Understanding and implementing the Cyber Assessment Framework (CAF)

Guest blog by Sakif Zafar, Senior Cyber Security Consultant at Littlefish

The NCSC Cyber Assessment Framework (CAF) was designed to offer a comprehensive and systematic approach for organisations to manage cyber security risk. It was developed by the National Cyber Security Centre to support the implementation of the Network and Information Systems (NIS) Regulations 2018 (which are, themselves, based on the European Union (EU) Directive on Security of Network and Information Systems (NIS Directive) 2016).

The purpose of the CAF was originally to help ensure the reliability and security of network and information systems for essential functions. For example, Critical National Infrastructure (CNI) like electricity, water, oil and gas. However, because it is designed to be flexible and adaptable, the CAF is also a very useful guide for other types of organisations that want to improve their cyber resilience. For example, NHS Digital recently assured all their services against the CAF framework, and GovAssure (the new cyber security assurance approach for government), uses the CAF to assess all systems deemed critical.

The CAF is unique compared to more typical cyber security standards and guidelines because it’s applicable to both Information Technology (IT) and Operational Technology (OT). It was also developed specifically for use by UK organisations and is aligned with UK government cyber security policy.

Compared to other security frameworks, the CAF aligns itself most closely with the NIST cyber security framework whose five domains closely match the four objectives of the CAF. However, the CAF varies crucially in its application in that it has an ‘outcome-based’ assessment rather than focusing on controls.

Intended to be used either by the responsible organisation itself (known as a self-assessment) or by an independent external entity (possibly a regulator or a suitably qualified organisation such as a managed cyber services provider, the CAF defines cyber resilience as “an organisation’s ability to maintain the correct operation of its essential functions, even in the presence of adverse cyber events”. However, it’s important to note that the NCSC developed the CAF in its capacity as a national technical authority on the topic of cyber security and, as such, the NCSC does not have regulatory authority or responsibility when it comes to the implementation and use of the CAF’s objectives and principles. Organisations subject to cyber regulation should therefore consult with their own regulators to ascertain whether using the CAF (or using the CAF solely) complies with their industry’s regulatory requirements.

Cyber Assessment Framework Requirements

The CAF was developed to help organisations manage cyber risk by meeting the following set of requirements*:

To provide a suitable framework to assist in carrying out cyber resilience assessments
To maintain the outcome-focused approach of the NCSC cyber security and resilience principles and discourage assessments being carried out as tick-box exercises
To be compatible with the use of appropriate existing cyber security guidance and standards
To enable the identification of effective cyber security and resilience improvement activities
To exist in a common core version which is sector-agnostic
To be extensible to accommodate sector-specific elements as may be required
To enable the setting of meaningful target security levels for organisations to achieve, possibly reflecting a regulator view of appropriate and proportionate security
To be as straightforward and cost-effective to apply as possible

*This information is taken from NCSC.gov.uk, for source material or to read more, click here.

The CAF’s objectives and principles

Though it may seem complicated at first glance, the CAF is actually neatly divided into four high-level objectives, under which sit fourteen principles. Taking this further, each principle is then divided into contributing outcomes and indicators of good practice (IGPs) which are intended to provide very specific and measurable guidance for organisations to check they are achieving the principles.

The CAF’s layers make more sense if we remember that the guidelines are not designed to act as a prescriptive checklist. Rather, the CAF is a framework which details what good cyber resilience looks like.

With this in mind, let’s take a closer look at the CAF’s four objectives and the principles each requires:

Objective A: managing security risk

Managing security risk focuses on ensuring the security of essential network and information systems. To achieve this, CAF advises that organisations must adopt comprehensive governance, risk management, asset management, and supply chain management strategies (these are the four principles which sit beneath this objective).

To implement these strategies, then, organisations will need to create, roll-out, and update policies and processes that govern security, as well as identify, assess, and manage security risks efficiently. As well as understanding their own systems and essential functions, achieving the CAF’s principles under this objective also involves understanding and managing specific security risks tied to dependence on external suppliers.

Objective B: protecting against cyber-attack

The most detailed objective, the CAF requires organisations to meet six principles to effectively protect against cyber-attacks. These include service protection policies and processes, identity and access control, data security, system security, resilient networks and systems, and staff awareness and training.

To implement these principles and meet objective B, organisations will need to ensure they have defined and communicated appropriate organisational policies and processes to secure systems and data. They will need to understand, document and control access to networks and information systems that support essential functions. They will have to protect stored or electronically transmitted data from actions that may negatively impact essential functions. They will be required to protect critical network, information systems, and technology from cyber-attacks and threats. They will need to build resilience against cyber-attacks and become cyber mature and, finally, they must appropriately support and educate staff to ensure all users understand and contribute to the cyber security of essential functions.

Objective C: detecting cyber security events

Involving two principles, in order to meet objective C, organisations must undertake cyber security monitoring and establish proactive security event discovery.

In other words, this objective focuses on maintaining effective security defences and detecting cyber security events that could affect the organisation’s essential, value-making functions. Achieving this requires measures in place to generate secure event logs, monitor networks and systems, and respond appropriately to track the effectiveness of current security measures.

Objective D: minimising the impact of cyber security incidents

Also involving two principles (to make fourteen in total), the CAF’s objective D involves response and recovery planning as well as a ‘lessons learned’ function.

To meet these standards, organisations must ensure that capabilities are put in place to minimise the negative impact of cyber security incidents on essential operational functions, as well as remediate and restore functions where necessary. This may include, for example, establishing a critical hour framework (CHF) model or other response and recovery plan. Organisations will also need to incorporate lessons learned from previous incidents to drive improvements to the security and resilience of essential functions.

You can see the full table view of the CAF’s principles and related guidance here.

Final word: why should organisations use the CAF?

Unfortunately, dealing with cyber security incidents is a part of life for organisations and, as the NCSC themselves note “the magnitude, frequency and impact of network and information system security incidents is increasing.”

More than this, though, it’s important to remember that doing all we can to protect against cyber threats is as much an ethical consideration as it is a business one. It’s important that we work together – utilising accessible and flexible frameworks like the CAF – to strengthen our cyber resilience and to protect the people we work alongside, as well as with their data and assets.

To find out how Littlefish can help your organisation meet the CAF’s obligations by implementing powerful and robust levels of cyber security and resilience, please use the ‘get in touch’ button on this page to contact our team of cyber security specialists.

You can find the original blog.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more