The National Cyber Security Centre’s Cyber Assessment Framework is designed to provide guidelines for an organisation to assess and improve their cybersecurity posture.
Let’s start off with some important definitions before we get into anything specific:
- A framework is a set of guidelines or best practices that organisations can follow to achieve specific objectives.
An example of a framework is NIST’s zero trust
- A standard comprises specific, formal requirements developed by standardisation bodies.
For information security management systems, ISO 27001 is the international standard.
The difference:
A framework is a flexible guide or structure that people can follow to help build or improve policies or processes. They’re broad and can be adapted.
A standard, on the other hand, is a specific set of formalised requirements. They typically provide clear criteria for how to meet them.
- A guideline is a recommendation or best practice but they are not mandatory.
They’re intended to steer organisations in a certain direction. They’re flexible and adaptable.
- A regulation is a rule established by government bodies or agencies that is legally enforceable.
Organisations that do not comply with these regulations can face legal penalties. An example of a regulation is GDPR (General Data Protection Regulation).
- Compliance refers to the state of being in accordance with guidelines, specifications, or legislation.
- Certification involves verifying that criteria have been met, usually by an accredited body.
ISO/IEC 27001 is also a certification that demonstrates compliance with the standard.
This “moment in time” nature of certification is the problem with accreditation bodies.
- Accreditation is a process that recognises an organisation as competent in performing a task.
But it’s more about the competence, authority or credibility of the assessor - for example a degree from a prestigious university, or a certificate from an important company that has verified competence.
The Government or the certification body is the accreditor, who certifies compliance.
- Assurance refers to the confidence or guarantee that systems and data are protected against specific threats and vulnerabilities.
It aims to provide stakeholders with confidence, and is often tied to risk assessments, testing and compliance checks.
How does assurance compare to accreditation?
Assurance allows for more dynamic and ongoing evaluation of security measures against emerging threats and vulnerabilities.
It generally focuses more on outcomes and effectiveness rather than just compliance with procedures: it tests whether something in place is actually working as intended, rather than just “do they have X in place? OK, then tick”.
Instead of being re-evaluated every 2 years to remain compliant with an accreditation, assurance might involve ongoing activities like real-time monitoring and incident response.
The effectiveness and swiftness of an organisation’s response can impact the level of assurance it is able to maintain.
If a sudden weakness is revealed then a business’s assurance status may be suspended.
Let’s loop back to the CAF. It’s a framework made by the NCSC, designed to provide guidelines for organisations to assess and improve their cybersecurity posture.
Purpose and Scope: Organisations involved with UK critical national infrastructure.
Provides structure to evaluate and improve.
The CAF outlines a set of cyber security principles and “Indicators of Good Practice” (IGPs), a set of specific outcomes that should be achieved, and how to achieve these outcomes.
IGPs cover:
- Managing Security Risk
- Protecting against attack - this objective has the most principles
- Detecting incidents
- Minimising the impact of incidents
These are OBJECTIVES, and each one contains several principles, totalling 14.
There are two profiles in the CAF: Baseline and Enhanced.
- Baseline represents a foundational level of cybersecurity practices.
- Enhanced is more comprehensive and is intended for organisations that consider themselves at higher risk, but it’s up to the company to decide what is best for them.
Again, it’s a self-assessment tool.
It’s not a certification scheme.
Even though it’s targeted at essential services it’s really broad enough for anyone to use.
It’s not meant to be rule-based or applied like a checklist.
Where IGPs are not being met, organisations can implement alternative controls or methods if they want to.
GovAssure
This is a new cyber security assurance approach for the UK government. Its purpose is to provide an objective understanding of government cybersecurity.
GovAssure leverages the structure and principles of the CAF to create a standard approach to cyber resilience (I like that word, resilience), which is really what the CAF does anyway.
It has already replaced (as of mid-2023) the cyber element of the Departmental Security Health Check (DSHC).
It aligns with the revised 007 Security Functional Standard.
Key aspects:
- Through GovAssure, government departments are expected to assess their cyber security maturity against the CAF principles.
- The target audience is systems classified as OFFICIAL, not SECRET (as yet).
- Targeted at Critical National Infrastructure (CNI), to bring government entities under a common cyber assurance process.
- Organisations will assess critical systems against a CAF profile: Baseline or Enhanced.
- Organisations must document their systems and identify system owners, using a Responsible, Accountable, Support, Consulted, and Informed (RASCI) template.
- Lots of people are involved with GovAssure, not just the CISO or Cyber Security Managers.
