What is The Cyber Assessment Framework (NCSC CAF)?
The Cyber Assessment Framework (CAF or NCSC CAF) has been introduced as a standard by the government to protect the UK against cyber threats that can fundamentally disrupt the critical infrastructure of our society. This article outlines the challenges posed to the UK’s essential services from cyber threats, the purpose of NCSC CAF, and the required NCSC CAF Policies and Procedures.
NCSC CAF Essential Services
The NCSC CAF framework has been developed over time as protection for essential services such as:
- National and Local Governments
- Water
- Aviation
- Oil and Gas
- Energy
- The National Health Service
- Infrastructure
- Banking and Finance
The above list is not exhaustive. Many other Operators of Essential Services (OES) operate wholly or partly in areas where a cyber attack, a ransom demand or an act of cyber warfare would have catastrophic consequences for society.
Cyber Attacks on Key Infrastructure
To illustrate, earlier examples of cyber terrorism include the 2017 WannaCry ransomware outbreak and the attacks on Ukraine's national grid and on Israeli water infrastructure. In 2022 alone, notable cyber attacks on OES around the world included:
- An outage due to a cyber attack at the Greek gas distributor DESFA.
- Russian hackers breached South Staffordshire Water in a blackmail attempt.
- A breach of Montenegro’s government institutions.
- Killnet attacked Lithuania’s state-owned energy provider.
- The FBI and NSA stated major USA telecommunications companies and network service providers had been part of an ongoing attack and breaches since 2020.
- Hackers shut down Iranian steel companies.
As a result, by rolling out CAF, the government has set out a series of principles that every critical service should adhere to in its IT operations.
Aligning NCSC CAF to International IT Security Standards
CAF aligns preventative cyber security measures with existing international information security frameworks, enabling organisations to be aware of and fill gaps in their standards and procedures. Over time, adopting CAF security principles as the standard in all vital services will increase the nation’s resilience against ever-growing cyber attacks. Therefore, demonstrating that your organisation aligns with CAF shows that you have cyber protection controls in place for areas of your organisation that are essential in maintaining economic and societal continuity.
Who Has Oversight of NCSC CAF?
The implementation of the EU Security of Networks and Information Systems (NIS) Directive in May 2018 required Competent Authorities (CAs) to be able to assess the cyber security of Operators of Essential Services. NCSC CAF was further developed for the UK after the UK left the EU and is now fully managed by the NCSC (National Cyber Security Centre). The NCSC sits between UK industry and government, providing advice, guidance and support on cyber security, including the management of cyber security incidents. The Government Communications Headquarters (GCHQ) oversees the NCSC and works with and is responsible to, but is not directly accountable to, the Foreign, Commonwealth & Development Office and, therefore, the Foreign Secretary.
What are the CAF Framework Principles?
The CAF framework in its entirety, and at its lower levels of detail, is best consumed by IT professionals and consultants. At the top level, however, it consists of four key Objective Areas, covering a total of 14 security principles:
- Objective A: Managing Security Risk
- Objective B: Protecting Against Cyber Attack
- Objective C: Detecting Cyber Security Events
- Objective D: Minimising the Impact of Cyber Security Incidents
What are the NCSC CAF Policies and Procedures Requirements?
The NCSC states that an OES organisation's policy and procedure requirements are "dependent on its function and should integrate with the organisations' approach to governance and risk", and that:
Organisations responsible for essential functions should have a range of policies and processes, including:
- An organisational security or service protection policy: endorsed by senior management, this high-level policy should include the organisation's overarching approach to governing security and managing risks, the organisation's aims and intents for security, and what is of key concern.
- Supporting policies and processes: contextual lower-level definitions, and specific policies and processes appropriate to the compliance regime; these may be defined by the relevant regulation, standard, etc. For example, to comply with ISO/IEC 27001, organisations should have in place certain security policies and procedures relevant to what the organisation does.
NCSC CAF Policies and Procedures List
As a result, we have interpreted the key policy and procedure documents required as being both top-level (for example, Group IT Policy, Information Security Controls, Data Security) and lower-level, more detailed policies and procedures. We believe the following list captures the CAF policy and procedure requirements:
- Acceptable Use Policies – Email and Internet
- Clean Desk and Screen Policy
- Document/Data Classification Policy
- Asset Management and Disposal Policy
- Social Media/Internet Use Policy
- Information Security Policy
- Password Management Policy
- Change Policy
- Cryptographic Controls Policy
- Removable Media Policy
- Business Continuity and Disaster Recovery Policy and Procedures
- Mobile Devices and Remote Working Policy
- Access Controls Policy
How Do NCSC CAF Policies Map to the Framework Principles and International IT Security Standards?
