Today, the NCSC is publishing an updated version of the Cyber Assessment Framework (CAF) and I thought there might be some interest in a 'behind the scenes' look at how the new version has come about.
In April this year we published the first version of the CAF as part of the NCSC’s support to the UK implementation of the EU security of Networks and Information Systems (NIS) Directive. The purpose of the NIS Directive is to improve cyber security in organisations that deliver essential services to the public, reducing the risk of a cyber attack causing disruption to energy supplies, transport, etc. The CAF provides a way for NIS regulatory bodies (known as Competent Authorities) to assess the cyber security of organisations covered by the Directive. (You can read more about the NIS Directive and the NCSC’s role here.)
The Making of CAF 2.0
Over the summer we have worked closely with a number of different organisations in the transport, energy and water sectors to test the initial version of the CAF and investigate how well it met the requirements of NIS. We did this by undertaking trial assessments with companies directly affected by NIS and gathering feedback on the results. The trial assessments were observed by the relevant Competent Authorities and were only possible because of the high level of engagement and cooperation provided to us by the companies concerned, all of whom had volunteered to take part.
We have spent the last few weeks studying the feedback, consisting of over 100 observations and suggestions for improvement. We were pleased (and relieved!) to see that the basic approach to assessment used by the CAF seemed to work well, meaning that we didn’t think we needed to make any fundamental changes. Almost all the observations and suggestions concerned the wording of individual Indicators of Good Practice (the building blocks of the CAF), and CAF 2.0 has taken the vast majority of these into account.
Since the NCSC has no regulatory role under NIS, exactly how the CAF is used (or even whether it is used) in the sectors covered by NIS is a matter for the relevant Competent Authorities. Based on current plans, we are expecting a significant number of assessments using the new version of the CAF to take place over the next 6 months or so. The NCSC will review the CAF again next summer to reflect the results of its wider use and to keep it up to date.
If you have any questions or comments, please leave them below or contact us.