Skip to main content

What do you think of this service? Your feedback will help us to improve it.

Author: Local Digital

Overview of the CAF for local government

What the Cyber Assessment Framework (CAF) for local government involves.

An overview of the CAF for local government and what your council can start working on now.

What the CAF for local government involves

The CAF for local government is available to councils in England to help them assess their cyber resilience.

We have launched the initial stages of the CAF for local government, enabling councils to get a head start while we continue to develop the framework based on your feedback. We plan to launch the full service by spring 2025.

For councils wishing to move swiftly through the CAF process, we recommend using these timelines to plan your CAF for local government assessment.

A visual showing all the stages for a council completing the CAF for local government.
An overview showing the stages for a council completing the CAF for local government.
Stage of the assessment Estimated time for team to complete When guidance will be available
Prepare for the CAF for local government 45 hours Available now
Set the scope of your assessment 30 to 35 hours Available now
Complete a self-assessment of your organisation 40 hours Available now
Assure your organisation assessment and develop your improvement and implementation plan (IIP) 15 to 20 hours Available now
Map the architecture of your critical systems 20 hours (per critical system) Spring 2025
Complete a self-assessment of your critical systems 60 hours Spring 2025
Assure your critical systems assessment and develop your improvement and implementation plan (IIP) 20 hours Spring 2025

These times are estimates and are likely to vary depending on:

  • the size of your council
  • access to relevant stakeholders
  • your ability to prioritise the CAF for local government

What you can do now to get ahead

Available now

Prepare to start the CAF for local government

Prepare your council for the self-assessment, including planning your schedule and identifying key roles and responsibilities.

Find out how to prepare to start the CAF for local government.

Set the scope of your assessment

Document your organisational context and essential services, and identify and prioritise three critical systems.

Find out how to set the scope of your assessment.

Complete a self-assessment of your organisation

Evaluate how well your council is managing security risk (objective A) and minimising the impact of cyber security incidents (objective D).

Find out how to complete the self-assessment of your organisation.

Following your self-assessment, you can submit your scoping workbook, assured self-assessment, and improvement and implementation plan to MHCLG for both the organisation and critical systems self-assessments. We plan to publish more information on how to securely submit these documents and how your information will be used in spring 2025.

Independent assurance review of your organisation self-assessment

Get an external view of how well your council is managing security risk and minimising the impact of cyber security incidents.

Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your organisation.

Find out about the independent assurance process, and then how to arrange independent assurance.

What you can do next

Guidance we plan to launch in spring 2025

Map the architecture of your critical systems

Create system architecture diagrams of up to three of the critical systems you identified during scoping.

Complete a self-assessment of your critical systems

Evaluate how well your council is protecting against cyber attack (objective B) and detecting cyber security events (objective C).

Independent assurance review of your critical system self-assessment

Get an external view of your council’s ability to protect against cyber attacks and detect cyber security events.

Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your critical systems.

Prepare for the CAF

Contact the CAF for local government team

Email us to ask a question or share feedback.

Sign up to UK Government Security

Subscribe to our newsletters to receive notifications when changes to strategy, policy, standards, and guidance are published on the website.

Sign up now