
Cyber Assessment Framework V3.2 – Record of Changes

Version as of 15th April 2024

© Crown Copyright 2024


In the Record of Changes table below, amendments to the CAF are referenced by Contributing Outcome (CO) and Indicator of Good Practice (IGP) numbering. For example, in the first row under Contributing Outcome the reference is ‘A1.a A#2’. This means Contributing Outcome ‘A1.a’, followed by ‘A’ for the ‘Achieved’ IGP column, followed by ‘#2’ for the second IGP. In the same way, PA in other rows means ‘Partially Achieved’ and NA means ‘Not Achieved’ at the IGP level.

Record of Changes (columns: Identifier; Contributing Outcome; Changed From; Changed To)

Identifier: ID_54
Contributing Outcome: A1.a A#2
Changed From: Regular board discussions on the security of network and information systems supporting the operation of your essential function take place, based on timely and accurate information and informed by expert guidance.
Changed To: Regular board-level discussions on the security of network and information systems supporting the operation of your essential function(s) take place, based on timely and accurate information and informed by expert guidance.

Identifier: ID_54
Contributing Outcome: A1.a A#4
Changed From: Direction set at board level is translated into effective organisational practices that direct and control the security of the networks and information systems supporting your essential function.
Changed To: Direction set at board-level is translated into effective organisational practices that direct and control the security of the network and information systems supporting your essential function(s).

Identifier: ID_06
Contributing Outcome: A1.b A#1
Changed From: Necessary roles and responsibilities for the security of networks and information systems supporting your essential function have been identified. These are reviewed periodically to ensure they remain fit for purpose.
Changed To: Key roles and responsibilities for the security of network and information systems supporting your essential function(s) have been identified. These are reviewed regularly to ensure they remain fit for purpose.

Identifier: ID_108
Contributing Outcome: A1.c A#4
Changed From: Risk management decisions are periodically reviewed to ensure their continued relevance and validity.
Changed To: Risk management decisions are regularly reviewed to ensure their continued relevance and validity.

Identifier: ID_108
Contributing Outcome: A2.a A#8
Changed From: The effectiveness of your risk management process is reviewed periodically, and improvements made as required.
Changed To: The effectiveness of your risk management process is reviewed regularly, and improvements made as required.

Identifier: ID_109
Contributing Outcome: A2.a NA#3
Changed From: Risk assessments for critical systems are a "one-off" activity or not done at all.
Changed To: Risk assessments for network and information systems supporting your essential function(s) are a "one-off" activity or not done at all.

Identifier: ID_26
Contributing Outcome: A3.a A#4
Changed From: You have assigned responsibility for managing physical assets.
Changed To: You have assigned responsibility for managing all assets, including physical assets, relevant to the operation of the essential function(s).

Identifier: Aligning language in Terms and Definitions document
Contributing Outcome: A3.a NA#3
Changed From: Information assets, which could include personally identifiable information or other sensitive information, are stored for long periods of time with no clear business need or retention policy.
Changed To: Information assets, which could include personally identifiable information and / or important / critical data, are stored for long periods of time with no clear business need or retention policy.

Identifier: ID_276
Contributing Outcome: A4.a A#5
Changed From: Customer / supplier ownership of responsibilities are laid out in contracts.
Changed To: Customer / supplier ownership of responsibilities is laid out in contracts.

Identifier: ID_45
Contributing Outcome: All applicable CO and IGP references
Changed From: References to either ‘essential function’ and ‘essential functions’
Changed To: Replaced with references to ‘essential function(s)’

Identifier: ID_28
Contributing Outcome: B1.a and B1.b throughout the COs
Changed From: ‘policies and processes’
Changed To: ‘policies, processes and procedures’

Identifier: ID_16
Contributing Outcome: B2.a A#4
Changed From: You use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all networks and information systems that operate or support your essential function.
Changed To: You use additional authentication mechanisms, such as multi-factor (MFA), for all user access, including remote access, to all network and information systems that operate or support your essential function(s).

