Cyber Assessment Framework 3.2

In the two years since the last version of the NCSC Cyber Assessment Framework (CAF) was published, its application has gone well beyond the original regulatory context. During this time, we have also seen an increase in the cyber threat to critical national infrastructure (CNI).

Both these developments have been major drivers behind the decision to update the CAF.

Following analysis of various cyber attacks affecting CNI organisations across the world, we have made significant changes to sections of the CAF covering remote access, privileged operations, user access levels and the use of multi-factor authentication (all of which are covered in Principle B2a and B2c).

Readers who are familiar with the guidance will be aware that the CAF principles, outcomes and ‘indicators of good practice’ (IGPs) are interdependent, meaning that when an IGP changes, we need to consider how this affects other areas of the CAF. We have also improved CAF alignment with Cyber Essentials (CE) and, where appropriate, have mirrored some of the CE requirements while ensuring the existing outcome-focussed approach of the CAF is retained.

This revision has again been completed in full consultation with NIS regulators and other interested parties. All feedback was carefully considered, and it was encouraging to read the number of responses. As a result, we have revised the pages to improve navigation across the CAF collection, and consolidated references to both internal NCSC and wider external guidance.

Even though this version of the CAF is ‘hot off the press’, we continue to plan for future iterations. In particular, we are committed to ensuring that CAF development fully reflects changes to cyber resilience regulation (such as the government’s proposal to expand the scope of NIS regulation to include digital managed service providers).

Another development with possible significant implications is the increased use of artificial intelligence (AI) technologies. Some limited aspects of AI-related cyber risk are currently reflected in the sections covering ‘automated functions’ and ‘automated decision-making technologies’ and we will be considering the impact of AI in more detail as part of future iterations of the CAF.

As always, let us know if you have any feedback that might help us to improve our guidance.

Jason G
NCSC Support to Regulation

Original Source: ncsc[.]gov[.]uk
