Cyber Assessment Framework
Introduction
Cyber incidents can result in a number of different consequences, depending on the nature of the network and information systems targeted and the intentions of the perpetrators. Circumstances in which the possible consequences of cyber incidents are extremely serious, or even catastrophic, generally require very robust levels of cyber security and resilience. It is for these circumstances that the NCSC has developed the Cyber Assessment Framework (CAF) collection.
The CAF collection consists of the CAF itself together with a range of linked guidance and some background on its intended use. It is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified vitally important functions performed by that organisation, functions that are at risk of disruption as a result of a serious cyber incident.
Who is the CAF for?
The CAF is primarily designed for organisations operating essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government. It supports both internal assessments and external oversight bodies, helping organisations meet legal and regulatory requirements like the NIS Regulations. It does this by providing a framework for assessing how well an organisation is meeting expected cyber security and resilience outcomes described within a CAF Profile.
A CAF Profile is a target level for cyber security and resilience in response to threat actors with a particular level of attack capability. There are two types of CAF Profile: Basic and Enhanced. The Basic Profile sets out the target level for all sectors when faced with attackers with a basic level of attack capability; this typically covers attack scenarios involving common cyber attacks. An Enhanced Profile is sector specific and builds upon the Basic Profile by representing a cyber security and resilience target level appropriate for situations where an organisation typically faces attackers that are more capable, better resourced and able to undertake more sophisticated attacks.
The CAF collection
The CAF collection is for all organisations that are responsible for securing critical network and information systems that keep our businesses, citizens and public services protected.
More particularly:
- Organisations subject to the Network and Information Systems (NIS) Regulations
- Organisations within the UK Critical National Infrastructure (CNI)
- Organisations managing cyber-related risks to public safety
- Public sector organisations that support core government functions
- Other organisations / sectors that may find the CAF a useful tool
It is intended that the CAF collection will be of particular interest to cyber oversight bodies, that is, organisations (such as cyber regulators) that have responsibility for the cyber security and resilience of a sector. The CAF collection is intended to assist such organisations in carrying out some of their core oversight responsibilities. Any oversight body considering the use of the CAF in their sector is invited to contact the NCSC through the Support to Regulation mailbox to discuss possible additional support.
This collection contains:
- An overview and introduction of the CAF collection
- An introduction to the CAF, including guidance on the use of the CAF
- The wider context of the CAF when considering the Network and Information Systems (NIS) Regulations, CNI, how the NCSC works with cyber regulators, and GovAssure
- The CAF – a set of objectives and underlying principles, outcomes and indicators of good practice (IGPs)
- Relevant guidance on the application of the objectives and principles
- Additional linked guidance and references
Changelog, latest and previous CAF versions
The latest version of the CAF, and all previous versions, are available to download on the Changelog page.
Links to guidance that complements the CAF have been included; they can be found in the consolidated view of CAF guidance and in the additional information section of the individual principles.