Identifier: ID_16
Contributing Outcome: B2.a A#5
Changed From: Remove: You use additional authentication mechanisms, such as multi-factor (MFA), when you individually authenticate and authorise all remote user access to all your networks and information systems that support your essential function.
Changed To: (IGP removed)

Identifier: ID_10
Contributing Outcome: B2.a A#6
Changed From: (new IGP)
Changed To: Add: Your approach to authenticating users, devices and systems follows up to date best practice.

Identifier: Aligning language with NIS
Contributing Outcome: B2.a A#6 (moved to B2.a A#5)
Changed From: The list of users with access to networks and systems supporting and delivering the essential function is reviewed on a regular basis, at least every six months.
Changed To: The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least every six months.

Identifier: ID_10
Contributing Outcome: B2.a NA#5
Changed From: (new IGP)
Changed To: Add: Your approach to authenticating users, devices and systems does not follow up to date best practice.

Identifier: ID_16
Contributing Outcome: B2.a PA#4
Changed From: You use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to sensitive systems including Operational Technology where appropriate.
Changed To: You use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all network and information systems that operate or support your essential function(s).

Identifier: Aligning language with NIS
Contributing Outcome: B2.a PA#6
Changed From: The list of users and systems with access to essential function networks and systems is reviewed on a regular basis at least annually.
Changed To: The list of users and systems with access to network and information systems supporting and delivering the essential function(s) is reviewed on a regular basis, at least annually.

Identifier: ID_10
Contributing Outcome: B2.a PA#7
Changed From: (new IGP)
Changed To: Add: Your approach to authenticating users, devices and systems follows up to date best practice.

Identifier: ID_104
Contributing Outcome: B2.b A#1
Changed From: Dedicated devices are used for privileged actions (such as administration or accessing the essential function's network and information systems). These devices are not used for directly browsing the web or accessing email.
Changed To: All privileged operations performed on your network and information systems supporting your essential function(s) are conducted from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.

Identifier: ID_113
Contributing Outcome: B2.b NA#1
Changed From: Users can connect to your essential function's networks using devices that are not corporately managed.
Changed To: Users can connect to your network and information systems supporting your essential function(s) using devices that are not corporately owned and managed.

Identifier: ID_104
Contributing Outcome: B2.b NA#2
Changed From: Privileged users can perform administrative functions from devices that are not corporately managed.
Changed To: Privileged users can perform privileged operations from devices that are not corporately owned and managed.

Identifier: ID_113
Contributing Outcome: B2.b NA#4
Changed From: Physically connecting a device to your network gives that device access without device or user authentication.
Changed To: Physically connecting a device to your network and information systems gives that device access without device or user authentication.

Identifier: ID_104
Contributing Outcome: B2.b PA#2
Changed From: All privileged access occurs from corporately managed devices dedicated to management functions.
Changed To: All privileged operations are performed from corporately owned and managed devices. These devices provide sufficient separation, using a risk-based approach, from the activities of standard users.

Identifier: ID_113
Contributing Outcome: B2.b PA#5
Changed From: You are able to detect unknown devices being connected to your network and investigate such incidents.
Changed To: You are able to detect unknown devices being connected to your network and information systems and investigate such incidents.

Identifier: Aligning language with NIS
Contributing Outcome: B2.b A#2
Changed From: You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your systems, or you only allow third-party devices or networks dedicated to supporting your systems to connect.
Changed To: You either obtain independent and professional assurance of the security of third-party devices or networks before they connect to your network and information systems, or you only allow third-party devices or networks that are dedicated to supporting your network and information systems to connect.

Identifier: Aligning language with NIS
Contributing Outcome: B2.c A#1
Changed From: Privileged user access to your essential function(s) network and information systems is carried out from dedicated separate accounts that are closely monitored and managed.
Changed To: Privileged user access to network and information systems supporting your essential function(s) is carried out from dedicated separate accounts that are closely monitored and managed.

Identifier: ID_16
Contributing Outcome: B2.c A#4
Changed From: Remove: All privileged user access to your network and information systems requires strong authentication, such as multi-factor (MFA) or additional real-time security monitoring.
Changed To: (IGP removed)

Identifier: Aligning language with NIS
Contributing Outcome: B2.c NA#1
Changed From: The identities of the individuals with privileged access to your essential function(s) systems (infrastructure, platforms, software, configuration, etc) are not known or not managed.
Changed To: The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are not known or not managed.

