NCSC CAF
the UK Cyber Assessment Framework for essential services

The NCSC Cyber Assessment Framework explained

The Cyber Assessment Framework, published by the National Cyber Security Centre, is the UK framework used to assess the cyber resilience of organisations responsible for essential services and digital infrastructure. The CAF is structured around four objectives, fourteen principles, and thirty-nine contributing outcomes, each evaluated against indicators of good practice (IGPs) that describe what the assessor expects to see. The framework is outcome based rather than control based: the contributing outcomes describe the security state the in-scope service is expected to reach, and the assessor judges whether the evidence supports that state.

The CAF is the assessment backbone underneath several UK assurance regimes. The Network and Information Systems Regulations apply CAF expectations to Operators of Essential Services and Relevant Digital Service Providers across sectors, with sector regulators inheriting and sometimes profiling the framework for their populations. GovAssure, the cross-government cyber security assurance scheme run by the Cabinet Office with NCSC technical authority, applies CAF-aligned reviews to government departments and arms-length bodies. Critical national infrastructure operators outside formal NIS designation increasingly use the CAF as a common reference framework, especially where sector regulators expect a comparable cyber assurance picture.

Who the CAF applies to and how the in-scope population is determined

The CAF in-scope population covers four broad routes. The route into the cycle determines the regulator, the cadence, and the profile (baseline or enhanced) the service is being held to. The CAF itself is technology and sector neutral; the route into it is what makes the cycle sector specific.

The four objectives, fourteen principles, and thirty-nine contributing outcomes

The CAF is built as a tree. Four objectives sit at the top, each containing principles, and each principle containing contributing outcomes. The contributing outcomes are the unit of assessment: the assessor scores each one against the indicators of good practice attached to it, and the per-outcome scores roll up into the principle and objective view. The framework is designed to be navigable end to end without secondary reference material, and the in-scope organisation is expected to follow it at the same level of granularity the assessor uses.

How contributing outcomes, IGPs, and CAF profiles interact

The mechanics of CAF scoring matter because the framework is not a binary checklist. The assessor reads the contributing outcome, weighs the IGPs underneath, and makes a judgement on Achieved, Partially Achieved, or Not Achieved against the profile (baseline or enhanced) the service is being held to. The same contributing outcome can be Achieved under a baseline profile and Partially Achieved under an enhanced profile because the IGP bar is higher; the artefact has not changed but the standard the artefact is judged against has.

The CAF assessment lifecycle in practice

A CAF cycle runs as a structured assessment, not a one-off review. The work happens in phases that build on each other, and the engagement record carries forward across cycles so the next iteration starts from the prior baseline rather than a blank page. The lifecycle below is the pattern most CAF cycles follow under both NIS-route and GovAssure-route reviews; the regulator-specific procedural detail varies by sector.

1. 1Confirm the in-scope essential service or system, the regulator or assurance route into the CAF cycle, the profile (baseline or enhanced) the service is being held to, and the assessor running the cycle.
2. 2Build the engagement record: the named accountable executive, the security function point of contact, the cycle dates, the prior CAF profile version (if any), and the artefacts already in place from earlier reviews.
3. 3Walk each contributing outcome with the IGPs in front of the team; collect evidence per IGP, identify gaps, and decide a draft Achieved, Partially Achieved, or Not Achieved per outcome with the rationale captured at the time rather than reconstructed during write-up.
4. 4Triage gaps into remediation actions with owners and deadlines; tie each action to the contributing outcome it raises against the profile so the post-cycle action register stays auditable rather than detaching from the framework.
5. 5Produce the CAF assessment report: the per-outcome scoring, the IGP-level evidence, the gap analysis, the remediation plan, and the version of CAF the cycle followed. The assessor signs the report and the in-scope organisation acknowledges acceptance.
6. 6Run the remediation work between cycles, refresh the CAF profile against the new evidence, and roll the engagement record forward so the next cycle inherits the prior IGPs, prior gaps, and prior remediation status as starting context rather than a blank page.

Where penetration testing and red team evidence land inside the CAF

Three contributing outcomes routinely consume penetration testing and adversary simulation evidence: B4 (system security), C1 (security monitoring), and C2 (proactive security event discovery). The CAF expects to see test scope, findings, remediation evidence, and retest outcomes that link back to the in-scope essential service rather than a generic test report bolted onto the submission. Holding the test record on the same workspace as the CAF engagement keeps the line between finding and contributing outcome traceable.

