Overview of the CAF for local government
What the Cyber Assessment Framework (CAF) for local government involves.
An overview of the CAF for local government and what your council can start working on now.
What the CAF for local government involves
The CAF for local government is available to councils in England to help them assess their cyber resilience.
We have launched the initial stages of the CAF for local government, enabling councils to get a head start while we continue to develop the framework based on your feedback. We plan to launch the full service by spring 2025.
For councils wishing to move swiftly through the CAF process, we recommend using these timelines to plan your CAF for local government assessment.
Stage of the assessment | Estimated time for team to complete | When guidance will be available |
---|---|---|
Prepare for the CAF for local government | 45 hours | Available now |
Set the scope of your assessment | 30 to 35 hours | Available now |
Complete a self-assessment of your organisation | 40 hours | Available now |
Assure your organisation assessment and develop your improvement and implementation plan (IIP) | 15 to 20 hours | Available now |
Map the architecture of your critical systems | 20 hours (per critical system) | Spring 2025 |
Complete a self-assessment of your critical systems | 60 hours | Spring 2025 |
Assure your critical systems assessment and develop your improvement and implementation plan (IIP) | 20 hours | Spring 2025 |
These times are estimates and are likely to vary depending on:
- the size of your council
- access to relevant stakeholders
- your ability to prioritise the CAF for local government
What you can do now to get ahead
Available now
Prepare to start the CAF for local government
Prepare your council for the self-assessment, including planning your schedule and identifying key roles and responsibilities.
Find out how to prepare to start the CAF for local government.
Set the scope of your assessment
Document your organisational context and essential services, and identify and prioritise three critical systems.
Find out how to set the scope of your assessment.
Complete a self-assessment of your organisation
Evaluate how well your council is managing security risk (objective A) and minimising the impact of cyber security incidents (objective D).
Find out how to complete the self-assessment of your organisation.
Independent assurance review of your organisation self-assessment
Get an external view of how well your council is managing security risk and minimising the impact of cyber security incidents.
Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your organisation.
Find out about the independent assurance process, and then how to arrange independent assurance.
What you can do next
Guidance we plan to launch in spring 2025
Map the architecture of your critical systems
Create system architecture diagrams of up to three of the critical systems you identified during scoping.
Complete a self-assessment of your critical systems
Evaluate how well your council is protecting against cyber attack (objective B) and detecting cyber security events (objective C).
Independent assurance review of your critical system self-assessment
Get an external view of your council’s ability to protect against cyber attacks and detect cyber security events.
Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your critical systems.