How the CAF relates to other cyber standards
The CAF for local government can be completed alongside other cyber security standards to strengthen your cyber resilience.
The Ministry of Housing, Communities and Local Government (MHCLG) has designed the Cyber Assessment Framework (CAF) for local government to provide a clear cyber security standard for the sector.
You can use the CAF to gain a better understanding of your council’s cyber resilience and how it compares to the targets for local government.
How the CAF for local government differs from other standards
Identifies areas for improvement
The CAF is a tool for assessing and improving your council’s resilience to known vulnerabilities and attack methods.
By understanding your current cyber resilience and then identifying and making improvements across your organisation, you will be in a better position to prevent, reduce the impact of and recover from a cyber attack.
Takes an outcomes-based approach
The CAF is not a tick-box exercise. It takes an outcomes-based approach, which recognises that how you achieve an outcome may differ depending on the specific risks and contexts of your council.
Considers your whole organisation
The CAF takes a whole-organisation approach to cyber security that encourages engagement and collaboration with different functions across the council, including risk management, business continuity and service leads.
Focuses on protecting your critical systems
While many standards take a broader approach to cyber resilience, the CAF for local government also focuses on protecting your critical systems. These are the network and information systems that underpin the delivery of services you and your residents rely on.
Benefits of completing the CAF in addition to other standards
Completing the CAF in addition to other standards can help you to:
- supplement your existing levels of cyber security, by focusing efforts on your essential services and critical systems
- support better collaboration across your organisation and engagement with senior leadership and management teams
- increase your understanding of cyber resilience and preparedness to manage cyber attacks effectively
- better understand the extent of your risk exposure at both an organisational and technical level
It will also enable MHCLG to understand any risks or issues within the sector, so that we can consider how to further support the sector in addressing these risks.
Find out more about the benefits of the CAF for local government.
Parts of the CAF for local government align with cyber security and assurance standards that you and your commercial (third-party) providers may be familiar with. If you have completed an assessment against other standards, you may be able to use that to find relevant evidence for your CAF assessment.
Understanding cyber requirements for local government
MHCLG is aware that there are a number of cyber compliance regimes that councils are required to interact with as part of their data sharing agreements with government departments. We know this can be challenging and require considerable time, and that councils are looking for greater clarity and less duplication.
The Government Cyber Security Strategy makes it clear that the CAF is the future, and there is a clear opportunity for government departments to rationalise the amount of standards and reporting that exist.
We are working to further understand and progress in this area while we support you to start using the CAF.
While councils will still need to comply with existing standards and requirements, such as PSN, we hope that councils will appreciate the broader value of undertaking a CAF assessment.