Capability registration
Every capability, regardless of their lifecycle stage, must be registered on the Cyber Activity and Assurance Tracker (CAAT), as mandated by JSP 440 Leaflet 5C.
Capabilities already registered on DART should not re-register on CAAT. These capabilities will be migrated automatically.
Capabilities above OFFICIAL SENSITIVE should continue to register on DART S.
Capabilities above OFFICIAL SENSITIVE should continue to register on DART S.
There is further guidance on how to use the CAAT on MODNet.
It is not mandatory for systems to register on CAAT. However, you should cover the systems and components you use, including external ones, within assessments.
Suppliers are not responsible for registering capability’s on CAAT. They will need to work with their Defence contracting authority for this.
It is not mandatory for systems to register on CAAT. However, you should cover the systems and components you use, including external ones, within assessments.
Suppliers are not responsible for registering capability’s on CAAT. They will need to work with their Defence contracting authority for this.
Benefits
The benefits of registering your capability are:
- capability teams can track the progress and status of their cyber security maturity
- provides easy and common reporting to share information with their SRO (or suitable equivalent) and other stakeholders (for example, scrutiny community – who will require this to support approvals)
Outcomes
Your capability is registered on CAAT ready for self-assessments.
Responsibility
Your capability should be registered by:
- capability sponsor
- Senior Responsible Owner (SRO) or suitable equivalent
- delivery team lead
- delivery team security lead
When to register your capability
You should register your capability at pre-concept or concept stage.