Scope & limitations

This page sets out what SIFTR covers today, how it aligns to the UK Cyber Assessment Framework (CAF), and the boundaries of what the platform is designed to do.

SIFTR is intentionally scoped to support evidence-led internal assessment and assurance. It is not designed to automate CAF judgements or replace human decision-making.


CAF alignment

SIFTR aligns to the structure and intent of the UK Cyber Assessment Framework (CAF) version 4.0.

The CAF is an outcome-based framework that relies on expert judgement, informed by evidence and context. SIFTR is designed to support this approach by helping teams locate, organise and review evidence already held within the organisation.

SIFTR currently supports mapping against:

  • CAF Objective A — Managing security risk
  • CAF Domain A — Governance

Support for additional CAF objectives and domains may be introduced in future, but is not assumed or implied.


What SIFTR assesses

SIFTR analyses uploaded organisational documents to identify explicit evidence relevant to CAF outcomes.

Examples of in-scope documents include:

  • Cyber security strategies
  • Information security policies
  • Risk management frameworks
  • Governance and oversight papers
  • Committee terms of reference
  • Assurance and review documentation

Evidence is assessed only where it is clearly stated in the source material.


Evidence coverage approach

SIFTR reports evidence coverage using the following labels:

  • Strong — clear, explicit evidence is present and directly supports the CAF outcome
  • Partial — some relevant evidence is present, but important detail, consistency or clarity is missing
  • None — no explicit evidence was found in the uploaded documents

This approach is designed to reflect evidence presence, not capability, maturity or effectiveness.

SIFTR does not apply Red/Amber/Green (RAG) ratings or equivalent scoring schemes.


What SIFTR does not assess

To remain accurate and defensible, SIFTR does not:

  • Judge whether CAF outcomes are achieved
  • Assign maturity levels or compliance status
  • Assess the effectiveness of controls in operation
  • Weigh organisational context, risk appetite or proportionality
  • Replace internal or external assurance activity

These judgements require human expertise and organisational knowledge that sits outside the scope of automated analysis.


Human judgement and accountability

SIFTR is a decision-support tool.

Customers remain responsible for:

  • Interpreting evidence in organisational context
  • Making CAF judgements and assertions
  • Determining proportionality and risk acceptance
  • Presenting outcomes to regulators, auditors or oversight bodies

SIFTR outputs are intended to be reviewed, challenged and supplemented as part of normal governance and assurance processes.


Limitations

SIFTR’s outputs depend on:

  • The quality and completeness of uploaded documents
  • How clearly governance arrangements are described in writing
  • The scope of documents selected for analysis

Where evidence is missing, unclear or outdated, SIFTR will state this explicitly.


Changes and versioning

SIFTR records:

  • The CAF version used for analysis
  • The date and time of assessment
  • The documents included in scope

This supports traceability over time as documentation, governance arrangements or CAF guidance evolve.


Last updated: January 2026

© 2026 SIFTR PBC. All rights reserved.