The UK’s National Cyber Security Centre (NCSC) has rolled out a series of updates to its Cyber Assessment Framework (CAF) aimed at assisting operators of Britain’s critical national infrastructure (CNI) in better managing their security risk profiles.
The enhancements, which take CAF to version 4.0, place greater emphasis on several areas of cyber risk management – including expanded coverage of AI-related risk – and mark the first update to CAF since April 2024, according the NCSC.
In the intervening months, adoption of the framework has expanded widely – it is now in use by nearly all UK bodies with cyber regulatory powers, as well as GovAssure, the assurance scheme that assesses CNI resilience in the UK.
“At the same time, the cyber threat to the UK’s CNI has continued to increase. Keeping pace with the evolution of attack methods is essential to close the widening gap between the escalated cyber threats to critical services, and our collective ability to defend against them,” an NCSC spokesperson wrote.
CAF 4.0 comprises four key enhancements. Firstly, the NCSC has added a new section on the importance of improving understanding of cyber criminal and threat actor methods and motivations in order to help organisations make better cyber risk decisions.
A second new section covers the increasingly important topic of ensuring that software products used within essential services are not only developed with a security-first mindset, but properly maintained as well.
Thirdly, the NCSC has updated sections of the CAF framework related to continuous security monitoring and threat hunting, in order to help organisations improve how they detect threats and move to mitigate them.
Finally, the national cyber authority has enhanced its coverage of AI-related cyber risks, scattered throughout the wider framework.
What is the CAF for?
The CAF was originally developed to help operators of CNI and other essential public services achieve and demonstrate appropriate cyber resilience as they navigate today’s dangerous and dynamic threat landscape.
Organisations that should be incorporating the CAF into their risk management profiles includes those operating in the energy, healthcare, transport, digital infrastructure and local and central government.
Cyber attacks against such organisations and those they work with can – and have – caused significant impacts to daily life in the UK. In the summer of 2024, for example, NHS services in South London were significantly disrupted by a ransomware attack on Synnovis, a supplier of pathology lab services. Other high-profile incidents, perhaps most famously included Colonial Pipeline cyber attack in 2021, which disrupted fuel supplies in the US.
The CAF serves as a stepping stone to helping such bodies meet often complex legal and regulatory requirements – NIS for example – by delivering a comprehensive framework that demonstrates how well organisations meet their mandated cyber outcomes.
The lastest round of updates was produced in collaboration with cyber regulators and other oversight bodies. The NCSC said their feedback throughout the process had been very helpful.
The NCSC will now look to the CAF’s next, fifth iteration, which is likely to have to account for new provisions that will be established in the Cyber Security and Resilience Bill, likely to be laid before parliament before the year is out.
These provisions may well include legal mandates that forbid operators of CNI from paying off cyber criminal ransomware gangs, and compulsory reporting mechanisms.
