One of the key objectives of the NIS Directive is to ensure that Operators of Essential Services (OES) take appropriate and proportionate technical and organisational measures to manage the risks to the security of network and information systems which support the delivery of essential services. As outlined here, OES will be required to meet a set of fourteen NIS cyber security principles written in terms of outcomes ie. specification of what needs to be achieved rather than exactly what needs to be done.
The Directive also requires that the NIS Competent Authorities (CAs) have the capability to assess the extent to which OES are achieving the outcomes specified by the NIS principles. NCSC has worked with government departments and CAs to develop an initial version of a Cyber Assessment Framework (CAF), intended to assist in achieving effective security assessments. The CAF is based on structured sets of Indicators of Good Practice (IGPs) and is described in more detail below. The CAF itself can be found here.
While NCSC has led on the development of the CAF, the details of its use in a sector covered by the NIS Directive (including whether it will be used at all) is a matter for the sector CA. OES are strongly advised to engage with their sector CAs on plans for the use of the CAF in their sector. It should also be noted that, since NCSC has no regulatory responsibilities under NIS, regulatory assessments, whether or not based on the CAF, will not be carried out by NCSC.
CAF Requirements
The CAF has been developed to meet the following set of requirements:
- provide a suitable framework to assist NIS CAs in carrying out assessments as required by the Directive
- maintain the outcome-focused approach of the principles and discourage assessments being carried out as tick-box exercises
- be compatible with the use by OES of appropriate existing cyber security guidance and standards
- enable the identification of effective cyber security improvement activities
- exist in a baseline version which is sector-agnostic
- be extensible to accommodate sector-specific elements as may be required by CAs
- enable the setting of meaningful target security levels for OES to achieve, reflecting a CA view of appropriate and proportionate security
- be as straightforward and cost-effective to apply as possible
CAF – Outline Approach
Each top-level NIS principle defines a fairly wide-ranging cyber security outcome. The precise approach organisations adopt to achieve each principle is not specified as this will vary according to organisational circumstances. However, each NIS principle can be broken down into a collection of lower-level contributing cyber security outcomes, all of which will normally need to be achieved to fully satisfy the NIS principle.
An assessment of the extent to which an organisation is meeting a particular NIS principle is accomplished by assessing all the contributing outcomes for that principle. In order to inform assessments at the level of contributing outcomes:
- each contributing outcome is associated with a set of indicators of good practice (IGPs) and,
- using the relevant IGPs, the circumstances under which the contributing outcome is judged ‘achieved’, ’not achieved’ or (in some cases) ‘partially achieved’ are described.
For each contributing outcome the relevant IGPs have conveniently been arranged into table format, as illustrated here. The resulting tables, referred to as IGP tables, constitute the basic building blocks of the CAF. In this way, each NIS principle is associated with several IGP tables, one table per contributing outcome.
Using CAF IGP Tables
Assessment of contributing outcomes is primarily a matter of expert judgement and the IGP tables do not remove the requirement for the informed use of cyber security expertise and sector knowledge. Indicators in the IGP tables will usually provide good starting points for assessments but should be used flexibly. Conclusions about an organisation’s cyber security should be only be drawn after considering additional relevant factors and special circumstances.
The ‘achieved’ (GREEN) column of an IGP table defines the typical characteristics of an organisation fully achieving that outcome. It is intended that all the indicators would normally be present to support an assessment of ‘achieved’.
The ‘not achieved’ (RED) column of an IGP table defines the typical characteristics of an organisation not achieving that outcome. It is intended that the presence of any one indicator would normally be sufficient to justify an assessment of ‘not achieved’.
When present, the ‘partially achieved’ (AMBER) column of an IGP table defines the typical characteristics of an organisation partially achieving that outcome. It is also important that the partial achievement is delivering specific worthwhile cyber security benefits. An assessment of ‘partially achieved’ should represent more than giving credit for doing something vaguely relevant.
The following table summarises the key points relating to the purpose and nature of the indicators included in the CAF IGP tables
Indicators in CAF IGP are… | Indicators in CAF IGP tables are not… | |
Purpose | …intended to help inform expert judgement. | …a checklist to be used in an inflexible assessment process. |
Scope | …important examples of what an assessor will normally need to consider, which may need to be supplemented in some cases. | … an exhaustive list covering everything an assessor needs to consider. |
Applicability | …designed to be widely applicable across different organisations, but applicability needs to be established. | …guaranteed to apply verbatim to all organisations. |
Interpreting CAF Output
The result of applying the CAF is 39 individual assessments, each one derived from making a judgement on the extent to which a set of IGPs reflects the circumstances of the organisation being assessed. The CAF has been designed in such a way that a result in which all 39 contributing outcomes were assessed as ‘achieved’ would indicate a level of cyber security some way beyond the bare minimum ‘basic cyber hygiene’ level.
It is the responsibility of the CAs (not NCSC) to define what represents appropriate and proportionate cyber security for NIS Directive purposes. In particular, any target set for OES to achieve in terms of CAF results is for the sector CA to define.
NCSC is discussing with CAs an approach to interpreting CAF output based on identifying those contributing outcomes considered most important for an OES to achieve in order to manage security risks to a sector’s essential services. Those prioritised contributing outcomes would correspond to an initial CA view of appropriate and proportionate cyber security in their sector. The subset of contributing outcomes identified as the most important in this way would represent an example of a CAF profile – something that could be used as the basis for setting a target for regulated organisations to achieve.
In practice a CAF profile would consist of a mixture of some contributing outcomes to be met at ‘achieved’, some at ‘partially achieved’ and perhaps some (representing cyber security capabilities not appropriate at the level of the profile) identified as ‘not applicable’.
Making the CAF Sector Specific
The initial version of the CAF is sector agnostic in the sense that the contributing outcomes and IGPs are designed to be generally applicable to all OES across all NIS sectors. It is possible that there will be a need for some sector specific aspects of the CAF, which could include the following:
i. Sector-specific CAF Profiles
As mentioned in the section on defining CAF profiles, it will be a decision for the relevant CA to put a regulatory interpretation on CAF results. Some target profiles may well be sector specific.
ii. Sector-specific Interpretations of Contributing Outcomes/IGPs
It may be necessary in some cases for a sector-specific interpretation of contributing outcomes and/or IGPs to better clarify meaning within the sector.
iii. Sector-specific Additional Contributing Outcomes/IGPs
There may be circumstances in which sector-specific cyber security requirements cannot be adequately covered by an interpretation of a generic contributing outcome or IGP. In these cases, an additional sector-specific contributing outcome or IGP may need to be defined.
NCSC will be continuing to work with the NIS CAs to determine if sector-specific aspects of the CAF are required, and to assist in introducing changes as necessary.
Source: NCSC