GovAssure Overview
GovAssure is the new cybersecurity assurance scheme for Government organisations, designed to support the objectives and aims of the Government Cyber Security Strategy (GCSS).
Please email cybergovassure@cabinetoffice.gov.uk for a transcript if required.
What is GovAssure?
The GCSS aims to harden Government’s essential functions by improving the security of the networks and information systems that are critical to delivering those functions, offering greater resilience to cyber attack and to known vulnerabilities and attack methods.
GovAssure is a five-stage process which:
- is underpinned by the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF)
- aligns with Critical National Infrastructure (CNI) best practice
- uses a systematic and comprehensive approach to assess outcomes and to identify the extent to which cyber risks to essential services are being managed by the government organisation responsible for them
Organisations are required to actively manage and report on the cyber capability, risk and resilience of their networks and systems against the appropriate security outcomes, which are underpinned by threat-driven, Government-specific CAF profiles (Baseline and Enhanced). GovAssure is accompanied by centralised cyber security policy and guidance for Government to support best practice.
Organisations’ self-assessments will be objectively verified by independent assurance reviewers. GovAssure will allow Government to identify and aggregate risks and to measure progress against the GCSS.
The two main aims of GovAssure are to:
- enable organisations to accurately assess the level of cyber assurance for their critical systems against a proportionate CAF profile, highlighting priority areas for improvement
- allow Government Security Group (GSG) and NCSC to take a strategic view of government resilience, to help inform a strategic roadmap to truly ‘Defend as One’
Preparing for GovAssure
Useful tasks to help organisations prepare for the start of GovAssure.
Companies and other third parties can find out about becoming a GovAssure Independent Assurance Reviewer here.
GovAssure stages summary
GovAssure consists of five main stages:
Stage 1: Organisational context and services
Understanding the context of the organisation to identify its essential services. These will help shape and scope the GovAssure review.
(Owner: Organisation)
Stage 2: In-scope systems and assignment to the Government CAF profile
Identifying and prioritising the critical systems on which the essential services rely, considering the system boundaries and determining the CAF profile (Baseline or Enhanced).
(Owner: Organisation and GSG)
Stage 3: Self-assessment
Completing a self-assessment for each critical system identified as ‘in-scope’ for GovAssure against the CAF Guidance documentation. Example mappings to other frameworks and example Indicators of Good Practice (IGP) evidence will be available.
(Owner: Organisation and GSG)
Stage 4: Independent assurance review
The self-assessment will be reviewed and verified by an independent assessor, who must meet the minimum security and assurance requirements.
(Owner: Independent Assurance Reviewer, Organisation and GSG)
Stage 5: Final assessment and targeted improvement plan
A final report will be produced, outlining observations and recommendations and providing an assessment against the target CAF profile. This will be an important mechanism to support investment and decision making.
(Owner: Independent Assurance Reviewer, Organisation and GSG)
How GovAssure will benefit you
- It is a tailored and flexible approach designed to fit with your business context. Assessment is outcome based and proportionate, using profiles aligned to the risks faced by Government.
- It provides a simplified experience for your teams, with a new web-based interface for assessments that will make workflow and input easier.
- GovAssure will give a fair and objective assessment through the integration of third-party review.
- It will set clear expectations for organisations through the use of “targeted improvement plans”.
Context and alignment with wider Government Security Group assurance processes
The NCSC has chosen the outcomes-based CAF approach to prevent the assessment being carried out as a ‘tick-box’ exercise. The aim of the CAF is to ensure that cyber risks that might disrupt a service are identified and mitigated, in a similar way to the National Institute of Standards and Technology (NIST) Cyber Security Framework.
GovAssure replaces the Cyber element of the Departmental Security Health Check (DSHC), which will continue to assess physical and personnel security, and moves away from the Minimum Cyber Security Standards (MCSS) which will be retired during 2023. A revised 007 Security Functional Standard will also direct organisations to go through GovAssure.
GovAssure will only apply to systems at the OFFICIAL tier, and the OFFICIAL threat model remains as defined by the Government classification scheme.
Furthermore, systems which are characterised as government CNI, according to the formal CNI criteria, will automatically be in scope for GovAssure and there will be further alignment with the current process for Government CNI assurance.
Roles and responsibilities
GovAssure will require support from a number of roles and governance groups within the organisation and should not be seen as the sole responsibility of the Chief Information Security Officer (CISO) and Cyber Security Managers, or equivalents. It is important to identify an individual who is accountable for GovAssure as well as a person who can act as a single point of contact and coordinate communications across the organisation. See engagement with your organisation to learn more.
Organisations must recognise that GovAssure is ‘essential services’ focused, and it is anticipated that roles including the Chief Risk Officer and system owners will be required to support delivery throughout the process. If you do not have one already, it is important to have a formally documented list of systems in use, with a named owner for each system. Organisations will be supplied with a Responsible, Accountable, Support, Consulted and Informed (RASCI) template to identify the roles required to deliver the end-to-end GovAssure process.
Government Cyber Security Policy Handbook
You can find the Government Cyber Security Policy Handbook here.
GovAssure Walkthrough Stages 1 and 2