Objectives, principles and contributing outcomes

The CAF for local government is built around four core objectives, underpinned by principles and contributing outcomes that demonstrate good cyber security and resilience.

About the CAF objectives

The Cyber Assessment Framework (CAF) for local government has four core objectives that cover cyber resilience. The objectives are grouped into two self-assessments to help you plan your collaborator involvement more effectively.

Self-assessment of your organisation

Managing security risk (objective A)

This objective looks at whether you have organisational structures, policies and processes in place to understand, assess and manage security risks to the network and information systems supporting your essential functions.

Minimising the impact of cyber security incidents (objective D)

If your organisation was attacked, how ready are you to respond? This objective examines your capability to minimise the impact of a cyber security incident on the operation of your essential functions, and how you might restore them.

Self-assessment of your critical systems

Protecting against cyber attack (objective B)

Demonstrate where and how you have proportionate security measures in place to protect the critical systems supporting your essential functions from cyber attack.

Detecting cyber security events (objective C)

This looks at the reactive side of cyber security. Assess your capability to ensure security defences remain effective and can detect cyber security events affecting, or with the potential to affect, essential functions.

About the CAF principles

There are 14 principles that underpin the CAF objectives. They outline the activities organisations should maintain for good cyber security and resilience.

The CAF principles are:

Governance (A1)
Risk management (A2)
Asset management (A3)
Supply chain (A4)
Service protection policies and processes (B1)
Identity and access control (B2)
Data security (B3)
System security (B4)
Resilient networks and systems (B5)
Staff awareness and training (B6)
Security monitoring (C1)
Proactive security event discovery (C2)
Response and recovery planning (D1)
Lessons learned (D2)

For more information about each principle, see the NCSC’s table of principles and related guidance.

Contributing outcomes and indicators of good practice

CAF principles have contributing outcomes that demonstrate good cyber security. You complete your self-assessments by evaluating how your council currently meets each contributing outcome.

Each contributing outcome has a set of indicators of good practice (IGPs). These describe whether a contributing outcome is being:

‘achieved’
‘not achieved’ or
‘partially achieved’

Find out how to use the indicators of good practice.

Understanding which IGPs you meet will provide you with a good starting point for deciding if you have achieved a contributing outcome or not.

You will understand your council better than anyone externally. You should make informed, balanced decisions on how these principles and the contributing outcomes relate to your organisation.

To help you assess your council against each principle, visit useful links and resources.

The CAF profile for local government

The Ministry of Housing, Communities and Local Government (MHCLG) has worked with councils and cyber security experts to establish a profile of the NCSC’s Cyber Assessment Framework specifically tailored to the local government sector.

The CAF profile for local government provides councils with a baseline to work towards. It is based on recognised levels of threat.

The profile is considered ‘Official-Sensitive’. To view it, you need to sign-in with an email address associated with a governmental body or local authority. For example, an email address that ends in gov.uk. You do not need to set up an account. Find out how your privacy is protected.

How the CAF relates to other cyber standards

Contact the CAF for local government team

Email us to ask a question or share feedback.