NCSC CAF v3.2 GovAssure-ready in days, not months
NCSC Cyber Assessment Framework (v3.2, 2024)

The gateway cyber framework for UK gov, CNI and gov suppliers — automated.

Secruna ships the NCSC Cyber Assessment Framework v3.2 (2024) as a live rule book: 4 Objectives, 14 Principles, 31 Indicators of Good Practice with per-row evidence, a gap surface, and a 90-day audit trail. The output is a one-PDF / one-CSV bundle structured exactly the way a GovAssure assessor reads the assessment workbook — Objective, Principle, IGP, verdict, evidence. CAF is the gateway framework for UK central government, Critical National Infrastructure operators and gov suppliers; the same posture artefact drives verdicts across the UK Public Sector Pack (CAF + DS 05-138 + Secure by Design) so a single Secruna tenant covers all three.

Why CAF is the framework you start with

Three pressures push CAF up the UK cyber agenda — in this order.

CAF is not a tick-box list. It is the outcome-focused framework the NCSC built for UK essential services, then expanded into central government via GovAssure and into Critical National Infrastructure via the sector regulators. The cost of arriving at a GovAssure assessment without an evidence pack is measured in audit findings, remediation deadlines and procurement positions, not retainers.

Gateway for the UK public sector

Every UK government department and every Critical National Infrastructure operator is assessed against CAF. The GovAssure scheme — operational since 2023 — makes the assessment mandatory across central government and is rolling out across CNI through 2024-2025 via sector regulators (Ofgem, Ofwat, Ofcom, FCA, NHS England). UK government suppliers increasingly inherit the obligation through procurement clauses, especially on Cabinet Office and MoD contracts that touch essential-services data.

GovAssure mandate, public reporting

GovAssure outcomes feed into departmental annual reports and the Cabinet Office cyber assurance programme. A Not-Achieved IGP is a finding the assessor surfaces in the report; a Partially-Achieved IGP becomes a weakness with a tracked remediation plan due before re-assessment. The verdict labels follow the framework — Not Achieved, Partially Achieved, Achieved, Not Applicable — and the assessment workbook structures evidence by Objective, Principle and IGP. Turning up without an evidence pack means the IT and security teams scramble for weeks while the assessor waits.

Signal reuse — one tenant, three frameworks

CAF Objective B largely overlaps with Defence Standard 05-138 (Plan 100) and the UK Government Secure by Design checklist (Plan 101). One tenant cyber-posture artefact powers verdicts across all three frameworks — you do not pay for the same identity, encryption and logging signal three times. The marginal cost of adding CAF on top of an existing DS 05-138 or Secure by Design subscription is the rule-book matcher plus the CAF-shaped evidence pack; the cyber signals are already collected.

The five-step path

What you have to do at GovAssure assessment time, in order.

The same five gates apply to every framework Secruna covers, including CAF. Start at step one — the rest only make sense once the organisation knows which essential function is in scope and which systems support it.

  1. Discover

    Connect cloud accounts, the identity provider and GitHub. Secruna’s discovery worker collects the cyber-posture signal once and reuses it across every cyber compliance framework you subscribe to (CAF, DS 05-138, Secure by Design). The first scan almost always surfaces gaps the security team did not know were there — privileged accounts without MFA, retention windows shorter than 12 months, encryption posture drift on a small fraction of endpoints.

  2. Map to CAF

    The rule-book matcher evaluates each IGP against the latest posture artefact and assigns a verdict — Achieved, Partially Achieved, Not Achieved or Not Applicable. Verdicts cite the connector signal that drove them, so an assessor can trace the evidence from the IGP row back to the source control state.

  3. Close the gaps

    The §3 Gaps surface lists every Not-Achieved and Partially-Achieved IGP with the connector field that drove the verdict. Remediate at your own cadence; verdicts re-evaluate on every discovery run. The gap list is the same list the GovAssure assessor expects to see in the report, which means you are working off the assessor’s task list rather than guessing at it.

  4. Generate

    One click produces the evidence pack PDF and CSV. The audit trail captures the last 90 days of platform activity so the assessor sees the platform actively collecting evidence rather than a once-and-done snapshot. Filename follows the standard Secruna shape: secruna-ncsc-caf-evidence-{tenant}-{date}.pdf.

  5. Submit

    Hand the evidence pack to your GovAssure assessor alongside the standard workbook. The file is structured Objective → Principle → IGP so the assessor walks the framework in their natural order. Re-running after remediation is the same click — verdicts re-evaluate on every discovery run, so the pack is always current rather than a snapshot a quarter old.

Objective A — Managing security risk

Governance, risk, asset and supply chain — the organisational anchor.

What CAF asks. Objective A covers four Principles — A1 Governance, A2 Risk management, A3 Asset management and A4 Supply chain. The assessor is looking for board-level accountability, a documented risk management process, a current inventory of every asset that supports the essential function and a documented supplier risk regime with contractual flow-down.

What counts as compliant. A Board or executive committee that owns the cyber security posture, with documented minutes referencing risk and control decisions. A risk register reviewed on cadence with an assurance loop back to the Board. An asset register that is the single source of truth for systems supporting the essential function (no shadow services). A supplier register with each tier-1 supplier’s CAF-relevant assurance status recorded, plus contractual flow-down to tier-2 suppliers handling essential-function data.

What Secruna ships for Objective A. Rules under A1-01 (Board direction) and A1-02 (Roles + responsibilities) record the governance forum cadence and named accountable owner per tenant. A2-01 and A2-02 record the risk management process and assurance loop. A3-01 and A3-02 surface the asset inventory drawn from the connector estate. A4-01 and A4-02 capture supply-chain attestation and tier-2 flow-down. Each rule cites the relevant CAF Principle so the evidence pack lands at the right Objective heading without manual mapping.

See this in your dashboard at: /inventory?framework=ncsc_caf&objective=A filtered to Objective A IGPs, with per-IGP verdict and connector-signal citation surfaced.

Objective B — Protecting against cyber attack

The technical control surface — six Principles, the bulk of the IGPs.

What CAF asks. Objective B is the technical heart of the framework — six Principles covering B1 Service protection policies and processes, B2 Identity and access control, B3 Data security, B4 System security, B5 Resilient networks and systems and B6 Staff awareness and training. This is also the Objective that overlaps most heavily with Defence Standard 05-138 and Cyber Essentials Plus.

What counts as compliant. MFA enforced on privileged access and every remote-access entrypoint (B2). Data encrypted in transit on every external channel and at rest on every endpoint and SaaS store (B3). Hardened baseline configuration with documented vulnerability management and a patching SLA (B4). Network segmentation with deny-by-default boundaries, tested immutable offsite backups (B5). A recurring cyber awareness training programme with completion tracking (B6). A documented service-protection policy referenced from each of the above (B1).

What Secruna ships for Objective B. Read-only connectors against Microsoft 365 / Azure / Google Workspace / AWS that report MFA enforcement per identity, Conditional Access posture, encryption state per endpoint, DMARC / DKIM / SPF per domain, patch cadence per asset and backup posture per workload. The same posture artefact powers DS 05-138 and Secure by Design — so a tenant subscribed to all three frameworks pays for the signal collection once.

See this in your dashboard at: /inventory?framework=ncsc_caf&objective=B filtered to Objective B IGPs, with per-identity MFA state and per-endpoint encryption state surfaced.

Objective C — Detecting cyber security events

Visibility, monitoring and hunting — a partial-evidence Objective.

What CAF asks. Objective C covers two Principles — C1 Security monitoring and C2 Proactive security event discovery. The assessor is looking for 24x7 monitoring with documented use cases, tamper-evident log retention of at least 12 months and a proactive threat-hunting programme that goes beyond rule-based detection.

What counts as compliant. Audit logs retained for at least 12 months, stored in a tamper-resistant location, with documented monitoring use cases that cover identity events, endpoint events, network events and SaaS / cloud events touching essential-function data. A 24x7 monitoring capability — in-house SOC, MSSP, or hybrid — with a documented response runbook. A proactive threat-hunting cadence with results fed into the risk register.

What Secruna ships for Objective C. A connector-level signal pattern that detects whether audit-log forwarding is configured against the major SaaS and cloud platforms and whether retention is set to 12+ months. The SIEM-detection IGPs that require SOC-grade visibility ship as tenant self-attestations in v1 — the YAML carries a customer_description body explaining what evidence the assessor expects, and the dashboard prompts the compliance lead to attach the supporting record. A future plan can wire SIEM connectors if customer demand justifies the integration cost.

See this in your dashboard at: /inventory?framework=ncsc_caf&objective=C with retention state per source and self-attestation rows clearly flagged so the assessor sees the boundary between auto-evidence and tenant declaration.
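To make the step-2 rule-book matcher and the Objective B and C signal patterns concrete, here is an added toy matcher in Python; it is an illustration written for this page, not Secruna's own code. It assumes a posture artefact with identities[] and log_sources[] fields, uses IGP ids (B2-01, C1-01, C2-01) constructed after the page's A1-01 pattern rather than CAF's own numbering, and models the Objective C self-attestation row through its customer_description.

```python
ACHIEVED, PARTIAL, NOT_ACHIEVED, NA = (
    "Achieved", "Partially Achieved", "Not Achieved", "Not Applicable")

def grade(failing: list[str], total: int, field: str) -> tuple[str, str]:
    """Achieved if nothing fails, Not Achieved if everything does, else Partially."""
    if not failing:
        return ACHIEVED, f"{field}: compliant on all {total}"
    verdict = NOT_ACHIEVED if len(failing) == total else PARTIAL
    return verdict, f"{field}: non-compliant on " + ", ".join(failing)
def mfa_on_privileged(p: dict) -> tuple[str, str]:
    """B2 signal: MFA enforced on every privileged identity (connector field cited)."""
    priv = [i for i in p["identities"] if i["privileged"]]
    if not priv:
        return NA, "identities[]: no privileged identities in scope"
    return grade([i["upn"] for i in priv if not i["mfa_enforced"]], len(priv),
                 "identities[].mfa_enforced")
def retention_12_months(p: dict) -> tuple[str, str]:
    """C1 signal: forwarding configured and retention >= 12 months per source."""
    srcs = p["log_sources"]
    if not srcs:
        return NOT_ACHIEVED, "log_sources[]: no audit-log forwarding configured"
    return grade([s["name"] for s in srcs if s["retention_days"] < 365], len(srcs),
                 "log_sources[].retention_days >= 365")
RULES = [  # (igp, objective, principle, check or None, customer_description); ids are constructed
    ("B2-01", "B", "B2 Identity and access control", mfa_on_privileged, ""),
    ("C1-01", "C", "C1 Security monitoring", retention_12_months, ""),
    ("C2-01", "C", "C2 Proactive security event discovery", None, "Attach latest hunt report."),
]
def evaluate(posture: dict, attestations: dict[str, str]) -> list[dict]:
    """One evidence-pack row per IGP: Objective, Principle, IGP, verdict, evidence."""
    rows = []
    for igp, obj, principle, check, desc in RULES:
        if check is not None:
            verdict, evidence = check(posture)
        elif igp in attestations:  # tenant declaration, flagged as such in the row
            verdict, evidence = attestations[igp], "self-attestation: " + desc
        else:
            verdict, evidence = NOT_ACHIEVED, "self-attestation missing: " + desc
        rows.append({"objective": obj, "principle": principle, "igp": igp,
                     "verdict": verdict, "evidence": evidence})
    return rows

SAMPLE_POSTURE = {  # constructed sample artefact, not real tenant data
    "identities": [
        {"upn": "admin1@example.gov.uk", "privileged": True, "mfa_enforced": True},
        {"upn": "admin2@example.gov.uk", "privileged": True, "mfa_enforced": False},
        {"upn": "staff@example.gov.uk", "privileged": False, "mfa_enforced": False}],
    "log_sources": [{"name": "m365-audit", "retention_days": 365},
                    {"name": "aws-cloudtrail", "retention_days": 90}],
}
```

With the sample artefact and no attestation attached, evaluate(SAMPLE_POSTURE, {}) yields Partially Achieved for B2-01 (one of two privileged identities lacks MFA) and C1-01 (one source retains only 90 days), and Not Achieved for the unattested C2-01 row.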

Objective D — Minimising the impact of cyber security incidents

A response capability that has been exercised — not just written.

What CAF asks. Objective D covers two Principles — D1 Response and recovery planning and D2 Lessons learned. The assessor is looking for a current incident response plan, a resourced response and recovery capability, regular exercising and a documented lessons-learned cycle that drives measurable improvements back into the framework.

What counts as compliant. A documented incident response plan covering identification, containment, eradication, recovery and post-incident review. A named on-call role and a documented escalation path to leadership and the assessor. An annual exercise — tabletop is the floor, not the ceiling — with exercise notes and actions tracked through to closure. A lessons-learned process that feeds the governance review at Objective A and the risk register at A2. Evidence that the plan has been exercised, not just written.

What Secruna ships for Objective D. Rules under D1-01 (response plan), D1-02 (response and recovery capability) and D1-03 (testing and exercising) record the plan version, the named on-call role and the last exercise date per tenant. D2-01 and D2-02 capture root-cause analysis and improvement tracking. An evidence-pack section cites the plan, the exercise log and the lessons-learned tracker; a reminder schedule fires when the annual exercise approaches its due date.

See this in your dashboard at: /inventory?framework=ncsc_caf&objective=D with IR plan, exercise cadence and lessons-learned state surfaced per tenant.

UK Public Sector Pack

Three frameworks. One platform.

CAF is the gateway. The other two UK cyber frameworks stack on top — and because every cyber signal Secruna collects is shared across all three, the marginal cost of adding a second or third framework to a tenant subscription is close to zero.

NCSC CAF (this page)

Gateway for UK gov departments + CNI operators. Required by the GovAssure scheme since 2023. Outcome-focused: 4 Objectives, 14 Principles, 31 IGPs. Evidence pack is structured exactly the way a GovAssure assessor reads the workbook.

Defence Standard 05-138

MoD-vertical cyber security for defence suppliers — a profile-tiered subset of CAF Objective B with defence citations. Level 0 / 1 / 2 / 3 assigned per contract; evidence pack generated per profile. See DS 05-138 detail →

Secure by Design (UK Government)

Digital service security checklist for delivery teams inside gov. Overlaps with CAF Objective A governance and B service protection. Checklist-maturity shape (not rule-book), producing a Confidence Profile per tenant. See Secure by Design detail →

See where your CAF posture stands.
In 30 minutes.

A 30-minute scope call maps your tenant estate to the 14 CAF Principles and identifies which IGPs you can evidence from existing signals today and which need a tenant-supplied attestation. You leave the call with a concrete gap list and a path to a GovAssure-ready evidence pack.

Or call our UK lead — we’re on +44 20 0000 0000. (Placeholder — see TODO at the top of this file; the real number lands once the founder confirms it.)