What’s Changed with Version 3.2 of the Cyber Assessment Framework?

Version 3.2 of the CAF is very much an evolution rather than revolution – almost half of the amendments that have been introduced involve either minor drafting corrections or additions that clarify the existing requirements.  

However, there have been some significant changes in relation to identity and access management, privileged user management, and device security to bring them more closely into line with current NCSC advice and recognised best practice. These changes include: 

Extending the Reach of Multi-Factor Authentication

Meeting the ‘Achieved’ level for Contributing Outcome B2.a (Identity Verification, Authentication and Authorisation) now requires the use of multi-factor authentication (or alternative additional authentication means) for all user access (including all remote access), rather than being limited to accounts associated with privileged access.  

In addition, reaching the ‘Partially Achieved’ level for Contributing Outcomes B2.a and B2.c (Privileged User Management) will now require that ‘strong’ additional authentication mechanisms are used for privileged access to any networks or information systems that operate or support the delivery of essential functions, rather than being limited only to privileged access to ‘sensitive systems’ such as OT.  

These changes are unsurprising given the NCSC has been issuing recommendations in this space for a long time, and the risks of relying solely on password-based authentication are well understood. It is also important to remember that, as the CAF is outcome focused, organisations may be able to achieve the spirit of the intended outcome in a variety of ways that don’t directly require the introduction of MFA or comparable technologies. However, for some organisations, these amendments will require careful analysis and potentially significant changes to authentication policies and technologies. 

More Stringent Controls on Privileged Access 

The CAF has required that privileged access takes place only via dedicated, corporately managed devices for some time. However, Version 3.2 of the CAF now requires that privileged access takes place only via corporately owned and managed devices (Contributing Outcome B2.b – Device Management).  

Meeting the Partially Achieved level for Contributing Outcomes B2.b and B4.c (Secure Management) also now requires that administrative actions take place on devices ‘sufficiently separated’ from the activities of standard users. Meeting the ‘Achieved’ level for B2.b goes further, stating that privileged operations can only take place using ‘highly trusted’ devices such as Privileged Access Workstations. 

This change aligns with the latest NCSC guidance on secure system administration, including the principle that administrative actions should only be performed using devices that are trusted as much, or more, than the systems being administered (the ‘browse-down’ principle). 

There are a variety of ways of achieving this outcome, depending on your existing architecture and ways of working. However, if you do not currently have any meaningful separation between devices used for standard and privileged activities then meeting this requirement will require changes in your policies and standards, and system design/ implementation. Organisations that grant external third parties privileged access to their systems will also need to reflect carefully on their device management posture. 

Network Segregation and Internet Access 

Contributing Outcome B5.b (Design for Resilience) will now require that internet services are disabled for any ‘network and information systems supporting the essential function(s)’. More broadly, NCSC have also replaced references to ‘essential function(s)’ with ‘network and information systems supporting your essential function(s)’ in many other Indicators of Good Practice. 

Depending on your system architecture this may require you to carefully consider the scope of your essential function(s) and the systems that access or support them and assess whether this change will require the introduction of additional security controls within your organisation. 

There have also been several other notable changes, including specific provisions for generic accounts. If you want to dive into the detail of all of the changes NCSC maintain an excellent CAF Changelog. 

How Do I Comply with CAF v3.2? 

It’s important to restate a critical design philosophy that underpins the CAF – namely, that is outcome-focussed. That means the CAF should not be used as a compliance ‘checklist’. Where changes have been made in Version 3.2 of the CAF, you should not rush to tear up your existing cyber security controls and redesign your systems to meet the new wording.  

It's also important to remember that these changes may not (yet) apply directly to the sector you’re operating in. The NCSC’s version of the CAF is not the only game in town. Some Competent Authorities have taken their own ‘fork’ of the CAF that have been adjusted to reflect the specific requirements of their sector. For instance, the Civil Aviation Authority’s CAF for Aviation and the new ‘Objective E’ introduced by Ofgem. It may take some time for these ‘forks’ to be updated to reflect Version 3.2, and Competent Authorities might also make further amendments of their own. In short, you need to know which CAF you align to. 

In all cases you should take an outcome-focussed approach. Reflect carefully on how your organisation and systems align to the new wording and whether changes may be appropriate now or in the future, based on factors such as your operating environment, business objectives, threat profile, risk tolerance, and the sector you operate in. 

Will There Be Further Changes to the CAF? 

Keep your eyes peeled. The pace of technological change and the rate of evolution in the threat landscape show no signs of slowing. These will undoubtedly drive further changes to the CAF in the future. The NCSC have signalled clearly that they are planning for further amendments in order to maintain alignment with laws such as the NIS Regulations.