Identifier: Aligning language with NIS
Contributing Outcome: B2.c NA#2
Changed From: Privileged user access to your essential function(s) systems is via weak authentication mechanisms (e.g. only simple passwords).
Changed To: Privileged user access to network and information systems supporting your essential function(s) is via weak authentication mechanisms (e.g. only simple passwords).

Identifier: ID_16
Contributing Outcome: B2.c PA#1
Changed From: Remove: Privileged user access requires additional validation, but this does not use a strong form of authentication (e.g. multi-factor (MFA) or additional real-time security monitoring).
Changed To: Add: All privileged user access to network and information systems supporting your essential function(s) requires strong authentication, such as multi-factor (MFA).

Identifier: Aligning language with NIS
Contributing Outcome: B2.c PA#2
Changed From: The identities of the individuals with privileged access to your essential function(s) systems (infrastructure, platforms, software, configuration, etc) are known and managed. This includes third parties.
Changed To: The identities of the individuals with privileged access to network and information systems (infrastructure, platforms, software, configuration etc) supporting your essential function(s) are known and managed. This includes third parties.

Identifier: ID_55
Contributing Outcome: B2.c PA#4
Changed From: Privileged users are only granted specific privileged permissions which are essential to their business role or function.
Changed To: Privileged users are only granted specific privileged user access rights which are essential to their business role or function.

Identifier: ID_55
Contributing Outcome: B2.d A#2
Changed From: User permissions are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals - at least annually.
Changed To: User access rights are reviewed both when people change roles via your joiners, leavers and movers process and at regular intervals - at least annually.

Identifier: ID_63
Contributing Outcome: B2.d NA#1
Changed From: Change font of the word ‘access’ in B2.d PA#1 to align with the rest of the font used in the document. The word ‘access’ deleted from website.
Changed To: Greater access rights are granted than necessary.

Identifier: ID_108
Contributing Outcome: B3.a PA#3
Changed From: You periodically review location, transmission, quantity and quality of data important to the operation of the essential function.
Changed To: You regularly review location, transmission, quantity and quality of data important to the operation of the essential function(s).

Identifier: ID_17
Contributing Outcome: B3.a PA#5
Changed From: You understand and document the impact on your essential function of all relevant scenarios, including unauthorised access, modification or deletion, or when authorised users are unable to appropriately access this data.
Changed To: You understand and document the impact on your essential function(s) of all relevant scenarios, including unauthorised data access, modification or deletion, or when authorised users are unable to appropriately access this data.

Identifier: ID_15
Contributing Outcome: B3.c A#1
Changed From: You have only necessary copies of this data. Where data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy.
Changed To: All copies of data important to the operation of your essential function are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy.

Identifier: ID_09
Contributing Outcome: B3.c A#2
Changed From: You have applied suitable physical or technical means to protect this important stored data from unauthorised access, modification or deletion.
Changed To: You have applied suitable physical and / or technical means to protect this important stored data from unauthorised access, modification or deletion.

Identifier: ID_110
Contributing Outcome: B3.d PA#2
Changed From: Data important to the operation of the critical system is only stored on mobile devices with at least equivalent security standard to your organisation.
Changed To: Data important to the operation of the essential function(s) is stored on mobile devices only when they have at least the security standard aligned to your overarching security policies.

Identifier: ID_98
Contributing Outcome: B4.a A#2
Changed From: Your networks and information systems are segregated into appropriate security zones, e.g. operational systems for the essential function are segregated in a highly trusted, more secure zone.
Changed To: Your network and information systems are segregated into appropriate security zones (e.g. systems supporting the essential function(s) are segregated in a highly trusted, more secure zone).

Identifier: ID_98
Contributing Outcome: B4.a A#5
Changed From: Content-based attacks are mitigated for all inputs to operational systems that affect the essential function (e.g. via transformation and inspection).
Changed To: Content-based attacks are mitigated for all inputs to network and information systems that affect the essential function(s) (e.g. via transformation and inspection).

