
GovAssure and your supply chain: what actually changes

GovAssure made the NCSC Cyber Assessment Framework the spine of UK government cyber assurance. The headline is the department-level assessment - but the part that quietly catches teams out is the supply chain.

Why the supply chain is in scope

The CAF is explicit about third parties. Objective A4 is entirely about supply chain risk management, and the protective outcomes under Objective B assume you can evidence the security of the systems and services others run on your behalf. You cannot claim a contributing outcome is ‘achieved’ if a critical supplier’s control is a black box.

That turns a department-level exercise into a supply-chain-level one. The lead government department wants to see not just your controls, but a defensible view of the suppliers your essential services depend on.

Where it gets hard

Most teams hit the same three walls:

  • Scale - hundreds or thousands of suppliers, assessed by a handful of people.
  • Evidence - scattered across SharePoint, email and screenshots, rebuilt by hand every cycle.
  • Consistency - the same Indicator of Good Practice judged differently by different assessors.

None of these are solved by a bigger spreadsheet. They are solved by capturing evidence once, assessing consistently, and keeping the picture current between submissions.

How to approach it

Profile and scope first: not every supplier warrants the same depth, so tie assessment depth to criticality. Assess against the CAF natively, at IGP level, so judgements are defensible. Let evidence inherit across contributing outcomes - capture once, satisfy many. Then assemble the GovAssure Stage 1-4 pack from that evidence rather than rebuilding it.

Done this way, the next GovAssure cycle is a review, not a rebuild - and the supply-chain question has an answer you can stand behind.
