Evidence-led CAF mapping without inference or scoring.
SIFTR helps cyber and assurance teams understand how their existing documents support the UK Cyber Assessment Framework (CAF), using quoted, auditable evidence.
What SIFTR Does
1. You upload your existing CAF artefacts
Policies, strategies, risk docs, governance papers nothing new to write.
2. SIFTR maps them to CAF outcomes
Each outcome is assessed using quoted evidence only no inference, no scoring.
3. Coverage is shown clearly
Outcomes are marked Strong, Partial, or None, with supporting quotes.
4. Humans stay in control
Outputs support discussion and review final judgement always stays with your team.
The Technical Q&A (Trust & Liability)
No. SIFTR supports evidence review only. It does not make compliance determinations, maturity ratings, or automated decisions. All judgement and accountability remains with your organisation.
No. SIFTR does not assign scores or maturity levels. It shows how uploaded evidence supports CAF outcomes, using quoted evidence only. Coverage is categorised according to NCSC Indicators of Good Practice (IGP): Achieved, Partially Achieved, or Not Achieved.
Yes. Documents are processed in a secure, access-controlled environment and can be deleted at any time. SIFTR operates a stateless pipeline: once the session ends, data is purged. Full details on data handling and security controls are available in our Trust Centre.
SIFTR is designed for cyber security, governance, risk, and assurance teams working with the UK Cyber Assessment Framework (CAF) 4.0.
Yes. Outputs are designed to map 1:1 with GovAssure Stage 3 reporting requirements and support internal audit discussions. They provide a structured "first pass" but do not constitute a formal regulatory submission.
Yes. SIFTR is currently in a live beta phase. Functionality is intentionally conservative to ensure 100% accuracy in evidence extraction while the approach is validated with our pilot partners.
Practical guidance, platform updates, and regulatory insight from SIFTR.