GovAssure has 5 main stages:
Stage 1: Organisational context and services
Stage 2: In-scope systems and assignment to the Government CAF profile (baseline or enhanced)
Stage 3: CAF self-assessment
Stage 4: Independent assurance review
Stage 5: Final assessment and targeted improvement plan
The CAF provides 14 cyber principles covering best practices and guidelines for cyber security and resilience.
Extra points:
- GovAssure is still new; as it matures, alignment might become mandatory for future government contracts, and the scheme itself is expected to evolve.
- Being a CAF subject matter expert will enhance the credibility of a supplier with government CNI organisations.
- Suppliers of network and information systems to the government will be expected to align their solutions and services with the CAF principles (for GovAssure).
Stage 1: Organisational context and services
This stage is for understanding the organisation's context, essential services, and mission.
- Strategic context
- Identification of essential services
- Completion of the GovAssure Scoping Document
The expectation is to select a representative number of systems each year, which implies an annual review and prioritisation process.
Stage 2: In-scope Systems and Assignment to the Government CAF Profile
This stage is for identifying critical systems and assigning them to the appropriate CAF profile (Baseline or Enhanced).
- Identify Critical Systems
- System boundaries
- Determining the right CAF profile
Stage 3: CAF Self-Assessment
This stage is for conducting a self-assessment against the CAF guidance documentation for each critical system.
- Completing the self-assessment is the main part of this stage
- Providing Indicators of Good Practice (IGP) evidence
Stage 4: Independent Assurance Review
As the title suggests, this is where a third-party company comes in to review and verify that the self-assessment is correct.
Stage 5: Final Assessment and Targeted Improvement Plan
This stage produces a final report with observations, recommendations, and assessment against the target CAF profile.
- Development of a final report.
- Creation of targeted improvement plans.
Again, GovAssure is designed to be a continuous process, not a one-time assessment, so even after completing Stage 5, departments are expected to continually monitor, review and improve their cybersecurity.
The purpose of GovAssure is to ensure continuous improvement and adaptation to the evolving cybersecurity landscape.
GovAssure emphasises regular self-assessment, independent verification, and the implementation of improvement plans, rather than the attainment of a static certification status.
Even though there is no certification, bodies that are compliant should be able to make this information public.
What’s the difference between CAF and GovAssure?
- Organisations under GovAssure use the CAF to conduct self-assessments of their cybersecurity practices.
- There are still other stages of GovAssure that need to be completed, like the independent assurance review, a targeted improvement plan, and a final assessment.
Summary
- CAF (Cyber Assessment Framework):
  - A framework developed by the UK's National Cyber Security Centre (NCSC).
  - Offers a structured approach to assessing cybersecurity risks and controls.
  - Includes two profiles: Baseline and Enhanced, catering to different levels of cyber risk and maturity.
- GovAssure:
  - A new cybersecurity assurance scheme for UK government organisations, particularly those involved in Critical National Infrastructure (CNI).
  - Designed to support the objectives of the Government Cyber Security Strategy (GCSS).
  - Replaces the cyber element of the Departmental Security Health Check (DSHC) and moves away from the Minimum Cyber Security Standards (MCSS).
  - Focuses on continuous improvement in cybersecurity.
  - Consists of a five-stage process: Organisational context and services, In-scope systems and CAF profile assignment, CAF self-assessment, Independent assurance review, and Final assessment with targeted improvement plans.
  - Emphasises self-assessment and independent verification rather than a one-time certification.
- Who It's For:
  - Aimed at government organisations and departments.
  - Particularly relevant for those handling critical national infrastructure and sensitive data.
- Steps to Achieve Compliance:
  - Organisations undergo a comprehensive process, starting from understanding their context and essential services, through assessing their cyber risks and controls, to independent verification and continual improvement planning.
- Benefits and Significance:
  - Enhances cybersecurity resilience and risk management.
  - Encourages a proactive, continuous approach to cybersecurity, aligning with modern threats and practices.
  - Provides a framework for organisations to measure and improve their cybersecurity posture systematically.
I’m not sure how, but organisations should have to show evidence of implementing suggested improvements, or set a schedule for doing regular self-assessments / independent validation.
Glossary of terms:
- NCSC: National Cyber Security Centre, a UK government organisation that provides guidance on cybersecurity.
- CAF: Cyber Assessment Framework, a set of guidelines to help organisations assess and improve their cybersecurity measures.
- GovAssure: A cybersecurity assurance approach specifically for UK government departments, based on CAF.