Identifier: ID_98
Contributing Outcome: B4.a NA#2
Changed From: Internet access is available from operational systems.
Changed To: Internet access is available from network and information systems supporting your essential function(s).

Identifier: Aligning language with NIS
Contributing Outcome: B4.a NA#3
Changed From: Data flows between the essential function(s)'s operational systems and other systems are complex, making it hard to discriminate between legitimate and illegitimate/malicious traffic.
Changed To: Data flows between network and information systems supporting your essential function(s) and other systems are complex, making it hard to discriminate between legitimate and illegitimate / malicious traffic.

Identifier: ID_98
Contributing Outcome: B4.a NA#4
Changed From: Remote or third party accesses circumvent some network controls to gain more direct access to operational systems of the essential function.
Changed To: Remote or third-party accesses circumvent some network controls to gain more direct access to network and information systems supporting the essential function(s).

Identifier: Aligning language with NIS
Contributing Outcome: B4.a PA#5
Changed From: All inputs to operational systems are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks.
Changed To: All inputs to network and information systems supporting your essential function(s) are checked and validated at the network boundary where possible, or additional monitoring is in place for content-based attacks.

Identifier: ID_105
Contributing Outcome: B4.b A#8
Changed From: (new IGP)
Changed To: Add: Generic, shared, default name and built in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed.

Identifier: ID_105
Contributing Outcome: B4.b NA#5
Changed From: (new IGP)
Changed To: Add: Generic, shared, default name and built-in accounts have not been removed or disabled.

Identifier: ID_105
Contributing Outcome: B4.b PA#6
Changed From: (new IGP)
Changed To: Add: Generic, shared, default name and built in accounts have been removed or disabled. Where this is not possible, credentials to these accounts have been changed.

Identifier: Aligning language with B2.b A#1
Contributing Outcome: B4.c A#1
Changed From: Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from dedicated devices that are technically segregated and secured to the same level as the networks and systems being maintained.
Changed To: Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations.

Identifier: Aligning language with B2.b NA#2
Contributing Outcome: B4.c NA#1
Changed From: Essential function(s) network and information systems are administered or maintained using non-dedicated devices.
Changed To: Your systems and devices supporting the operation of the essential function(s) are administered or maintained from devices that are not corporately owned and managed.

Identifier: Aligning language with B2.b PA#2
Contributing Outcome: B4.c PA#1
Changed From: Your systems and devices supporting the operation of the essential function are only administered or maintained by authorised privileged users from dedicated devices.
Changed To: Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from devices sufficiently separated, using a risk-based approach, from the activities of standard users.

Identifier: ID_09
Contributing Outcome: B4.c PA#3
Changed From: You prevent, detect and remove malware or unauthorised software. You use technical, procedural and physical measures as necessary.
Changed To: You prevent, detect and remove malware, and unauthorised software. You use technical, procedural and physical measures as necessary.

Identifier: ID_113
Contributing Outcome: B4.d A#2
Changed From: Announced vulnerabilities for all software packages, network equipment and operating systems used to support the operation of your essential function are tracked, prioritised and mitigated (e.g. by patching) promptly.
Changed To: Announced vulnerabilities for all software packages, network and information systems used to support your essential function(s) are tracked, prioritised and mitigated (e.g. by patching) promptly.

Identifier: ID_113
Contributing Outcome: B4.d PA#2
Changed From: Announced vulnerabilities for all software packages, network equipment and operating systems used to support your essential function(s) are tracked, prioritised and externally-exposed vulnerabilities are mitigated (e.g. by patching) promptly.
Changed To: Announced vulnerabilities for all software packages, network and information systems used to support your essential function(s) are tracked and prioritised and externally exposed vulnerabilities are mitigated (e.g. by patching) promptly.

Identifier: ID_40
Contributing Outcome: B5.a A#2
Changed From: You use your security awareness and threat intelligence sources, to make immediate and potentially temporary security changes in response to new threats, e.g. a widespread outbreak of very damaging malware.
Changed To: You use your security awareness and threat intelligence sources to identify new or heightened levels of risk, which result in immediate and potentially temporary security measures to enhance the security of your network and information systems (e.g. in response to a widespread outbreak of very damaging malware).

