About the Cyber Assessment Framework for local government
The Cyber Assessment Framework is a framework developed by the UK’s National Cyber Security Centre (NCSC).
The Ministry of Housing, Communities and Local Government (MHCLG) has worked with councils and cyber security experts to adapt this into a tool councils in England can use to address the risks they face.
The Cyber Assessment Framework (CAF) for local government can help your council to:
- assess the current cyber resilience of your organisation
- identify and mitigate vulnerabilities that could disrupt your important services
As part of the CAF for local government, your council will:
- identify the critical systems you rely on
- complete a self-assessment of your organisation
- complete a self-assessment of your critical systems
- take part in an independent assurance review
- create an improvement and implementation plan to address vulnerable areas
The CAF aims to promote good cyber security practices and cultures within councils to minimise the impact of cyber attacks.
You can use it to complement your existing cyber plans, or as a tool to start conversations around cyber security in your council.
Benefits
The CAF for local government is a recognised NCSC framework specifically adapted for councils. It supports you to:
- identify cyber risks that could disrupt your most important services
- improve your resilience to potential cyber attacks
- know what areas to prioritise through actionable recommendations – so you spend your time and money efficiently
- understand your cyber posture against a national benchmark
- embed a culture of cyber security across your whole organisation – not just within your IT teams
What the CAF means for local government
Cyber attacks can have a huge financial cost and threaten to disrupt the delivery of your critical services to citizens. With cyber incidents affecting the public sector rising, it is important your council takes appropriate measures to protect your most important services.
Designed alongside the sector, the framework can help you build a strong foundation of resilience, so that you can understand and manage risk appropriately.
Collectively, this will support MHCLG’s understanding of cyber security risks and issues within the sector, so that we can consider how to further support the sector in addressing these risks.
If used routinely, this self-assessment can serve as a method for good risk management at a local authority level. Find out how the CAF relates to other cyber standards.
The CAF for local government is not a tick-box exercise. It requires cross-organisational collaboration. Find out who you should involve.
Objectives of the CAF
The framework is based on four objectives that build good cyber resilience:
- Managing security risks
- Minimising the impact of cyber security incidents
- Protecting against cyber attack
- Detecting cyber security events
These objectives help you reflect on your current cyber posture and highlight where you can make improvements to protect your critical systems.
The assessment involves evaluating if you meet the contributing outcomes and indicators of good practice that underpin each objective. Read more about the objectives and contributing outcomes.
How the CAF can protect your critical systems
Your critical systems are the network and information systems that underpin the delivery of the services you rely on.
These are often systems that support:
- your essential services
- output systems your council relies on every day
- critical national infrastructure
Completing this assessment gives you the opportunity to identify and mitigate consequences for these systems in the event of a cyber attack.
It means your council should have the ability to maintain operation of your essential services.
See what your council can start working on now