GovAssure
GovAssure is the cyber security assurance scheme for assessing the critical systems of government organisations. This page maps our GovAssure guidance and includes a GovAssure overview.
GovAssure was developed by the Government Security Group (GSG) and the National Cyber Security Centre (NCSC). GovAssure supports the objectives and aims of the Government Cyber Security Strategy, and uses the NCSC’s Cyber Assurance Framework (CAF). The Government Cyber Security Policy Handbook supports departments to build capabilities which meet the requirements of the CAF.
GovAssure is currently designed for OFFICIAL government systems, and also applies to government sector critical national infrastructure (CNI). GovAssure replaced the cyber elements of the Departmental Security Health Check (DSHC).
GovAssure uses WebCAF; a platform that has been developed to receive CAF submissions.
Contact us
Please email cybergovassure@cabinetoffice.gov.uk in GSG for any questions or queries about GovAssure.
GovAssure Guidance Contents
- Stage 1 – Organisational context and services including:
- Introduction to scoping document
- Stage 2 – In-scope systems & assignment to Government CAF profile
- Stage 3 – CAF self-assessment including:
- 6 steps to conduct self-assessment
- Components of CAF and using WebCAF
- CAF Dependencies
- Stage 4 – Independent assurance review including:
- Checklist and Peer review guidance
- Stage 5 – Final assessment and targeted improvement plan
- Government CAF Profiles (requires signing in)
- Becoming a GovAssure Independent Assurance Reviewer
- Supporting templates, documentation and downloads
- WebCAF Help
GovAssure Overview
GovAssure is the cyber security assurance scheme for assessing the critical systems of government organisations. It was developed by the Government Security Group (GSG) and the National Cyber Security Centre (NCSC), and is intended to:
- enable government organisations to accurately assess the level of cyber assurance for their critical systems, highlighting priority areas for improvement
- allow GSG and the NCSC to take a strategic view of government resilience and develop a roadmap to truly ‘Defend as One’
GovAssure assesses systems against one of two target Cyber Assurance Framework (CAF) profiles for government: the Baseline or the Enhanced profile. It can be tailored to fit an organisation’s context and uses third-party reviewers to ensure objectivity. The scheme delivers an outcomes-based assessment, with recommendations that are supported by targeted improvement plans.
Participating organisations can demonstrate how they actively manage and report on cyber capabilities, risk, and resilience. They can also improve the security of their networks and information systems, and measure progress against the requirements of the Government Cyber Security Standard.
Systems in scope
GovAssure applies to the critical systems of government classified as OFFICIAL, and therefore is not suitable for systems processing information at SECRET and above.
Additionally, GovAssure also applies to systems that are considered government critical national infrastructure (CNI), according to the formal CNI criteria.
If you are unsure whether GovAssure is suitable for your systems, contact the GovAssure team for advice: cybergovassure@cabinetoffice.gov.uk
GovAssure Stages
The GovAssure scheme is comprised of 5 stages:
Stage 1: Describe the organisation’s context and services
(Owned by the organisation)
A scoping exercise to document the organisation’s mission and the context in which it operates, and to identify all the essential services it is responsible for.
Stage 2: Identify the in-scope systems and assign the Government CAF profile
(Owned by the organisation and GSG)
Identification and prioritisation of the critical systems on which the essential services rely, and determination of the CAF profile (Baseline or Enhanced) that should be assigned to each one.
Stage 3: CAF self-assessment
(Owned by the organisation and GSG)
A self-assessment for each critical system within scope against the CAF Guidance documentation. GSG provides examples for the organisation on WebCAF to consult during the assessment.
Stage 4: Assurance review
(Owned by the assessor, the organisation, and GSG)
The self-assessment is reviewed and verified by an assessor.
Note: Lead government departments (LGDs) and government critical national infrastructure (CNI) organisations must undertake an independent assurance review. Other organisations may opt for a peer review process instead.
Stage 5: Final assessment and targeted improvement plan
(Owned by the independent assessor, the organisation, and GSG)
A final report is produced, including observations, recommendations, and an assessment against the target CAF profile for each system.
Further Reading
Government Cyber Security Policy Handbook