🇬🇧 UK NCSC CAF / NIS Toolkit

Meet UK NIS & NCSC CAF Objective D Readiness
with AI-Powered OT/ICS Tabletop Scenarios

UK operators of essential services and critical national infrastructure are assessed against the NCSC Cyber Assessment Framework (CAF). Objective D — response and recovery planning, and lessons learned — expects response plans tested with the people who execute them. CyberICS delivers 300+ ready-to-run OT scenarios with AI-generated After Action Reports that produce CAF-mappable contributing-outcome evidence and drill the UK NIS 72-hour reporting duty.

CAF D1 — Response Plans Tested with Real Responders
CAF D2 — Working Lessons-Learned Cycle
UK NIS 72-Hour Competent-Authority Reporting
Contributing-Outcome Evidence, Every Exercise
Start Free — 14-Day Trial Talk to Our UK Team
Compliance Note: CyberICS's exercise scenarios reference the UK NIS Regulations and the NCSC Cyber Assessment Framework (CAF) as part of a structured training and preparedness program. Exercising on this platform supports — but does not replace — formal CAF assessment by your competent authority and statutory NIS reporting, which require engagement with your competent authority and the NCSC. Consult qualified legal and compliance counsel for official determinations.
Applicability

Who Is Assessed Against the NCSC CAF

The UK NIS Regulations and the NCSC CAF apply to operators of essential services and relevant critical national infrastructure. Objective D indicators expect regular, realistic exercising — tracked here as live practice clocks.

⚡ Operators of Essential Services (OES)

Energy, water, transport, health, and digital-infrastructure OES assessed against the CAF must exercise response plans to the Objective D "achieved" indicators and demonstrate UK NIS reporting to their competent authority.

🏭 Critical National Infrastructure Operators

CNI operators must exercise degraded-operations decision-making, resilient-networks fallbacks (CAF B5), and supply-chain response (CAF A4) where it meets response and recovery under Objective D.

👤 Incident Responders & CAF Self-Assessors

The people who actually execute the response — plus those preparing the CAF self-assessment — must exercise plan activation, communications discipline, and the lessons-learned cycle that Objective D2 expects.

Standards Alignment

NCSC CAF Objective D — How CyberICS Maps to Each Outcome

CAF Objective D (response & recovery, lessons learned), the UK NIS reporting duty, and the resilience/supply-chain outcomes that feed it are the ones most directly addressed by tabletop exercises. The D1 exercise and D2 lessons clocks are tracked live.

NCSC CAF Contributing-Outcome Mapping Reference

Relevance: Direct = exercise explicitly required  |  Supporting = exercise validates controls  |  Scenario = scenario content covers the threat domain

Standard Title Key Requirement Addressed CyberICS Capability Relevance
CAF D1.a/b Response Plan & Activation Maintain and exercise response plans, tested realistically with the personnel who execute them (D1 indicators of good practice). A formal, evaluated exercise to the D1 "achieved" indicators — realistic scenario, actual responders, decision authorities under pressure; the AAR is the evidence. Direct
CAF D2 Lessons Learned Demonstrate a working lessons-learned process: post-incident/exercise reviews driving improvement. The structured debrief runs the D2 cycle for real; findings become tracked remediation items with exercise-verified closures. Direct
UK NIS Competent-Authority Reporting (72h) Report NIS incidents to the competent authority without undue delay and within 72 hours. Scenarios drill NIS reportability thresholds and the 72-hour report; in-exercise reporting-decision timestamps in the compliance log. Direct
CAF B5 Resilient Networks & Systems Sustain essential-service delivery with monitoring and control degraded; manual fallbacks and safety-first decisions. Loss-of-visibility scenarios exercise manual procedures, field verification, and service-curtailment thresholds as contributing-outcome evidence. Scenario
CAF A4 Supply-Chain Response Respond where supply-chain assurance (A4) meets response (D1): a shared industry provider is breached. Supply-chain scenarios exercise sever-and-verify, coordinated disclosure with sector peers, and NIS reportability assessment. Scenario
CAF A-D Objective-D Self-Assessment Map the year's evidence to CAF contributing outcomes ahead of the competent authority's assessment. The capstone facilitated self-assessment grades D1/D2 contributing outcomes honestly using the year's AARs and packages the file. Supporting
Platform Capabilities

How CyberICS Directly Supports CAF Objective D Readiness

Three platform capabilities work together to produce CAF-mappable contributing-outcome evidence and drill the NIS reporting duty.

