CAF 3.1 continues to take a risk-based approach to cyber resilience as research highlights cybersecurity barriers faced by organisations in the UK CNI sector.

The UK’s National Cyber Security Centre (NCSC) has released a new version of the Cyber Assessment Framework (CAF). The CAF supports critical national infrastructure (CNI) organisations that are subject to the Network and Information Systems (NIS) regulations, as well as organisations managing cyber-related risks to public safety. It comes as new research reveals that the UK CNI sector is struggling to address software supply chain risks and cyber skills shortages.

UK NCSC continues risk-based approach to cyber resilience

The CAF is intended for use by UK organisations responsible for services and activities of vital importance, and aims to help them improve their cybersecurity. In the latest version of the CAF (3.1), the NCSC has focussed on language revisions to improve clarity and consistency in the framework for the Principles, their Contributing Outcomes, and Indicators of Good Practice (IGPs), it stated on its website. “A more substantial change, following the UK government placing the CAF at the heart of the new government Cyber Security Strategy and consequently its growing use by public sector organisations, introduces a Partially Achieved level to the IGP for Media/Equipment sanitisation in recognition of the risk to data confidentiality that public sector organisations manage.”

The revision has been carried out in full consultation with NIS regulators and all other interested parties, the NCSC stated. “During this latest review the importance of using the supporting guidance alongside the framework came to the fore. We would encourage all users to make sure they have both open when they are using the CAF – the additional context within the guidance really helps in interpreting the framework.”

The NCSC added that it continues to consider whether the CAF remains reflective of its users’ needs as the threat changes and its use expands into new sectors, stressing that any future changes will remain outcome-focussed, allowing organisations to take a risk-based approach when considering their cyber resilience.

UK CNI sector facing software supply chain and cyber resource challenges

The framework update comes as new research from cybersecurity vendor Trellix revealed that organisations in the UK CNI sector are struggling to overcome certain barriers hampering their cyber defences. The findings come from the vendor’s Cyber Readiness Report, which surveyed 200 cybersecurity professionals from government agencies and critical infrastructure providers in the UK, Germany and France. These included organisations operating in the electricity, water, oil and gas, telecommunications and network, public and private healthcare, transportation, and distribution spaces.

Of the UK respondents, 41% identified lack of resources as one of the biggest barriers to implementing new cybersecurity solutions, whilst 39% identified a lack of trusted partner vendors to assist with implementation. Furthermore, 76% of respondents identified software supply chain risk management policies and processes as extremely or highly difficult to implement, and only 39% claimed to have fully implemented such practices. Almost 80% of those surveyed also voiced concerns that there has historically been little oversight over how cybersecurity products themselves are developed and where, whilst 51% would support government mandates demanding cybersecurity standards for software. Overall, 86% of respondents stated that there is room for improvement in the level of partnership between government and organisations in overcoming cyberthreats.

Commenting in a press release, Fabien Rech, vice president EMEA for Trellix, said, “Government-led initiatives have an important role to play, but it will also be down to organisations across every sector – particularly those in critical infrastructure – to facilitate the sharing of threat intelligence as well as make the most of advanced cybersecurity technology and the adaptive protection it enables.” The government and UK organisations will need to not only collaborate, but also ensure their security teams are able to respond quickly with security that spots, stops, and adapts quickly to incoming threats, he added. “This will be core to government agencies and critical infrastructure providers remaining resilient and ready to fend off new attacks which come their way.”