
Author: Government Security Group (GSG), Cabinet Office

GovAssure for central government departments

GovAssure is the new cyber security assurance approach for government that will replace the cyber security element of the Departmental Security Health Check (DSHC) in 2023. GovAssure will launch from April 2023.

GovAssure uses the National Cyber Security Centre’s Cyber Assessment Framework (CAF) and meets the requirements for an objective understanding of government cyber security as set out in the Government Cyber Security Strategy.

Departments will assess critical systems against one of two CAF profiles for government, the Baseline or the Enhanced Profile. This will provide departments and the Security Function with a more effective mechanism to understand the level of cyber resilience across government.

Scope of GovAssure

GovAssure is designed for OFFICIAL systems and does not currently apply to systems processing data classified as SECRET or above. Higher classification systems will be considered at a later date. GovAssure will apply to government sector Critical National Infrastructure (CNI), bringing them under a common assurance process for cyber.

The 5-stage GovAssure process

Stage 1 – Departmental context, essential services and mission

The department describes the strategic context of its organisation to identify essential services and its mission.

Stage 2 – In-scope systems and alignment to CAF profile

The department identifies systems and defines any boundaries and dependencies. Systems are prioritised for assessment in every financial year, and assigned the appropriate CAF profile (Baseline or Enhanced).

Stage 3 – Self-assessment against the CAF

The department completes self-assessment for each system in scope and collects supporting evidence.

Stage 4 – Independent Assurance Review

An independent assessor reviews the self-assessment, providing independent verification of the assessment. Assessors will meet the minimum security and assurance requirements.

Stage 5 – Final Assessment and Get Well Plan

A final report is produced, outlining recommendations to be implemented to reduce cyber risk. This will be a key mechanism to support investment and decision making. The Get Well plan is agreed separately with the department.

Government organisations undergoing GovAssure will be asked to identify key systems that support critical government functions, services, and organisational missions. Organisations will then determine whether they meet the conditions for higher threat systems, before assessing them against either the Baseline profile or the Enhanced profile.

Baseline Profile

All government organisations will need to meet the Baseline Profile. The Government Security Group (GSG), Cyber GSeC, NCSC and Central Digital and Data Office (CDDO) developed this profile in collaboration.

The Baseline Profile was developed by modelling the most likely impactful attacks against government and determining the Indicators of Good Practice (IGPs) within the outcomes of CAF which would mitigate the attack.

Enhanced Profile

Systems and organisations which are at higher threat, due to their business, data or exposure will need to consider using the Enhanced Profile. These could include organisations:

  • hosting government sector CNI
  • hosting large valuable PII datasets
  • with wider dispersed geography
  • performing national security functions

The Enhanced Profile does not represent a higher classification tier, and still applies only to OFFICIAL systems. The profile does not change the threat model but is constructed to give organisations the mandate and the capability to detect and remediate activity earlier in the attack chain, and to better understand the impact of activity should it be detected.

The Enhanced Profile will be published in due course.

Developing the GovAssure process

GovAssure Consultation

The GovAssure project team worked with government and commercial organisations and ran a series of detailed consultation workshops with lead government departments to identify areas for modification. Lessons have also been taken from other sectors implementing the CAF.

Policy and Guidance

The Government Cyber Security Policy Framework, which will be published soon, contains cyber security policy and guidance for public sector organisations. It will help departments in meeting the outcomes of the Government CAF Profiles and act as a centralised framework to advance the objectives set out under the Government Cyber Security Strategy.

Pilots

A phased pilot programme with 3 lead government departments started in September 2022. Many lessons from the pilot have already been integrated to improve the end-to-end process of GovAssure. This will continue in the run up to launch.

WebCAF

GovAssure will include a user-friendly web portal, called WebCAF, for departments to use when submitting their self-assessments. Further information on WebCAF will be made available in the run up to launch.

Commercial approach

Government organisations will be able to acquire third-party assessors for GovAssure from Crown Commercial Service’s Cyber Security Services 3 Framework. Third-party assessors will be required to meet a set of minimum requirements and accreditation which has been set in agreement with NCSC.

Further information

If you have any questions or require any further information email cybergovassure[at]cabinetoffice.gov.uk.
