring devices used for system administration are well protected against common attack methods like spear phishing.

B6: Staff Awareness and Training

Staff Awareness and Training recognises that people are crucial to an organisation’s security. It emphasises providing staff with the appropriate knowledge and skills to support the security of essential functions. Effective security training programmes should be tailored to how people actually work with systems and promote a positive security culture where staff understand their responsibilities and actively contribute to security.

This involves using various training methods, from online courses to simulated attacks, and fostering open communication about security practices. Senior management support for a long-term security vision is essential for building this culture. By empowering staff with the right knowledge and fostering a proactive security mindset, organisations can significantly enhance their overall cyber resilience.

Objective C: Detect Cyber Security Events

C1: Monitoring

The very basic premise of handling security incidents is having the capability to know about the unusual network activity taking place in your environment. Continuous monitoring of your systems, devices, and networks forms the first line of defence.

Data Collection

Organisations must collect and analyse different types of data to detect data security issues:

  • Web Traffic: Your security devices can monitor and reveal suspicious patterns based on the Internet traffic entering and exiting your environment.
  • Email Traffic: Keeping an eye on email metadata such as the server’s reputation, senders and recipients can detect phishing attempts. In some cases, content analysis or in-depth analysis may be required.
  • Network Connections: Recording incoming and outgoing network connections, especially those that are out of the norm, is critical.
  • Internal Activity: Monitoring user activity on devices and servers can detect deviations from normal behaviour.

Log Analysis

Log files are a goldmine of information and must be used:

  • Threat Identification: Organisations can quickly identify known attackers by comparing logs against databases of known threats, e.g. malware signatures.
  • Tool Utilisation: Advanced tools are used to correlate and analyse log data to make threat detection more efficient.
  • Staff Training: Ensure staff are trained to use these analytical tools.

Threat Intelligence

To stay ahead of threats, gather and use intelligence:

  • Information Gathering: Collect threat information from various sources, e.g. online forums, subscription services or internal incident reports.
  • Quality Focus: Focus on relevance and accuracy of threat intelligence to avoid wasting resources on false positives.
  • Integration: Feed threat intelligence into your analysis tools.

Monitoring Team

A dedicated team or digital service provider is required for monitoring:

  • Expertise: Assemble a team with networking, security and operational knowledge specific to your business.
  • Investigation and Management: Roles for investigating suspicious activity and decision makers to evaluate potential threats.
  • Collaboration: Close coordination with the incident response team for threat management.

Flexibility

The threat landscape changes, and so should your monitoring strategies:

  • Strategy Evolution: Update your monitoring approach as your business environment and threats change.
  • Tool Flexibility: Choose tools that can handle new types of data and can be tweaked over time.
  • System Design: Design new systems with logging in mind for future monitoring needs.

C2: Proactive Security Event Discovery

Principle C2, Proactive Security Event Discovery, goes beyond traditional security measures like anti-virus software to uncover hidden threats. It means looking at unusual network traffic, user behaviour anomalies, event analysis and system irregularities for signs of compromise.

Proactive Detection Essentials

  • Indirect Threat Indicators: Not all threats show clear signs, so indirect indicators like unusual activity are important.
  • Event Analysis: Proactive detection relies on examining multiple events and understanding attacker methodology.
  • Strategic Prioritisation: This advanced detection should come after basic monitoring is in place.
  • System Design Considerations: Systems should be designed to support proactive threat discovery.

Proactive Detection Challenges

  • Complexity: This is more complex than basic monitoring.
  • Expertise: Requires network behaviour analysis and threat intelligence expertise.
  • Tool Selection: Tools for this will be expensive and have high false positive rates.

C2 advocates for active, forward looking security to detect and counteract threats that could impact business critical functions.

Objective D: Minimise the Impact of Cyber Security Incidents

The fourth and final objective of the CAF, Objective D, is to minimise the business impact of a cyber security incident. It builds on the detection of cyber security events (Objective C) and is achieved through response and recovery planning (D1) and learning from cyber security incidents to improve resilience (D2).

D1: Response and Recovery Planning

Organisations must have a plan for incidents that could impact business-critical functions. This means:

  • Risk Assessment: This exercise is used to identify threats and vulnerabilities to business-critical functions.
  • Response Plans: Develop plans for responding to different types of incidents, including malware, DoS attacks, and insider threats.
  • Response Team: A team consisting of various roles and responsibilities including but not limited to IT security, business continuity and comms experts.
  • Testing: Regular exercises and simulations to test the plan.

Physical resilience measures like contingency plans for critical systems and disaster recovery processes are also important.

D2: Lessons Learned

When an incident occurs, an organisation must understand its root causes and take appropriate remediation actions. The key aspects of Principle D2 Lessons Learned are:

  • Root Cause Analysis: After an incident or exercise, a root cause analysis should identify the underlying causes and any factors that hindered effective recovery.
  • Post-Incident Review and Reporting: Your organisation should have procedures and templates to enable incident teams to produce detailed reports documenting incident response and exercises. This includes analysing information sharing, governance processes, roles, responsibilities, and training.
  • Risk Reduction and Improvement: Lessons learned should inform improvements to various aspects of cybersecurity, including system configuration, monitoring, investigation procedures, containment/recovery strategies, and incident management governance. These lessons should be shared with relevant internal and external stakeholders, such as regulators, competent authorities, and the NCSC.
  • Data Retention: Effective post-incident analysis requires sufficient historical data, which is made possible by data retention policies that take into account the effectiveness of the monitoring capabilities, past incident experience and threat intelligence. This ensures that even incidents detected months after they occurred can be thoroughly investigated.

Indicators of Good Practice (IGPs)

In addition to the four objectives, the Cyber Assessment Framework (CAF) includes structured sets of indicators of good practice (IGPs) for each contributing outcome, which give an organisation more detail on what fully achieving the principles looks like. Each contributing outcome is assessed against one of three result values: achieved, partially achieved or not achieved.

The indicators that describe an organisation fully achieving the outcome are listed in the ‘achieved’ column. A ‘partially achieved’ result is followed by analysis and evaluation of the gaps, which identifies what is needed and acts as an improvement roadmap.

The indicators in CAF IGP are intended to help inform expert judgement. They are not a checklist to be used in an inflexible assessment process.

The IGPs are not an exhaustive list; they give the organisation indicators for each contributing outcome, against which it can judge whether the outcome is not achieved, partially achieved or achieved for each principle.

IGPs are designed to be flexible and adaptable so organisations can base their decisions on purpose, scope and applicability. Using IGPs flexibly allows organisations to build a solid foundation for assessments and align with the framework’s flexibility.

IGPs

IGPs are used in assessments to evaluate an organisation’s cybersecurity. This helps to make informed decisions about improving an organisation’s cyber resilience.

The use of IGPs is critical to building a solid foundation for assessments and aligning with the CAF. The IGP table defines a set of indicators (typical characteristics of fully achieving the outcomes) to help assess whether an organisation’s practice meets the contributing outcomes for each principle. An IGP table defines the result values in its columns; it is guidance to inform judgement, not an exhaustive checklist an assessor must work through.

Sector-specific IGPs

The flexibility and adaptability of the Cyber Assessment Framework are most evident in how each IGP table can be sectorised. The framework recognises that different industries have different risks, requirements and regulatory landscapes and allows for:

  • sector-specific CAF profile
  • sector-specific interpretation of contributing outcomes and IGPs
  • additional contributing outcomes and IGPs specific to the sector.

Sectorising IGPs to the CAF profile means customising the framework to account for the different industry sectors’ unique risks, requirements and regulatory landscapes. It can serve either as an expected baseline or an objective to reach in the future with an improvement roadmap. This ensures the Cyber Assessment Framework remains a practical and effective sector-agnostic tool for improving cyber security, whatever the risks and context.

How to use the NCSC Cyber Assessment Framework?

Once organisations understand the CAF and its parts, the next step is to implement the framework. This means self-assessing or engaging external entities to assess the organisation’s cyber security and identify improvement areas.

Two main approaches drive change: rigid rules or guiding principles.

  1. Rules-Based: This uses detailed rules to dictate actions. While effective when followed, creating comprehensive rules for complex areas like cybersecurity is challenging and can lead to unintended consequences and wasted resources.
  2. Principles-Based: This uses general principles to guide decisions, offering greater flexibility. The NCSC favours this approach for improving cybersecurity and resilience, aligning with the UK’s outcome-focused regulations prioritising achieving goals over simply following procedures.

The CAF principles outline high-level outcomes defining good cyber security and resilience for organisations with essential functions. Each principle includes explanatory details and supporting guidance to help organisations understand its importance and address common challenges. The principles aren’t meant as an exhaustive checklist, as organisations are best positioned to determine how to achieve the desired outcomes.

The NCSC intends organisations to use the CAF in the following way:

  • Understanding the principles and their importance
  • Interpreting them for their context
  • Comparing current practices against the guidance
  • Identifying and prioritising shortcomings
  • Implementing remediation
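
The three IGP result values, a sector profile used as the expected baseline, and the compare, prioritise and remediate steps above, worked as an added Python example (not NCSC or Cyphere code): each of the 14 principles is recorded at one of the three values, compared against a sector profile, and the shortfalls are ordered into an improvement roadmap. Assessment is at principle level rather than per contributing outcome, and the sample statuses and profile are constructed, not a real sector profile.

```python
"""Added example (not NCSC or Cyphere code): principle-level CAF self-assessment.
Each of the 14 principles gets one of the three IGP result values, is compared with
a sector profile's expected result, and shortfalls are ordered into a roadmap."""
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    """IGP result values; integer order lets a result be compared with a target."""
    NOT_ACHIEVED = 0
    PARTIALLY_ACHIEVED = 1
    ACHIEVED = 2


# The four CAF objectives and the 14 principles under them.
CAF_PRINCIPLES: dict[str, dict[str, str]] = {
    "A: Manage Security Risks": {"A1": "Governance", "A2": "Risk Management",
                                 "A3": "Asset Management", "A4": "Supply Chain"},
    "B: Prevent Cyber Attacks": {"B1": "Service Protection Policies and Procedures",
                                 "B2": "Identity and Access Control", "B3": "Data Security",
                                 "B4": "System Security", "B5": "Resilient Networks and Systems",
                                 "B6": "Staff Awareness and Training"},
    "C: Detect Cyber Security Events": {"C1": "Security Monitoring",
                                        "C2": "Proactive Security Event Discovery"},
    "D: Minimise the Impact of Cyber Security Incidents": {
        "D1": "Response and Recovery Planning", "D2": "Lessons Learned"},
}
ALL_IDS = {pid for principles in CAF_PRINCIPLES.values() for pid in principles}


@dataclass(frozen=True)
class Gap:
    principle: str
    name: str
    current: Status
    target: Status

    @property
    def severity(self) -> int:
        """IGP steps between the current result and what the profile expects."""
        return int(self.target) - int(self.current)


def _check_ids(statuses: dict[str, Status], label: str) -> None:
    """Reject ids that are not CAF principles (catches typos such as 'B7')."""
    unknown = sorted(set(statuses) - ALL_IDS)
    if unknown:
        raise ValueError(f"{label} references unknown principles: {unknown}")


def assess(current: dict[str, Status], profile: dict[str, Status]) -> list[Gap]:
    """Gaps between an assessment and a sector profile, largest shortfall first.
    Absent from profile -> ACHIEVED expected; absent from assessment -> NOT_ACHIEVED
    (no evidence). Exceeding the profile is not a gap; ties break on principle id."""
    _check_ids(current, "assessment")
    _check_ids(profile, "profile")
    gaps = []
    for principles in CAF_PRINCIPLES.values():
        for pid, name in principles.items():
            now, want = current.get(pid, Status.NOT_ACHIEVED), profile.get(pid, Status.ACHIEVED)
            if now < want:
                gaps.append(Gap(pid, name, now, want))
    return sorted(gaps, key=lambda g: (-g.severity, g.principle))


def summarise(current: dict[str, Status], profile: dict[str, Status]) -> dict[str, int]:
    """Headline numbers: principles at each result value and how many meet the profile."""
    counts = {status.name: 0 for status in Status}
    for pid in ALL_IDS:
        counts[current.get(pid, Status.NOT_ACHIEVED).name] += 1
    counts["MEETS_PROFILE"] = len(ALL_IDS) - len(assess(current, profile))
    return counts


def roadmap(gaps: list[Gap]) -> list[str]:
    """Render ordered gaps as improvement-roadmap lines."""
    return [f"{g.principle} {g.name}: {g.current.name} -> {g.target.name} (gap {g.severity})"
            for g in gaps]


# Constructed sample: D2 was never assessed; the constructed sector baseline accepts partial B5/C2.
SAMPLE_ASSESSMENT = {
    "A1": Status.ACHIEVED, "A2": Status.PARTIALLY_ACHIEVED, "A3": Status.ACHIEVED,
    "A4": Status.NOT_ACHIEVED, "B1": Status.ACHIEVED, "B2": Status.PARTIALLY_ACHIEVED,
    "B3": Status.ACHIEVED, "B4": Status.PARTIALLY_ACHIEVED, "B5": Status.PARTIALLY_ACHIEVED,
    "B6": Status.ACHIEVED, "C1": Status.PARTIALLY_ACHIEVED, "C2": Status.NOT_ACHIEVED,
    "D1": Status.ACHIEVED,
}
SAMPLE_PROFILE = {"B5": Status.PARTIALLY_ACHIEVED, "C2": Status.PARTIALLY_ACHIEVED}

if __name__ == "__main__":
    print(summarise(SAMPLE_ASSESSMENT, SAMPLE_PROFILE))
    print("\n".join(roadmap(assess(SAMPLE_ASSESSMENT, SAMPLE_PROFILE))))
```

Swapping SAMPLE_PROFILE for a stricter target profile turns the same assessment into the "objective to reach in the future" view the text describes.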

Self Assessment with the CAF

Self-assessment with the Cyber Assessment Framework allows organisations to measure their cyber security. Assessing against the framework gives organisations a broad view of their security posture, identifying what they are doing well, what they are doing less well and where to improve.

Self-assessment with the CAF also helps organisations to:

  • make informed decisions to improve their resilience
  • evaluate their cyber security through the framework
  • identify areas to improve
  • prioritise to improve cyber security

External Entities for Assessments

While self-assessment is useful, engaging external entities, such as competent authorities or independent assessors, can bring additional insight and expertise. External entities bring a fresh view and may identify risks or vulnerabilities that are not visible to those within the organisation.

Organisations can engage external entities such as Cyphere who are known for their cyber security expertise in capability building, maturity assessments and technical risk advisory services. Organisations can get a full and comprehensive assessment of their cyber security posture by leveraging external expertise.

Conclusion

The Cyber Assessment Framework is a key part of a public sector body’s overall cyber security strategy and requires a dedicated and continuous commitment to its principles and to keeping up with evolving cyber threats.

While the CAF provides a foundation for defence against cyber threats, it is not a one-off solution. It requires ongoing and active cyber security practices. Public sector organisations should use the CAF to the full to protect their systems and improve their cyber resilience.

Cyphere offers free consultations to help you align your security to the CAF principles so your defences are as strong as possible.

FAQs

What is a cyber security risk assessment?

A cyber security risk assessment is a process of risk evaluation that identifies the information assets at risk from a cyber attack and evaluates the risk to those assets.

What are the benefits of NCSC CAF?

The NCSC CAF provides a systematic yet flexible approach to assessing the cyber risks faced by an organisation’s essential functions.

Is there a UK equivalent to NIST?

The UK equivalent of NIST is the National Cyber Security Centre (NCSC), which is the UK’s national technical authority for information assurance on cyber security incidents. They provide cyber security guidance and advice (Intelligence Services Act 1994).

What is the NCSC Cyber Assessment Framework?

The NCSC Cyber Assessment Framework (CAF) is a way for organisations that deliver critical services and activities to manage cyber risk.

What are the 4 CAF objectives?

The 4 CAF objectives are: managing security risk, defending against cyber attacks, detecting cyber security events, and minimising the impact of cyber security incidents. These 4 objectives inform the organisation’s cyber security.
