NCSC CAF vs NIST CSF 2.0: Comparison & Mapping
Learn how NIST CSF 2.0 and NCSC CAF differ, where they overlap, and how UK CNI organisations can map between them to reduce duplication.
Ben Rose
Director

Why this comparison matters for UK organisations
If you operate Critical National Infrastructure (CNI) in the UK, or provide services into regulated sectors such as defence, energy, transport or government, you are increasingly likely to encounter both the NIST Cybersecurity Framework (CSF) 2.0 and the NCSC Cyber Assessment Framework (CAF).
Your risk owners, board sponsors, and security teams may already be working to the NIST CSF 2.0, especially if your organisation has a global footprint or holds US-facing contracts. At the same time, your UK regulators, clients, and sector assurance regimes expect alignment with the NCSC CAF.
The question is no longer "which framework?" It is: what do they actually do differently, where do they overlap, and how much of your existing programme can you reuse?
What each framework is designed to do
| | NIST CSF 2.0 | NCSC CAF |
|---|---|---|
| Origin | US National Institute of Standards and Technology | UK National Cyber Security Centre |
| Primary audience | Organisations of any size, any sector, globally | UK CNI operators and their supply chain |
| Core purpose | Voluntary risk management framework | Regulator-facing assurance and assessment framework |
| Scope | Enterprise-wide cybersecurity governance | Cyber resilience of essential functions and services |
| Structure | Six functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER | Four objectives: Manage security risk, Protect against cyber attack, Detect cyber security events, Minimise the impact of cyber security incidents |
| Maturity approach | Informative references and implementation examples; outcome-oriented rather than purely prescriptive | Indicators of Good Practice (IGPs); regulator-issued profiles define required maturity |
| Assessment | Self-assessment or third-party audit (voluntary) | CAF-based assessment used by competent authorities to assess compliance with the UK NIS Regulations (Network and Information Systems Regulations 2018) |
| Regulatory driver | Voluntary; often contractually mandated in US supply chains | Used by competent authorities to assess compliance with the UK NIS Regulations |
Where they overlap
Both frameworks cover the same fundamental territory: understanding your assets, protecting them, detecting incidents, responding effectively, and recovering with resilience. The mapping is not one-to-one, but it is close enough to save significant work.
Organisations with mature NIST CSF or ISO 27001 programmes are often surprised by how much existing evidence can be reused during a CAF assessment.
Both also place strong emphasis on governance. NIST CSF 2.0 elevated GOVERN to a top-level function. CAF treats management of security risk as its first objective. Neither framework is purely technical; both expect board-level accountability, documented risk appetite, and clear ownership.
Where they diverge
The most important distinction is the concept of the essential function.
NIST CSF 2.0 is designed to improve enterprise-wide cybersecurity posture. It asks: how well are we managing cyber risk across the organisation?
CAF is designed to protect the essential function — the specific activity or service whose loss would cause serious harm to the UK. It asks: how resilient is this particular function against cyber attack, and can it continue operating under stress?
This changes how you scope your programme. Under NIST, you might secure the whole estate. Under CAF, you must first identify the essential function, then trace the systems, people, and dependencies that directly support it, and test resilience against targeted disruption to that function.
CAF also requires you to demonstrate that your controls are effective in practice, not just documented. An assessor will look for evidence that protections are implemented, monitored, and regularly tested — and that you can show what happened when they were exercised.
Assessment context
NIST CSF 2.0 assessments are typically voluntary or contractual. You can self-assess, use a third party, or benchmark against the framework without any external validation. The value is internal: clearer risk visibility, better board reporting, and structured improvement.
CAF assessments are regulatory. For UK CNI operators, they are mandatory under the UK NIS Regulations. The assessment is conducted against a regulator-issued CAF profile that specifies which IGPs are in scope and the required maturity level for each. You must produce evidence. The assessor will probe it. The output informs regulatory oversight and can lead to enforcement if gaps are not addressed.
What this means in practice
If you are a UK CNI operator with an existing NIST CSF 2.0 programme, you do not need to start again. Much of your work maps across. But you will need to:
- Re-scope around your essential function, not the whole enterprise
- Ensure your evidence is assessor-ready, not just internally documented
- Add CAF-specific elements such as IGP coverage, profile alignment, and regulator engagement
If you are building a CAF programme from scratch, NIST CSF 2.0 remains a useful reference for structuring your underlying security controls — particularly GOVERN, IDENTIFY, and PROTECT. But the CAF profile and assessment process must drive your priorities.
What about your supply chain?
Many organisations are now required to demonstrate CAF alignment not just for themselves, but for their critical suppliers. If you deliver into UK CNI, your customers may ask for CAF evidence as part of procurement or assurance. Equally, if you are a supplier with a mature NIST programme, understanding how that maps to CAF can accelerate contract negotiations and reduce duplicated effort.
Practical playbook for organisations holding both
- Map your current state. If you have NIST CSF 2.0 or ISO 27001 in place, run a gap analysis against your regulator's CAF profile. Identify where evidence already exists and where it needs to be strengthened or re-scoped.
- Identify your essential function. Work with operational leaders to define the specific service or activity whose loss would cause serious harm. This is the anchor for your entire CAF scope.
- Align evidence to IGPs. Ensure your policies, controls, and testing records directly address the IGPs in your profile. Cross-reference NIST functions and ISO controls where they apply.
- Exercise against the essential function. Run tabletop and technical exercises that simulate disruption to the essential function specifically, not just generic cyber incidents. Test detection, response, continuity, and recovery in sequence.
- Prepare for assessor engagement. Document not just what you do, but how you know it works. Include monitoring data, test results, and evidence of continuous improvement.
Bringing the two frameworks together
NIST CSF 2.0 and CAF are not competing frameworks. For most organisations, the challenge is not choosing between them but understanding how they fit together. NIST provides a flexible structure for managing cyber risk, while CAF provides a framework for demonstrating resilience against the outcomes regulators and critical infrastructure operators care about most.
Organisations that approach them as complementary frameworks can often reuse a significant proportion of their existing controls, evidence and governance processes, reducing duplication while improving assurance.
How P3M Works helps
We support UK CNI operators and their supply chains with:
- CAF readiness assessments and gap analysis
- Mapping of existing NIST, ISO 27001, and cyber assurance programmes to CAF profiles
- Essential function scoping and resilience testing
- Regulator engagement and assessor readiness support
- Cyber governance support
If you would like to understand how your current NIST, ISO 27001 or cyber assurance activities align with CAF, we can help identify where you already have evidence, where the gaps are, what is likely to satisfy an assessor, and what needs to change before an assessment.
We typically begin with a short discovery and alignment session to assess your current position, identify gaps and build a practical roadmap forward.