🎲
CAF D1 Exercise Record

Documented Exercise Execution

Live Session mode provides a structured, real-time exercise environment. Participants join by code, respond to scenario steps, and all activity is timestamped — creating an auditable exercise record.

  • Timestamped participant activity log
  • Step-by-step scenario walkthrough record
  • Host control bar with session metadata
  • Exercise duration and completion record
📋
CAF D1 Exercise Record

AI-Generated After Action Report

CyberICS's AI engine generates a structured AAR immediately after each exercise — documenting gaps identified, recommended corrective actions, and framework alignment.

  • Structured gap analysis with severity ratings
  • Framework reference per identified gap
  • Corrective action recommendations
  • Downloadable PDF in minutes, not days
📄
Audit Evidence Package

Compliance Evidence Export

The Compliance Dashboard generates per-framework evidence packages — a multi-page audit PDF covering exercise log, controls mapping, gap analysis, remediation timeline, and formal attestation page.

  • Exercise date, participants, and scenario record
  • Framework controls coverage map
  • Gap-to-remediation timeline
  • Attestation page for compliance files
Scenario Library

UK CNI Scenarios — Ready to Run

Six high-fidelity scenarios are immediately available, sequenced from foundational to advanced. Each exercises CAF Objective D outcomes and NIS reporting across your OT, communications, and executive teams.

Response & Reporting
Plan Activation + UK NIS 72-Hour Report

An intrusion is confirmed in the control network of your essential service. Tests response-plan activation, NIS reportability thresholds, the 72-hour competent-authority report, and NCSC engagement.

CAF D1 UK NIS Reporting
Degraded Operations
Loss of Operational Visibility

SCADA visibility drops across a region after a suspected attack on the comms estate. Tests manual procedures, field-verification priorities, and service-curtailment thresholds as CAF B5/D1 evidence.

CAF B5 Manual Ops Safety
Supply Chain
Shared-Service Provider Compromise

A provider of shared OT engineering services to several UK operators reports a breach; your sites use their platform. Tests sever-and-verify, coordinated disclosure, and NIS reportability.

CAF A4 Vendor Disclosure
Formal Exercise
Annual Response Exercise (CAF-Mapped)

A planned, evaluated exercise to CAF D1 "achieved" indicators — plan activation, roles, communications, recovery authority. The structured debrief runs the D2 lessons cycle for real.

CAF D1 CAF D2 Governance
Public Communications
Media-Pressure Incident

Your incident trends on national news before the 72-hour report is filed; a minister's office wants answers today. Tests running technical response and public communications in parallel without contradiction.

CAF D1 Comms Authority
Self-Assessment
CAF Self-Assessment Under Live Conditions

A multi-stage incident (phish → OT foothold → attempted disruption) is exercised end-to-end, then the team runs a facilitated CAF Objective-D self-assessment using the year's AARs as evidence.

CAF A-D D2 Assessment

Plus 59 additional scenarios across Energy, Water, Transport, Health, Manufacturing, and more. Browse the full library →

Evidence Artifacts

Audit-Ready Documentation — Every Exercise

Every CyberICS exercise automatically generates four categories of evidence that map directly to CAF contributing outcomes and NIS reporting.

📋
After Action Report (AAR)

AI-generated structured PDF with gap analysis, corrective actions, and framework references. Ready within minutes of exercise completion.

CAF D1 Exercise Record
📈
Compliance Evidence Package

Multi-page per-framework audit PDF: exercise log, controls mapping, gap analysis, remediation timeline, and signed attestation page.

CAF D2 Lessons Loop
🕑
Session Activity Transcript

Timestamped record of all participant responses, host actions, and step progression. Demonstrates real exercise activity to auditors.

UK NIS 72h Log
🔗
Gap-to-Ticket Tracking

Gaps identified in the exercise are automatically pushed to ServiceNow or Jira as remediation tickets — creating a documented corrective action trail.

Remediation Evidence

Explore the Full Regulatory Toolkit Library

CyberICS exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Ready to Exercise CAF Objective D?

Start free with a 14-day trial — no credit card required. Or talk to our UK team about CAF-mapped exercise programs ahead of your competent authority's assessment.

Also explore: IEC 62443 Toolkit  ·  ISO 27001 Toolkit  ·  NIS2 Toolkit