Identifier: ID_39
Contributing Outcome: B5.a NA#2
Changed From: You have not completed business continuity and / or disaster recovery plans for your essential function’s networks, information systems and their dependencies.
Changed To: You have not completed business continuity and disaster recovery plans for network and information systems, including their dependencies, supporting the operation of the essential function(s).

Identifier: ID_38
Contributing Outcome: B5.a NA#3
Changed From: You have not fully assessed the practical implementation of your disaster recovery plans.
Changed To: You have not fully assessed the practical implementation of your business continuity and disaster recovery plans.

Identifier: ID_53
Contributing Outcome: B5.a PA#1
Changed From: You know all networks, information systems and underlying technologies that are necessary to restore the operation of the essential function; and understand their interdependence.
Changed To: You know all network and information systems, and underlying technologies, that are necessary to restore the operation of the essential function(s) and understand their interdependence.

Identifier: ID_98
Contributing Outcome: B5.b A#1
Changed From: Operational systems that support the operation of the essential function are segregated from other business and external systems by appropriate technical and physical means, e.g. separate network and system infrastructure with independent user administration. Internet services are not accessible from operational systems.
Changed To: Network and information systems supporting the operation of your essential function(s) are segregated from other business and external systems by appropriate technical and physical means (e.g. separate network and system infrastructure with independent user administration). Internet services are not accessible from network and information systems supporting the essential function(s).

Identifier: ID_98
Contributing Outcome: B5.b NA#1
Changed From: Operational networks and systems are not appropriately segregated.
Changed To: Network and information systems supporting the operation of your essential function(s) are not appropriately segregated.

Identifier: ID_42
Contributing Outcome: B5.b NA#2
Changed From: Internet services, such as browsing and email, are accessible from essential operational systems supporting the essential function.
Changed To: Internet services, such as browsing and email, are accessible from network and information systems supporting the essential function(s).

Identifier: ID_98
Contributing Outcome: B5.b PA#1
Changed From: Operational systems that support the operation of the essential function are logically separated from your business systems, e.g. they reside on the same network as the rest of the organisation, but within a DMZ. Internet access is not available from operational systems.
Changed To: Network and information systems supporting the operation of your essential function(s) are logically separated from your business systems (e.g. they reside on the same network as the rest of the organisation but within a DMZ). Internet services are not accessible from network and information systems supporting the essential function(s).

Identifier: ID_64 (PDF version)
Contributing Outcome: B5.c CO
Changed From: You hold accessible and secured current backups of data and information needed to recover operation of your essential function
Changed To: You hold accessible and secured current backups of data and information needed to recover operation of your essential function(s).

Identifier: ID_43
Contributing Outcome: B5.c NA#2
Changed From: Backups are not frequent enough for the operation of your essential function to be restored within a suitable time-frame.
Changed To: Backups are not frequent enough for the operation of your essential function(s) to be restored effectively. Your restoration process does not restore your essential function(s) in a suitable time frame.

Identifier: Updating terms
Contributing Outcome: Principle C1 Security Monitoring
Changed From: Remove ‘logging data’ where appropriate.
Changed To: Use ‘log data’ where appropriate.

Identifier: ID_101
Contributing Outcome: C1.b PA#2
Changed From: Privileged users can view logging information.
Changed To: Authorised users and systems can appropriately access log data.

Identifier: ID_20
Contributing Outcome: D1.a A#3
Changed From: Your incident response plan is documented and integrated with wider organisational business and supply chain response plans.
Changed To: Your incident response plan is documented and integrated with wider organisational business plans and supply chain response plans, as well as dependencies on supporting infrastructure (e.g. power, cooling etc).

Identifier: ID_65 (PDF version)
Contributing Outcome: D1.a PA#4
Changed From: Your incident response plan is documented and shared with all relevant stakeholders
Changed To: Your incident response plan is documented and shared with all relevant stakeholders.
