CSF vs CAF - what's in a letter?

The cyber security industry boasts a huge range of frameworks, standards, certifications and accreditations. It can be hard to choose which one to follow, particularly for those organisations in niche sectors. This blog examines two of the most well-known approaches and explains how and where they fit in your cyber security programme.

The Cyber Security Framework (CSF) published by the National Institute for Standards and Technology (NIST, part of the US Department of Commerce) is a popular and prominent example of a dedicated cyber security framework. First published in 2014 and updated in 2018, it provides clear and reliable guidance for almost any organisation looking to measure and enhance its cyber security posture.

Meanwhile, in the UK in 2018, the National Cyber Security Centre (NCSC) published the Cyber Assessment Framework (CAF). The CAF was created to coincide with the UK government’s launch of the National Information Systems Regulations (NISR) - the legislation which enshrined the EU’s wider Directive into UK law (see our blog post here). In essence, NISR sets out the required cyber security posture for operators of “essential services”; those who provide energy, transport, health, drinking water and digital infrastructure on a national scale. The NCSC created CAF as a way to help organisations understand and meet their obligations under NISR.

Purpose

The most important difference between CSF and CAF is not their origins, but their purpose. Put simply, NIST’s CSF is a framework for “doing” cyber security, while NCSC’s CAF is a framework to assess cyber security compliance against NISR. The NIST CSF was designed to be used as widely applicable (and not just in the US), while the CAF was designed largely for operators of essential services in the UK. That’s not to say that CAF isn’t useful for other organisations - it’s actually an excellent benchmark for many organisations to aspire to, and its clarity and simple structure make it a great reference point for most organisations.

Structure

The NIST CSF uses three foundational concepts: the Core, Tiers and Profiles. The CSF Core contains 108 cyber security ‘outcomes’ - cyber security-related activities - from asset tracking to patching, malware detection and incident response. Tiers are then used to describe how well these activities are performed; from basic ad-hoc approaches to fully-automated and repeatable. These are then combined into Profiles; a carefully-selected subset of Core cyber security outcomes together with a description of how well they are being performed.

The Profile concept can be used to describe the current and desired state of an organisation’s cyber security posture. A simple process is provided which enables you to take your organisation from the current to the desired cyber security posture. Each cyber security outcome references other cyber security frameworks, including ISO/IEC 27001, NIST SP 800-53 and CIS CSC, so there is plenty of guidance on how to do each activity.

The NCSC CAF also follows a similar hierarchical structure. It is built around a set of high-level objectives, each of which contains a number of ‘principles’. For example, ‘Objective A: Managing Security Risk’ contains four principles; ‘Governance’, ‘Risk Management’, ‘Asset Management’, ‘Supply Chain’. Each principle has a set of simple criteria called Indicators of Good Practice (IGPs). These are used to determine whether your organisation has ‘Not achieved’, ‘Partially achieved’ or ‘Achieved’ that particular principle. Compliance with NISR means getting ‘Achieved’ across all the principles and objectives.

Uses

As mentioned, the NIST CSF is a tool set for measuring your current cyber security posture, describing where you want to get to, and then getting there. It can be applied to almost any organisation, or even to specific departments, functions or assets. It’s also not just a one-off; organisations are encouraged to maintain a constant cycle of improvement based on the CSF.

The NCSC CAF is quite clearly focussed around understanding and assuring compliance with NISR. However, it is an extremely powerful resource which many organisations can make us of. For a start, it defines a cyber security baseline based on NISR - the CSF leaves this up to the user to define. Not only is this a robust baseline which many organisations would do well to meet, the CAF’s IGPs themselves provide a clear and comprehensive definition of what “good looks like”. Want to know how security monitoring should be done? Go and look at the IGPs for ‘Objective C: Detecting Cyber Security Events’ and you’ll have a solid picture of what you should be doing.

Strengths and Weaknesses

The NIST CSF - Strengths:

• A planning tool: a process for how to plan and execute a cyber security change programme.
• Suitable for organisations of almost any size and business sector.
• Cross-references a wide array of popular cyber and information security frameworks.
• Supported and complemented by NIST’s massive library of excellent publications. There are also template profiles for particular business sectors.
• The framework document is a pdf and the Core is provided as an Excel spreadsheet, meaning you can download them, update, share and print.

The NIST CSF - Weaknesses:

• Doesn’t inherently align to a particular standard or baseline; i.e. even if you are doing everything perfectly, it doesn’t tell you how well you’re performing against (for example) ISO/IEC27001 etc, so you will need to use a framework mapping tool and probably generate lots of extra documentation.
• It can be hard to choose a manageable subset from the total of 108 different outcomes in the CSF CORe.

NCSC CAF - Strengths:

• Developed recently, directly aligned to NISR, aimed at critical sectors and designed to be easy to implement and use.
• References internal NCSC guidance as well as ITIL and ISO/IEC 27001.
• Focussed on achieving good cyber security outcomes, rather than a dry checklist/tick box exercise.
• Contains guidance on critical subjects: risk management, board/senior management communications and supplier dependencies
• The CAF overall is a robust cyber security baseline, and the IGPs are superb examples of “what good looks like”.

NCSC CAF - Weaknesses:

• CAF is not underpinned by a planning process in the way that the NIST CSF is. It is better suited to measuring (assuring) maturity/capability, rather than planning a change programme.
• The content is largely hosted on the NCSC’s website; there is no document you can (easily) download and take with you.

Which should I choose?

Hopefully the information above has explained the differences and will get you thinking in the right direction. If your organisation is an operator of essential services, we’d strongly encourage CAF in the first instance. Meanwhile, other organisations may wish to define their own baseline and use the NIST CSF to transition towards it.

But that’s not to say the two frameworks are exclusive. There is a lot of overlap in the CAF IGPs and the NIST CSF outcomes - and for a good reason - they’re both professionally written for a similar audience. If you’re struggling to define a good Target Profile under the NIST CSF, have a look at the CAF IGPs for inspiration. Equally, if you’re struggling with making the journey towards CAF compliance, have a look at the process in NIST CSF. In many cases, a tailored approach taking the most useful parts from each may be the best answer.

The Clear Cut Cyber approach

We have extensive experience of teaching and applying the NIST CSF and the NCSC CAF in a range of organisations and operational domains. Whether you’re looking to up-skill you or your staff, to make an informed decision about which framework is right for you, or to apply NIST CSF or NCSC CAF to your organisation or operations, Clear Cut Cyber can support you. Contact us.