Using WebCAF for the self-assessment
WebCAF is the secure security.gov.uk hosted web portal solution that organisations will use to record and submit their CAF self-assessment. Third-party reviewers will review organisations self-assessments via WebCAF.
What is WebCAF?
WebCAF has been designed to present each contributing outcome clearly and logically. For each contributing outcome you can record a high-level statement, and for each of the corresponding grouped indicators of good practice (IGPs) you select from a drop-down whether the statement applies, using ‘yes’, ‘no’ or ‘not applicable’. The IGP statements support the overarching contributing outcomes.
Assessors and other reviewers will use this information to understand what the organisation is doing well at the contributing outcome and IGP level, as well as where improvements can be made.
WebCAF access is determined by organisations and allows for multi-authoring across different roles and privileges within the organisation and across self-assessments. Access can be restricted so that it is granted on an ‘as needed’ basis.
If you are familiar with NCSC’s CAF, you may find that the presentation used and some of the wording is different in WebCAF, but the principles, interpretation and application of the CAF remain the same. In terms of presentation, some IGPs have been grouped to make it easier to comment against similar indicators.
WebCAF Roles and responsibilities
WebCAF supports a number of different roles and responsibilities to allow for collaborative working, with customisable permissions to restrict access to individual system assessments as required and to grant either edit access or a ‘read only’ view. A WebCAF Organisation Lead will need to be nominated for your organisation; they will be responsible for configuring access and permissions for your organisation.
There are three categories of user profiles, and they are organised as follows:
Organisation level users – these users are able to access the full view of the organisation, including all systems and related assessments:
- Lead
- User (edit access)
- Viewer (read only access)
System level users – these users can only access the systems and related assessments to which they are granted access:
- User (edit access)
- Viewer (read only access)
Assessors – these are the independent assurance reviewers, and they can access the assessments to which your organisation grants access.
Conducting a WebCAF self-assessment
Once logged into WebCAF you will be presented with the dashboard. Click on the assessment button to go to the assessment view, where you can see all the current assessments for your organisation. Click on the assessment that you wish to start and you will then be presented with the four CAF objectives (Objective A – Managing Security Risk, Objective B – Protecting against cyber attack, Objective C – Detecting cyber security events, Objective D – Minimising the impact of cyber security incidents). You can expand each objective to view the Contributing Outcomes, which have been grouped by their relevant principle, together with progress against each. It will also show the government CAF profile which the system is being assessed against. Click on a Contributing Outcome to be taken to the next screen, which will provide the Contributing Outcome narrative followed by the overall achievement rating and a comments box.
Organisations should consider in turn each contributing outcome statement in WebCAF and compare the contributing outcome statement with the organisation’s current practices. This will help to develop an initial view of current practices at the contributing outcome level.
This could be achieved by key individuals providing initial commentary on the practices that support the contributing outcome. Alternatively, you could ‘workshop’ the contributing outcomes to produce a ‘first pass’ high-level response that you then challenge and refine as you work through the supporting indicators of good practice (IGPs). Once you have worked through these, we recommend revisiting the overall contributing outcome narrative to provide a summary that reflects the individual IGP grouping statement narratives you will complete in the section below on WebCAF.
For each individual Stage 3 IGP statement within each group, you are required to:
- Use a drop-down selection box to identify whether the statement applies, with a response of either ‘Not applicable’, ‘Yes’ or ‘No’.
- Where there are duplicate ‘achieved’ and ‘partially achieved’ IGPs, please provide the same response for both.
For the IGP Group as a whole, you are required to:
- Provide supporting narrative within the ‘organisation comments’ box at the IGP grouping level. Where you have selected ‘Not applicable’, it is important to be able to justify this conclusion with some supporting narrative – for example, that the process does not apply to your environment, or that you have a different control.
In each IGP group there is a drop-down to ‘View, add or remove links to supporting evidence’. This is where you can reference the supporting evidence for the statements made against the IGPs.
Interpreting the IGP summary table in WebCAF
The following is a worked example to demonstrate how to interpret the IGP summary table in WebCAF, which is located on the contributing outcome page between the contributing outcome comments and the IGP groupings. The worked example looks at the IGP summary for B3.a, where the result is “partially achieved”. Below is how the conclusion was reached:
- We haven’t answered “Yes” to any of the 4 “Not Achieved” IGP statements available for this contributing outcome. This means none of the “Not Achieved” IGPs describe our organisation or system. If we had answered “Yes” to any of these statements, this would result in an overall “Not Achieved” contributing outcome status.
- We have answered “Yes” to 2 of the 9 “Achieved” IGP statements available for this contributing outcome. However, we have also said “No” to 7 of these statements, which means there are 7 “Achieved” IGPs that do not describe our organisation or system. We have not fully met the criteria for achieving an overall “Achieved” contributing outcome status.
- We have answered “Yes” to all 6 of the “Partially Achieved” IGP statements available for this contributing outcome. This means that all 6 of these IGPs describe our organisation or system. We have fully met the criteria for achieving an overall “Partially Achieved” contributing outcome status.
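The three bullets above describe one instance of a general roll-up rule: a single ‘Yes’ against any Not Achieved IGP makes the contributing outcome Not Achieved; otherwise, satisfying every Achieved IGP gives Achieved, and satisfying every Partially Achieved IGP gives Partially Achieved. The Python below is an added illustration written for this guide, not code from WebCAF or from security.gov.uk, that reproduces the B3.a summary table and applies that rule. It assumes (our assumption, not stated on this page) that an IGP answered ‘Not applicable’ is treated as neither met nor unmet, and that a contributing outcome with no Partially Achieved IGPs can only be Achieved or Not Achieved.

```python
from dataclasses import dataclass
from typing import Iterable

# Categories are the three columns of the WebCAF IGP summary table.
CATEGORIES = ("Not Achieved", "Partially Achieved", "Achieved")
ANSWERS = ("Yes", "No", "Not applicable")


@dataclass(frozen=True)
class IgpResponse:
    category: str  # which summary-table column the IGP belongs to
    answer: str    # the drop-down selection recorded against the IGP

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown IGP category: {self.category!r}")
        if self.answer not in ANSWERS:
            raise ValueError(f"unknown answer: {self.answer!r}")


def summary_counts(responses: Iterable[IgpResponse]) -> dict:
    """Rebuild the IGP summary table: per category, how many Yes/No/N/A."""
    table = {cat: {ans: 0 for ans in ANSWERS} for cat in CATEGORIES}
    for r in responses:
        table[r.category][r.answer] += 1
    return table


def _all_satisfied(responses: list, category: str) -> bool:
    """True when every IGP in the category is 'Yes'.

    Assumption: 'Not applicable' IGPs are excluded rather than counted against
    the organisation, because the page requires them to be justified in the
    narrative rather than scoring them.
    """
    relevant = [r for r in responses if r.category == category
                and r.answer != "Not applicable"]
    return all(r.answer == "Yes" for r in relevant)


def outcome_status(responses: Iterable[IgpResponse]) -> str:
    """Roll the IGP answers up to a contributing outcome status."""
    responses = list(responses)
    # Rule 1: any 'Yes' against a Not Achieved IGP is decisive.
    if any(r.category == "Not Achieved" and r.answer == "Yes" for r in responses):
        return "Not Achieved"
    # Rule 2: all Achieved IGPs satisfied.
    if _all_satisfied(responses, "Achieved"):
        return "Achieved"
    # Rule 3: all Partially Achieved IGPs satisfied, provided the outcome has some.
    has_partial = any(r.category == "Partially Achieved" for r in responses)
    if has_partial and _all_satisfied(responses, "Partially Achieved"):
        return "Partially Achieved"
    return "Not Achieved"


def build_responses(not_achieved: list, partially: list, achieved: list) -> list:
    """Convenience builder: one list of answers per category."""
    return ([IgpResponse("Not Achieved", a) for a in not_achieved]
            + [IgpResponse("Partially Achieved", a) for a in partially]
            + [IgpResponse("Achieved", a) for a in achieved])


def b3a_worked_example() -> list:
    """Constructed sample matching the B3.a figures quoted in the guide:
    4 Not Achieved IGPs all 'No', 6 Partially Achieved all 'Yes',
    9 Achieved with 2 'Yes' and 7 'No'."""
    return build_responses(
        not_achieved=["No"] * 4,
        partially=["Yes"] * 6,
        achieved=["Yes"] * 2 + ["No"] * 7,
    )


if __name__ == "__main__":
    example = b3a_worked_example()
    for cat, counts in summary_counts(example).items():
        print(f"{cat:>18}: {counts}")
    print("Contributing outcome status:", outcome_status(example))
```

Running the block prints the summary table counts for B3.a and the status “Partially Achieved”. Changing a single Not Achieved IGP to ‘Yes’ flips the result to Not Achieved regardless of the other answers, which is the point the first bullet above makes.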
Saving and submission
A number of ‘Save Progress’ buttons exist throughout the assessment detail, and we recommend that you regularly save to ensure work is not lost. When you have worked through all the IGP groups supporting a contributing outcome and are happy with the content, you can click the ‘Save and go to assessment summary’ button.
Supplementary questions
For some principles, we have included additional supplementary questions that must be completed, to provide extra data for understanding cross-government security needs. Answers to these questions are selected from drop-downs; some also include a free text field where supporting narrative is required. These will help to draw out important data to better understand key cyber security aspects.
WebCAF Privacy Notice
You can find the WebCAF Privacy Notice here.
WebCAF Data Usage Policy
You can find the WebCAF Data Usage Policy here.