The wider penetration testing operating model that produces this evidence is covered in the penetration testing workflow and the red teaming workflow. For programmes that need a continuous discovery cadence to evidence outcome C2 between formal CAF cycles, the continuous penetration testing workflow keeps the coverage record and the proactive hunting cycle visible against the same engagement record the CAF assessor reviews.

Tagging findings against the MITRE ATT&CK taxonomy sharpens the evidence narrative under Objective C and aligns CAF assessment work with regulator-led intelligence-led testing regimes. The MITRE ATT&CK framework page covers the tagging discipline end to end.

Evidence the assessor expects to see, organised against the framework

CAF cycles that struggle on submission usually struggle because the evidence is scattered across drives, ticketing systems, and email threads, with no clear line from contributing outcome to the artefact that proves it. Build the evidence pack as the work happens, retain raw evidence alongside the structured engagement record, and tie every artefact back to the contributing outcome and IGP it supports. The CAF assessment report reads the way the underlying record reads.

How the CAF relates to NIS2, DORA, ISO 27001, and the wider UK regime

The CAF is one assessment framework inside a wider regulatory picture. Groups that operate across the UK and the EU, or across multiple sectors, usually find that a single underlying body of evidence satisfies several regimes when it is structured against contributing outcomes rather than against a single submission template. The relevant comparison points include:

• The NIS2 framework page covers the EU successor regime to the NIS Directive that the UK NIS Regulations were aligned with. Many UK groups in scope of the CAF are simultaneously in scope of NIS2 for their EU operations, and the contributing outcomes underpinning a CAF cycle map cleanly against the NIS2 risk management measures.
• The DORA framework page covers the EU Digital Operational Resilience Act for the financial sector. UK financial firms that report under CAF for their UK obligations often map the same evidence base into DORA reporting where they operate across the EU.
• The ISO 27001 framework page covers the international information security management system standard. Many CAF contributing outcomes can be evidenced from ISO 27001 Annex A controls; an organisation with a mature ISMS already holds most of the artefacts a CAF cycle expects.
• The CBEST framework page covers the Bank of England intelligence-led testing regime for UK financial services. The CBEST closure pack feeds directly into CAF outcome C2 (proactive security event discovery) and B4 (system security) for in-scope financial entities. The TIBER-EU framework page covers the EU equivalent.
• The Cyber Essentials framework page and the Cyber Essentials Plus framework page cover the NCSC baseline scheme that smaller UK organisations use when CAF is not the right fit; CAF and Cyber Essentials are complementary rather than alternative.

Where SecPortal fits in the CAF workflow

SecPortal is the operating layer for the CAF engagement, not a replacement for the assessor, the regulator, or the in-scope organisation accountable for the contributing outcomes. The platform handles scope, evidence per outcome, gap analysis, remediation tracking, and the audit trail so the cycle runs as a structured workflow rather than a mailbox of attachments. The same workspace that hosts the CAF cycle hosts the penetration testing, vulnerability scanning, and incident response evidence the contributing outcomes consume, so the line from artefact to outcome stays traceable.

The remediation work between cycles is where most of the leverage lives. Findings raised against contributing outcomes need owners, deadlines, and verification evidence that walks back to the IGP they affected. The remediation tracking workflow keeps that line auditable; the retesting workflow keeps the verification evidence paired to the original finding rather than opening a parallel record. The compliance audits workflow covers the wider audit cycle that CAF, ISO 27001, and SOC 2 share at the operating layer.

For consultancies delivering CAF assessments to in-scope clients, the security consultants workspace bundles the platform with branded client portals and AI report generation so the CAF assessment report reads as polished as the work behind it. For internal security teams running the CAF cycle in-house against their own essential services, the internal security teams workspace covers the same mechanics from the in-scope-organisation angle.

For programmes that want continuous detection and trend evidence between CAF cycles, the continuous monitoring capability and the attack surface management capability produce the cadence and coverage record that outcome C2 (proactive security event discovery) is expected to evidence. For analytical context on how findings age across remediation cycles, the aging pentest findings research covers what tends to happen to CAF gap actions when the cycle does not carry forward against a structured engagement record.