Cyber Activity and Assurance Tracker maturity assessments
The Cyber Activity and Assurance Tracker (CAAT) helps MOD delivery teams manage and track cyber security activities and generate maturity reports.
The tracker is designed to help you manage cyber security outcomes through the capability’s lifecycle. It does not provide assurance or validation of your actions.
Secure by Design is a continual assessment and assurance approach. All capabilities will repeat maturity self-assessments as their maturity changes throughout the lifecycle, to understand risks, identify gaps and evidence maturity.
It is recommended the CAAT is used as a constant reference point and updated when a piece of work is delivered, or when the capability’s maturity in a certain area has changed.
The value of the self-assessments is in the analysis and usage of the maturity self-assessment report and the insights it provides.
Policy requires that you provide evidence to support your answers. When completing assessments, you should provide links to where evidence is stored. At a minimum, provide the title of the document, its version, date produced and where it is stored. If you are independently assessed you will need to demonstrate the detail of where evidence exists. For large documents you will need to further specify where the evidence can be found.
The outcomes shown in each maturity report are based on open standards and are applicable across the whole MOD. The reports are intended to help you demonstrate increasing security maturity to your stakeholders, for example, your Senior Responsible Owner (SRO), and guide improvement activities where required.
There are two question sets to complete for a capability's self-assessment, depending on your project's stage in the CADMID/T lifecycle.
You can view the question sets on GOV.UK.
Foundation Risk Management Question Set
Supports a capability with tracking progress against suggested risk management activities to provide the foundation for continual risk management and identify gaps in maturity. Completing this generates an assessment report that capabilities can use to demonstrate security maturity to stakeholders.
In-Service Question Set
This question set is based on the NIST Cyber Security Framework (CSF). This framework helps capabilities make risk-based decisions on which controls to implement. A capability may not need to implement all controls set out in the CSF, depending on the results of its risk assessment.
Benefits
Benefits of completing CAAT maturity assessments:
- aids communication with project stakeholders
- provides a snapshot of the project's security posture against best practices
- highlights areas for improvement and informs future security activities
- identifies risk and helps inform mitigations
- provides an understanding of where risks are being managed
- maturity reports can be used to support investment appraisals
- an understanding of strengths and weaknesses in capability security maturity, which can be used to focus efforts for self-improvement
Outcomes
Outcomes of CAAT maturity assessments include:
- a report from each assessment, across various security areas
- an overview of the capability’s security posture, against recognised security best practice
Responsibility
Your MOD delivery team lead is responsible for CAAT maturity assessment.
When to conduct a maturity assessment
CAAT maturity assessments should be completed:
- throughout the capability lifecycle
- when a piece of work is delivered or when maturity increases