The table below illustrates how the 14 Framework Principles can map to international IT Security Standards (such as ISO 27001) and which policies and procedures are pertinent to each principle.
NCSC CAF Principles, InfoSec Standards and Relevant Policies
Principle | Standards | Relevant Policies and Procedures
---|---|---
A.1 Governance | ISO/IEC 27001:2017, ISO/IEC 27002:2013, ISA/IEC 62443-2-1, NIST SP800-53, NIST SP800-82, EUROCAE ED-204 | IT Security Policy/Group IT Security Policy
A.2 Risk Management | N/A | N/A
A.3 Asset Management | ISO/IEC 55001:2019, ISO/IEC 27002:2013, ISA 62443-1-1, NIST SP800-82, NIST SP800-53 | Asset Management and Disposal Policy, Asset Register
A.4 Supply Chain | N/A | N/A
B.1 Service Protection Policies and Procedures | ISO/IEC 27001:2017, ISO/IEC 27002:2013, ISO/IEC 22301:2019, ISA/IEC 62443-1-1, NIST SP800-53, NIST SP800-82 | Physical Security Policy, Change Management Policy, Acceptable Use Policies – Email and Internet Policy, Social Media/Internet Use Policy, Removable Media Policy
B.2 Identity and Access Control | ISO/IEC 27001:2019, ISO/IEC 27002:2013, NIST SP800-53, NIST SP800-82, EUROCAE ED204, CyBOK Authentication, Authorisation and Accountability Knowledge Base | Asset Register, Mobile Devices and Remote Working Policy, Physical Security Policy, Access Control Policy, JML Policy
B.3 Data Security | ISO/IEC 27002:2013, ISA/IEC 62443-1-1, ISA/IEC 62443-2-1, ISA/IEC 62443-3-3, NIST SP800-53, NIST SP800-82, EUROCAE ED204 & ED205 | Cryptographic Controls Policy, Removable Media Policy, Access Control Policy, Document/Data Classification Policy, Information Security Policy (including retention and Subject Access Requests)
B.4 System Security | ISO/IEC 27002:2013, ISA/IEC 62443-1-1, ISA/IEC 62443-2-1, ISA/IEC 62443-3-3, NIST SP800-53, NIST SP800-82, EUROCAE ED202A, ED203A, ED204 & ED205 | IT Security Policy (patching/vulnerability management and so forth)
B.5 Resilient Networks and Systems | ISO/IEC 27002:2013, ISO/IEC 27035-3, ISA/IEC 62443-1-1, NIST SP800-53, NIST SP800-82 | Business Continuity and Disaster Recovery Policy and Procedures
B.6 Staff Awareness and Training | NCSC 10 Steps: User Education and Awareness, ISO/IEC 27001:2019, ISO/IEC 27002:2013, ISA/IEC 62443-2-1, NIST SP800-53, NIST SP800-82 | All policies
C.1 Security Monitoring | NCSC Introduction to Logging for Security Purposes, NCSC 10 Steps: Monitoring, CREST Cyber Security Monitoring Guide, ISO/IEC 27002:2019, ISO/IEC 27002:2013, ISO/IEC 27035:1-3, ISA/IEC 62443-2-1, NIST SP800-53, NIST SP800-82, NIST SP800-94 | IT Security Policy
C.2 Anomaly Detection | ISO/IEC 27001:2019, ISO/IEC 27002:2013, ISO/IEC 27035-3, ISA/IEC 62443-2-1, NIST SP800-53 | IT Security Policy, Incident Management Policy
D.1 Response and Recovery Planning | NCSC 10 Steps: Incident Management, ISO/IEC 27035 (all), ISO/IEC 22301:2019, ISO/IEC 27002:2013, NIST SP800-61, NIST SP800-53, NIST SP800-82, EUROCAE ED204 | Incident Management Policy
D.2 Improvements | NCSC 10 Steps: Incident Management, ENISA Good Practice Guide for Incident Management, ISO/IEC 27035:2-3, ISO/IEC 22301:2019, ISO/IEC 27001:2019, ISO/IEC 27002:2013, NIST SP800-61, NIST SP800-53 | Incident Management Policy
How Does the NCSC Monitor CAF Compliance?
Random audits of OES by accredited bodies assess organisations against the indicators of good practice (IGPs). Consequently, if an organisation has not applied sufficient controls to adhere to the principles, it will be expected to bring itself into compliance within a specified timeframe.
How We Can Help With NCSC CAF Policies and Procedures
We work with Government Bodies, Local Authorities and OES, private companies, non-profits, and NGOs to align their policies and procedures with CAF and Information Security best practices. Please complete the enquiry form below if you would like more information. You may also be interested in our article on Cyber Essentials.