Public sector organisations need to learn from each other to make the most of the framework for cyber resilience, writes Phill Toms, Cloudflare One government specialist at Cloudflare
The Cyber Assessment Framework (CAF) has emerged as a prime resource for building cyber resilience in the public sector.
Developed by the National Cyber Security Centre, it provides guidance in handling high impact data and cyber security measures for organisations providing essential services to the UK, and is being embedded within key sectors including the NHS and local government.
While there is a growing recognition of the benefits it can provide, organisations are still working out the details of how they can be realised, and the best way to apply CAF in their own contexts.
I was involved in a recent UKA Live discussion on the issues with Katie Owen, cyber assessment framework owner at the Ministry of Housing, Communities and Local Government (MHCLG), Mike Scanlon, head of security assurance at the Department for Work and Pensions (DWP), and Helen Olsen Bedford, publisher of UKAuthorITy. It provided several insights on how public sector bodies can get the best from CAF, and the future opportunities it provides.
Among the key benefits is that it brings all the functions in cyber resilience together into a structured approach. This involves not just IT teams but officials from service teams, finance, commercial operations and other areas, going up to board level.
This brings out its strength as a collaborative tool to support conversations around managing risk and building a positive cyber security culture in an organisation.
Challenges, risk and responsibilities
It can be used to deal with specific challenges, reduce the risk in a range of processes and make it easier for people at all levels to fulfil their own responsibilities in resilience. The latter is an important factor given the tight resources, in terms of time and budgets, with which many public services are operating.
CAF also brings the demands on the multiple control points of resilience into one framework, making it easier to do things correctly and provide the relevant evidence. This includes identifying the risks in legacy IT and retiring devices and software that have reached the end of their lives.
A further benefit is in using the framework to build security in the supply chain. It can help in providing a single set of questions to ask suppliers about their security stance, also tailored to what the buying organisation needs, and in identifying some of the common factors in the chain.
Owen said this is a big factor and that MHCLG is using it to develop better visibility of the supply chain relationships and encourage more consistency in the conversations with suppliers.
Overall, it is seen as a mechanism for unifying best practice in cyber resilience, making it possible to sharply reduce the number of audits required in the different frameworks that have previously been used, and making it simpler to take all the necessary steps.
But the discussion also made clear there are challenging issues to address in applying the framework.
Burden of implementation
One of the main concerns is the effort it takes to do so, which can impose a significant burden on smaller organisations with limited resources, and which are often less mature in their cyber security stance. Scanlon pointed out that, while DWP has dedicated cyber security teams to ensure compliance, its family includes smaller arm’s length bodies that need support.
In cases like this the assistance may come from a parent organisation, or from peer groups such as local WARPs (warning, advice and reporting points). This can help to provide savings in implementing CAF, but it needs to be tailored to an honest appraisal of the organisation’s strengths and weaknesses in security.
The rapid development of AI will raise complex issues to consider, most of which are not yet understood. This will pose new challenges for the CAF, as AI makes it easier for hostile actors to launch complex attacks, but it can also equip organisations with new cyber security tools, such as AI firewalls, data loss prevention solutions and tenant level controls.
These are areas in which Cloudflare is now developing solutions and which could be used within the framework.
A recurring question is whether the CAF should be mandatory for the public sector. Sentiment is generally against this, with a preference for taking it to organisations’ boards at an early stage to ensure they buy into its adoption, followed up by extensive engagement within organisations, including a willingness to take feedback, be ready to adapt the plans and to use internal ‘champions’.
Promoting collaboration
This reflects the value of CAF as a collaboration tool, promoting conversations between all of the stakeholders in resilience – extending to partner organisations – to build a full understanding of the risks and share experience and skills in building the defences.
There is also plenty of scope for organisations to learn from each other, and possibly develop shared approaches to its implementation.
DWP and MHCLG are both making efforts to promote implementations: the former providing support for organisations in its family in a structured approach; the latter through a series of pilots with local authorities to establish what support they need, and developing tools and guidance. Owen described this as the beginning of a journey of learning more about the common challenges.
Two notes of caution should be added to these perspectives. One is to avoid the risk of building up technical debt through procuring too many solutions, which can be a major headache to manage.
The other is to keep an eye on changes in encryption standards and the emergence of new ciphers to cope with quantum computing. This will require the development of new compliance measures as part of a cyber resilience stance.
But the outlook is generally positive, and Owen summed it up by conveying the eagerness in local government to share learnings on the application of the CAF.
“It’s a really exciting time with the opportunity in terms of collaboration,” she said. “And we very much understand the importance of how councils come together to look at common challenges, opportunities and what solutions may look like in the future.”
Download Cloudflare's white paper: CAF Compliance with Connectivity Cloud - Achieving compliance with Secure Access Service Edge (SASE)