Components of the CAF
The CAF defines 4 overall security objectives and 14 cyber security & resilience principles. The objectives should be viewed as interdependent, for example, it is important to have a strong cyber governance and risk foundation, as well as understanding what to secure (Objective A), before being able to adequately implement measures to protect it (Objective
CAF objectives
The CAF defines 4 overall security objectives and 14 cyber security & resilience principles. The objectives should be viewed as interdependent, for example, it is important to have a strong cyber governance and risk foundation, as well as understanding what to secure (Objective A), before being able to adequately implement measures to protect it (Objective B).
The CAF should also contribute to performing continual security improvement activity through the detection of incidents and events contributing to lessons learned and the continual refinement of existing security measures. CAF self-assessments should primarily be viewed as being completed on a per critical system basis.
Objectives A and D are considered to be more “organisational” focused objectives and many of the outcomes would be set consistently across the organisation, for example centrally governed process that sets the strategic direction for the design of Governance and Risk Management. However, consideration should be given to how well embedded these arrangements are at an operational systems level. Where parts of the organisation are likely to receive common responses to areas such as risk management, central security policies and incident management, it would be helpful to compile a foundational response, allowing areas in one assessment to be provided for multiple critical systems (where appropriate).
Consideration should however also be given to how effectively implemented and embedded these security principles are, at the system level. It is recognised that in larger organisations with more independent sub structures, this level of agreement may not always apply.
Generally, Objectives B and C are considered “system specific” and therefore each assessment will be based on the system in scope.
Objective A: Managing Security Risk
Appropriate organisational structures, policies and processes are in place to understand, assess and systematically manage security risks
Security Principles:
- A1. Governance
- A2. Risk Management
- A3. Asset Management
- A4. Supply Chain
Objective B: Protecting against cyber attack
Proportionate security measures are in place to protect core government functions and critical systems from cyber attack.
Security Principles:
- B1. Service protection policies and processes
- B2. Identity and access control
- B3. Data Security
- B4. System Security
- B5. Resilient networks and systems
- B6. Staff awareness
Objective C: Detecting cyber security events
Capabilities to ensure security defences remain effective and to detect cyber security events affecting or with the potential to affect core government functions.
Security Principles:
- C1. Security Monitoring
- C2. Proactive security event discovery
Objective D: Minimising the impact of cyber security incidents
Appropriate organisational structure, policies and processes are in place to understand, assess and systematically manage security risks.
Security Principles:
- D1. Response and recovery planning
- D2. Lessons learned
CAF Principles
The CAF cyber security & resilience principles define a set of high-level outcomes that, collectively, describe good cyber security for organisations delivering essential services and contribute to GovAssure compliance.
For example, in NCSC’s CAF, ‘Data Security’ and ‘System Security’ are important outcomes of Objective B – being two elements, among others, that contribute to the overall objective of protecting against cyber-attack.
Each principle is accompanied by a narrative which provides more detail, including why the principle is important.
For example, under Objective B: Protecting against cyber-attack > Principle B3: Data Security:
“Data stored or transmitted electronically is protected from actions such as unauthorised access, modification, or deletion that may cause an adverse impact on essential functions. Such protection extends to the means by which authorised users, devices and systems access critical data necessary for the operation of essential functions. It also covers information that would assist an attacker, such as design details of networks and information systems”.
Organisations completing the CAF should understand the principles and why they are important and interpret these when approaching the self-assessment. You are not required to assess against the overarching CAF principles and this is reflected within WebCAF. Each principle includes a hyperlink to the Government Cyber Security Policy Handbook for further guidance.
CAF Contributing outcomes
Each of the four objectives and 14 security principles are supported by a series of 39 contributing outcomes.
A contributing outcome supports the achievement of security outcomes and represents specific requirements to mitigate cyber risks faced by government organisations. As an example, the contributing outcome of ‘understanding data’ supports the principle for ‘B3: Data Security’. Each contributing outcome is accompanied by a narrative which provides more detail.
For example, under Objective B: Protecting against cyber-attack > Principle B3: Data Security > Contributing outcome: B3.a Understanding Data:
“You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions”.
Contributing outcomes are described and assessed as “not achieved”, “achieved”, or for some contributing outcomes, “partially achieved”. Each of these have Indicators of Good Practice (IGPs) which provide descriptors for each level. “Partially achieved” and “achieved” represent different levels of control and for the Government Profiles, some outcomes require the “partially achieved” description as the required level of resilience. Organisations should assess the security posture and demonstrate that they are using appropriate and proportionate security measures in relation to the contributing outcomes, aligned with the IGPs. Organisations are not expected to have the controls described as “achieved” for every outcome, as this would involve costly and disproportionate effort over and above the risk faced by the system. This is why the ‘Government CAF Profiles’ are important as they set the bar for the required resilience for Government systems in each area.
CAF Contributing outcomes and the target Government CAF profile
The Baseline and Enhanced profiles provide a view of the target state for each contributing outcome and support the principle of tailoring security strategies to the magnitude of the risks. When completing the CAF self-assessment, it is good to have a view of the target you are looking to meet, but it is possible to exceed the target state.
The Government CAF profiles are aligned to whole systems and the profiles contain the targeted achievement status at a contributing outcome level. For example, in the example below, for the Governance principle, it is expected that under the Baseline Profile organisations should be working towards an ‘achieved’ status for the contributing outcomes of Board Direction, Roles and Responsibilities, Decision Making, Assurance and Asset Management. For the contributing outcomes of Risk Management Process and Supply Chain, organisations are expected to have a partially achieved status.
The independent assurance reviewer will provide an assessment of the self-assessed position compared to the target profile. It is important to be mindful of the target profile when working through the contributing outcomes. As an organisation that your approach to completing the CAF should also focus on the target profile, so for example where a contributing outcome has a target of ‘partially achieved’, you may choose to review the ‘not achieved’ and ‘partially achieved’ rather than seeking evidence to demonstrate achievement over and above the target profile – it is possible to exceed the target.