The National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) helps organisations assess and improve cyber resilience through structured objectives, principles, contributing outcomes and indicators of good practice. It provides a consistent basis for assessing whether essential services are adequately protected, particularly where essential functions and regulatory assurance are in scope.
On paper, CAF offers clarity. Applying it within live Critical National Infrastructure (CNI) environments is more complex.
CAF complexity in live environments
Most CNI organisations operate within systems that have evolved over time rather than being designed to meet modern security frameworks. Operational technology (OT) often sits alongside IT systems, supported by a mix of legacy infrastructure, third-party providers, and long-standing operational processes. These environments cannot simply be taken offline or re-engineered without consequence.
CAF acknowledges this to an extent. It is outcome-focused rather than prescriptive, allowing organisations to interpret how they meet each principle. However, that flexibility does not remove the need to reconcile those outcomes with operational reality.
A common initial approach is to treat CAF as a mapping exercise. Existing controls are aligned against CAF outcomes, gaps are identified, and documentation is developed to demonstrate compliance. This aligns with NCSC guidance, which positions CAF as a tool for self-assessment and regulatory assurance rather than a prescription of specific technical controls.
Mapping is only the starting point
The limitation of this approach becomes apparent when assessment moves beyond documentation. The question shifts from whether a control exists to whether it is effective within the environment it is meant to protect.
Asset management is a useful example. CAF Principle A1 requires organisations to understand and manage the assets that support essential services. In practice, this is rarely straightforward. CNI environments often contain assets that are partially documented or not centrally tracked, managed by third parties or inherited through supply chains, or embedded within operational processes that cannot be interrupted.
NCSC guidance on CAF highlights that understanding system dependencies is critical to resilience. In live environments, however, that understanding is often incomplete and must be developed iteratively rather than assumed at the outset.
Asset understanding has to be built
Similar challenges arise in areas such as access control and monitoring. CAF Principle B2 (Identity and Access Control) and Principle C1 (Monitoring) both assume a degree of centralised visibility and control that may not exist in fragmented or legacy environments. Implementing improvements in these areas requires careful consideration of operational constraints, particularly within OT systems where stability and availability take priority.
This aligns with broader industry guidance. The NIST Cybersecurity Framework similarly organises its functions (govern, identify, protect, detect, respond and recover) to be tailored to an organisation's specific risk environment, rather than applied as a uniform set of controls without context.
Applying CAF effectively means starting from the current state rather than an assumed baseline. This often means building visibility and understanding before attempting to enforce new controls. Without a clear picture of the environment, introducing controls can create friction without improving security outcomes.
Evidence has to prove effectiveness
There is also a need to bridge the traditional divide between IT and OT. CAF does not treat these as separate domains in the way organisations historically have. Outcomes relating to identity, monitoring, and resilience span both, and gaps at the boundary can undermine overall assurance. IEC 62443 reinforces this, emphasising integrated security approaches across industrial control systems.
Evidence is another area where theory and practice diverge. CAF requires organisations not only to implement controls but to demonstrate that they are effective. In live environments, evidence is often fragmented across systems, teams, and suppliers. Logs may be distributed, processes informal, and third-party assurance not readily accessible.
CAF is intended to support meaningful assurance, not just documentation. That means focusing on evidence that demonstrates controls are operating as intended, not simply proving their existence.
Improvement needs to be incremental
Organisations that approach CAF in this way tend to see a gradual shift in how the framework is understood. It becomes less about compliance and more about developing a genuine picture of resilience. Conversations move from “do we have this control?” to “does this control work, and can we prove it?”
Applying CAF in live environments is not about forcing systems into a predefined model. It is about using the framework to guide incremental, defensible improvements that reflect operational realities, balancing ambition with pragmatism, and recognising that resilience is built over time rather than implemented in a single step.