Assess your risk

Do regular assessments

To keep your capability or service secure, you need to check what has changed and that your risk strategy is still working.

When you need to do assessments

How often you do assessments depends on your capability or service, but you need to do one at least every 3 months.

You must also do an assessment when:

  • you make changes to the capability or service, including its components or connections
  • new threats emerge that are relevant to it
  • a security breach or incident happens

The Cyber Activity and Assurance Tracker (CAAT)

The Cyber Activity and Assurance Tracker (CAAT) is the tool for MOD delivery teams to:

  • manage and track cyber security activities
  • create assurance reports

The tracker helps teams to manage cyber security outcomes through their lifespan.

The outcomes are based on open standards used across the MOD. The tracker’s reports help delivery teams to demonstrate increasing maturity to their stakeholders.

Using the tracker

Registration

The CAAT is on MODNET and is for capabilities classified at OFFICIAL, including OFFICIAL-SENSITIVE.

To create an account and register your capability, access the CAAT.

If your capability or service is classified above OFFICIAL, you will need to register on DART S.

A MODNET (S) version of the CAAT will be available in 2025.

Once you have an account on the CAAT, you can:

  • register a capability, which is a programme, project or system
  • add multiple admins
  • add multiple users
  • complete assessments and create reports

Completing assessments

Choose the right cyber security assessment form:

  • foundation stage
  • in development and in-service stage

Foundation stage

The foundation stage asks 54 questions about the planning and development of security.

These questions are based on the PREPARE step from the NIST Risk Management Framework (NIST SP 800-37).

This stage should be completed during the early phases of a programme lifecycle. It is useful at any stage to check maturity.

In development and in-service stage

The in development and in-service stage is based on the NIST Cyber Security Framework (CSF) and identifies 108 security outcomes the delivery team should aim to achieve.

The questions help MOD delivery and support teams:

  • think about cyber security
  • identify outcomes they need to achieve
  • track their maturity against these outcomes

Update your assessments

The CAAT is designed for delivery and support teams to use regularly. Updating the CAAT tracks the progress and status of the capability's cyber security.

Get your team involved in completing assessments, as an accurate picture of cyber security depends on input from the people who build and run the capability.

The CAAT should be updated and reviewed by your team at least every 3 months, ideally as part of the capability's standard risk management processes.

Using the assessments

The Secure by Design assessments guide MOD delivery and support teams to manage cyber security through the capability's lifespan.

You need to be able to understand and provide evidence of:

  • areas of strength and areas that need improvement
  • plans for future security activities
  • areas of potential risk
  • what information you share with stakeholders
  • how you protect systems and information
  • how you detect and respond to incidents

The CAAT does not let you upload documentation or evidence. You will need to maintain evidence separately and provide this when requested to support the statements you make in the CAAT.

Share your assessments

Your Senior Responsible Owner (SRO) needs to review and endorse assessment reports through a statement of assurance.

Only SRO endorsed reports can be submitted as evidence at major programme milestones such as business case reviews or Authorisation to Operate (AtO).

Reports of assessments are designed to be shared with stakeholders and support conversations about cyber security, especially between stakeholders of connecting systems.

The assessment report and statement of assurance are a high-level overview of a capability's level of cyber security.

Depending on your capability, stakeholders may need other information and evidence.

Make sure you classify assessment reports correctly. Find out how to classify information.

What you need to cover

Your assessments need to cover the systems and components you use, including external ones.

Make sure the assessments include:

  • a review of your capability or service against the appropriate level of risk
  • risks of sharing your capability or service with other nations
  • an action plan with named owners and dates for completion or review
  • risks that need to be tracked or escalated

Get your team involved in assessments to accurately record the security status of your capability or service.

Regular reviews of your assessments will help you prioritise cyber security activities.

Published August 2024