Meeting NCSC CAF requirements: A healthcare provider’s password and MFA journey


Picture this: you’re leading IT security for a mid-sized NHS trust when notice arrives that you need to demonstrate alignment with the NCSC’s Cyber Assessment Framework (CAF). You know immediately where some gaps will show up – authentication controls.

You’ve got MFA deployed for administrators and a handful of critical applications. Basic password complexity requirements have been in place for years. On paper, it looks reasonable. But CAF doesn’t care about paper compliance. It demands demonstrable, outcome-driven security controls that actually work.

This scenario isn’t unique to healthcare. Any UK public sector organization or critical infrastructure provider facing CAF requirements will encounter similar challenges around identity and access control. Let’s walk through how this journey typically unfolds for an organization.

First CAF audit reveals the gaps

You’ve just run your internal CAF assessment, and uncomfortable truths are emerging about your authentication controls. The framework is explicit: you need broad MFA deployment, phishing-resistant authentication methods, strong password policies that align with NCSC guidance, and auditable evidence of all these controls.

Your specific gaps become clear:

  • MFA coverage is patchy: While admins have MFA, most staff log into Windows workstations with just a password. You’ve got several legacy applications that only authenticate against Active Directory, meaning anyone who compromises those credentials has a straight path in. CAF’s Principle B2 (Identity and Access Control) expects MFA for all users and applications – not just the obvious targets.
  • Reliance on SMS-based MFA: The MFA you do have leans heavily on SMS verification. CAF explicitly pushes organizations toward phishing-resistant factors. SMS is vulnerable to SIM-swap attacks and prompt bombing, techniques that have successfully compromised organizations before. Moving away from SMS isn’t a nice-to-have; it’s a requirement.
  • Password policies haven’t evolved: You’ve been following older guidance: enforcing complexity, rotating passwords every 90 days. But NCSC guidance has shifted. They now recommend longer passwords without forced expiration, combined with continuous scanning for breached credentials. Is there visibility into whether users’ passwords have appeared in credential dumps?
  • Privileged account control is unclear: The assessment finds active administrator accounts that haven’t been reviewed in months. Some were created for specific projects and never removed. Others share passwords across multiple accounts. CAF expects not just limited access, but unique passwords, stronger authentication for privileged accounts, and regular review cycles.

  • Recovery processes create risk: Password resets go through the help desk, authenticated with security questions or email verification. These weak recovery paths could undermine every other control you’ve implemented. CAF requires secure, MFA-protected recovery methods.

Want a quick view of your stale privileged accounts and users with breached passwords? Run a read-only scan with our free tool, Specops Password Auditor. It’s free to keep and you can use these insights to conduct quarterly access reviews.
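As an added illustration (not part of the article and not Specops code), a read-only PowerShell review of the privileged-account and password-policy gaps listed above, assuming the ActiveDirectory RSAT module and a domain-joined account with read access; the 90-day stale threshold and 12-character minimum are assumptions for the example, not NCSC figures.

```powershell
# Added example: read-only review of CAF Principle B2 gaps in Active Directory.
# Assumes RSAT ActiveDirectory module; thresholds below are assumptions.
Import-Module ActiveDirectory

$StaleDays         = 90     # assumed review threshold for unused privileged accounts
$MinLengthExpected = 12     # assumed organisational minimum length, not an NCSC figure
$PrivilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Privileged accounts: enabled members of admin groups (nested groups included),
#    flagging stale logons, non-expiring passwords and "password not required".
$cutoff  = (Get-Date).AddDays(-$StaleDays)
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName
}
$report = $members | Sort-Object -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_ -Properties LastLogonDate, PasswordLastSet,
                                             PasswordNeverExpires, PasswordNotRequired
    if ($u.Enabled) {
        [pscustomobject]@{
            Account              = $u.SamAccountName
            LastLogonDate        = $u.LastLogonDate
            Stale                = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordNotRequired  = $u.PasswordNotRequired
        }
    }
}
$report | Where-Object { $_.Stale -or $_.PasswordNeverExpires -or $_.PasswordNotRequired } |
    Format-Table -AutoSize

# 2. Password policy: compare the default domain policy and any fine-grained policies
#    with the direction described above (length over complexity, no forced expiry).
#    A MaxPasswordAge of zero means passwords never expire.
$policies = @(Get-ADDefaultDomainPasswordPolicy) + @(Get-ADFineGrainedPasswordPolicy -Filter *)
foreach ($p in $policies) {
    $name = if ($p.Name) { $p.Name } else { 'Default Domain Policy' }
    [pscustomobject]@{
        Policy            = $name
        MinPasswordLength = $p.MinPasswordLength
        LengthOK          = $p.MinPasswordLength -ge $MinLengthExpected
        MaxPasswordAge    = $p.MaxPasswordAge
        ForcedExpiry      = $p.MaxPasswordAge.TotalDays -gt 0
        ComplexityEnabled = $p.ComplexityEnabled
    }
}
```

Both sections only read from the directory, so the script is safe to run ahead of a quarterly access review; detecting passwords shared across accounts needs hash-level comparison that this read-only query cannot do.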

Meeting CAF compliance with AD-native solutions

Now you’re facing a common dilemma, particularly in healthcare: limited budget, legacy systems that can’t be easily replaced, and zero tolerance for operational disruption. You need controls that will integrate with your existing AD environment while meeting CAF’s outcome-based requirements.

This means enforcing MFA at the Windows logon level, implementing continuous password breach scanning, strengthening privileged account controls, and securing self-service password resets.

Your solution comes together through AD-native tooling that can deliver CAF outcomes without replacing your identity stack.


Simple deployment with Specops

Your hypothetical organization could go about meeting CAF requirements with the following rollout of Specops Software solutions:

  • MFA deployment: Specops Secure Access can be used to enforce MFA at Windows logon, RDP, and VPN. This means every user (clinical staff, administrators, contractors) authenticates with MFA regardless of which application they access. Your deployment covers the gaps CAF auditors will look for. Specops Secure Access also lets you shift from SMS to authenticator app-based factors, addressing the phishing-resistance requirement.
  • Password policies and hygiene: You can deploy Specops Password Policy for continuous scanning against databases of breached credentials, blocking over 4 billion passwords that have appeared in known breaches. You can also easily enforce length requirements in line with NCSC guidance (focusing on length over complexity) and remove forced 90-day expiration. Without expiration, continuous breach scanning becomes critical – exactly what CAF expects.
  • Privileged account controls: These are strengthened through differentiated MFA policies in Specops Secure Access, requiring phishing-resistant factors for all administrative access. You can combine this with Specops Password Policy to enforce unique, complex passwords for admin accounts.
  • Secure recovery: Implement Specops uReset with MFA-protected self-service password resets and verification flows that match the security of your primary authentication. This closes the backdoor that weak recovery processes create while reducing help desk load.

Six months later: Meeting CAF without disruption

You’ve completed your follow-up CAF assessment. The authentication controls that were flagged as gaps now meet the framework’s requirements.

More importantly, you’ve achieved this without disrupting operations. Because your controls integrated with Active Directory, deployment happened without replacing existing systems or retraining staff on entirely new workflows. You can demonstrate compliance through AD-native logs and reports – exactly where auditors expect to find evidence.

The broader lesson isn’t about any specific product. It’s about understanding what CAF actually requires. The framework isn’t prescriptive about which tools you use. It’s prescriptive about outcomes: Can you prove your authentication controls work? Can you demonstrate continuous password hygiene? Can you show that privileged accounts are properly controlled?

The path forward with CAF

Whether you’re an NHS trust, a local council, or a critical infrastructure provider facing CAF requirements, your path forward starts with honest assessment. Where are your MFA gaps? Are you still using SMS verification? Do you have visibility into breached passwords? How strong are your privileged account controls? These aren’t theoretical questions; they’re what auditors will ask.

The good news is that addressing these gaps doesn’t require rebuilding your entire identity infrastructure. AD-native tools can deliver CAF outcomes while working with the systems you already have. For organizations with limited resources and zero tolerance for operational disruption, that makes all the difference. Speak to us about meeting CAF compliance today.

Last updated on October 28, 2025


Written by

Marcus White

Marcus is a cybersecurity product specialist based in the UK, with 8+ years of experience in the tech and cyber sectors. He writes about authentication, identity and access management, and compliance.
