Cyber Assessment Framework - Policy brief

As the UK’s technical authority for cyber security, the National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework (CAF) to support the UK’s implementation of the European Union’s Network and Information Systems (NIS) Directive in 2018. Today, a significant number of UK providers of essential services are using the framework to help them improve cyber security.

In light of this, the National Cyber Strategy, and the Government Cyber Security Strategy set out plans to adopt the CAF as the assurance framework for government, providing a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed.

The Government Cyber Security Strategy explains how the government will ensure all public sector organisations will be resilient to cyber threats. This strategy sets out plans to ensure that the government assesses its cyber resilience consistently and comparably. This will be underpinned by adopting the NCSC’s CAF as a standard way of assessing cyber risk.

The Department for Levelling Up, Housing and Communities (DLUHC) is currently working with a small cohort of councils to explore how local authorities should use the CAF to assess and improve their cyber security. Once the pilot ends, they plan to roll out the framework with councils across England. They will continue to iterate and develop the framework and supporting guidance and explore what reporting and assurance models for local government could look like.

The Local Government Association led a roundtable meeting with senior IT leaders from the sector. The group identified seven critical success factors that would need to underpin the Local Government CAF (LGCAF):

• The LG CAF ensures councils can access necessary UK public sector systems through one single, clear regime reducing the workload for local government while achieving the same tangible benefits.
• The LG CAF tailors the NCSC CAF to the local government context with achievable, feasible, and testable indicators of good practice for the sector.
• The LG CAF provides concise, comprehensive, and targeted guidance and support to local government, enabling the adoption and development of best practices.
• The LG CAF provides a shared understanding of sector-wide risks, vulnerability, and practices, empowering sector-led improvement.
• The LG CAF includes self-assurance (trust) and external verification (test) elements to deliver a strong foundation for information sharing.
• The LG CAF provides councils with an agreed minimum required standard (‘baseline’) that must be assured and tested at a specified frequency.
• Successful completion of the LG CAF is an organisational responsibility signed off by a council’s Chief Executive.

The Local Government Association regularly engages with sector leaders, DLUHC, NCSC, and the Cabinet Office to secure the best outcomes and support for local government.

Objective:

The National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF) provides guidance for organisations responsible for vitally important services and activities.

The NCSC framework consists of a set of 14 cyber security and resilience principles, together with guidance on using and applying the principles. It is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience.

The principles define a set of top-level outcomes that, collectively, describes good cyber security for organisations performing essential functions. Each principle is accompanied by a narrative and guidance for achieving the outcome and recommends some ways to tackle common cyber security challenges. 

The NCSC intends for the principles and guidance to be used in the following way:

• Understand the principles and why they are essential. Interpret the principles for the organisation.
• Compare the outcomes described in the principles to the organisation’s current practices. Use the guidance to inform the comparison.
• Identify shortcomings. Understand the seriousness of shortcomings using organisational context and prioritise.
• Implement prioritised remediation. Use the guidance to inform remediation activities.

Principles and guidance

The CAF is centred on four objectives, each of which has several principles and guidance associated with them.

Appropriate organisational structures, policies, and processes are in place to understand, assess and systematically manage security risks to the network and information systems supporting essential functions. This objective covers the principles of:

• Governance – having appropriate policies and processes to govern an organisation’s approach to cyber security.
• Risk management – ensuring steps are taken to identify, assess and understand security risks.
• Asset management – determining and understanding what systems and services are required to deliver essential functions.
• Supply chain – understanding and managing security risks introduced through external suppliers.

Proportionate security measures are in place to protect the network and information systems supporting essential functions from cyber-attack. This objective covers the principles of:

• Service protection policies and processes – defining and communicating appropriate policies to secure systems and data.
• Identity and access control – managing access to networks and information systems.
• Data security – protecting data stored, processed, or transmitted electronically from actions that may have an adverse impact.
• System security – protecting critical systems from cyber-attack.
• Resilient networks and systems – building resilient networks and systems that protect and defend against a cyber attack
• Staff awareness and training – supporting staff to understand their role and contribute to the cyber security of essential functions.

Capabilities exist to ensure security defences remain effective in detecting cyber security events affecting or potentially affecting essential functions. This objective covers the principles of:

• Security monitoring – monitoring is in place to detect security issues and track whether existing security measures are effective.
• Proactive security event discovery – detecting cyber security events

Capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions, including restoring those functions where necessary. This objective covers the principles of:

• Response and recovery planning – putting suitable incident management and mitigation processes in place.
• Lessons learned – learning from incidents and implementing lessons to improve the resilience of essential functions.