Preparing for GovAssure

GovAssure launched in April 2023 and replaces the cyber security element of the Departmental Security Health Check (DSHC).

Government Security Group (GSG) has developed this guidance to help organisations who will be going through GovAssure prepare in advance.

GovAssure will require the support of a number of roles and governance groups within the organisation and should not be seen as the sole responsibility of the Chief Information Security Officer (CISO), Cyber leads or equivalents. It’s important that you discuss what is required for GovAssure within your teams and organisation as well as at relevant security and digital boards.

Please contact cybergovassure@cabinetoffice.gov.uk if you have any questions.

Before starting GovAssure, here are some useful tasks that your organisation can start to put it in a good position to embrace the GovAssure process.

1. Identify and confirm who will own GovAssure in your organisation

Identify who will lead and coordinate GovAssure in your organisation as soon as possible and confirm this with GSG or your Lead Government Department.

The GovAssure lead will be responsible for:

• working with stakeholders
• making progress through the GovAssure stages
• completing the CAF self-assessment
• working closely with GSG to track progress against delivery

2. Carry out engagement within your organisation on GovAssure

Cyber leads and where applicable, the GovAssure lead, need to lay the groundwork to engage with system owners and colleagues who sit outside of the cyber team about GovAssure now. This may include communicating with DDAT leads across your organisation as well as risk leads.

You will need the input of wider colleagues during the initial stages to:

• identify your organisation’s essential services and critical systems
• complete the self-assessment

We expect a variety of stakeholders from wider teams and business areas to be involved in the completion of GovAssure within an organisation, not just the cyber team.  See Engagement with your organisation to learn more.

3. Consider your overall mission as an organisation and list your essential services

You will need to articulate what your organisation fundamentally achieves and how it supports the delivery of UK government services. You can do this by starting to develop a list of your organisation’s essential services, using previous business exercises such as business continuity planning to help.
GovAssure will apply to the network and information systems being used to support the delivery of an essential service including government sector CNI and services that support the mission and day to day business of the organisation.

Lead Government departments should also identify Arms Length Bodies and organisations that you provide IT services to and think about how you will get relevant information from them to understand and report on your security outcomes.

Defining Essential Services

An essential service is unique to each government organisation. You should define essential services with the help of colleagues outside of your business area. For example, colleagues responsible for business continuity, business outputs or the Chief Risk Officer.

Under GovAssure essential services include:

• Critical Infrastructure Services – services that the UK public relies on, on a daily or near-daily basis
• Operators of Essential Services – operators of services that are essential for the maintenance of important societal or economic activities, such as energy, transport, health, water or digital infrastructure
• fundamental organisational mission and outputs – services that support the mission and day to day business of the organisation

The critical systems automatically in scope for GovAssure will include government sector CNI systems as well as those that underpin your essential services.

4. Identify which critical systems support the essential services

After defining the mission and essential services, you need to think about which critical systems support them. From this you will have your list of systems that you may want to put through GovAssure. Under GovAssure, critical systems are defined as:

• government sector CNI systems
• operators of essential services
• systems which support your organisation’s mission and outputs

Defining critical systems

When identifying the network and information systems that GovAssure requirements apply to, you will need to link them to the specific essential service they provide. The GovAssure requirements only apply to the network and information systems being used in support of delivering an essential service and where it’s assessed that the compromise of such a system could impact the continuity of the essential service.

Under GovAssure critical systems include:

• Government Sector Critical National Infrastructure – systems characterised as CNI according to the CNI criteria are automatically in scope and considered critical
• Operators of Essential Services – systems which support Operators of Essential Services
• systems supporting fundamental organisational outputs – systems that support the mission and day to day business of the organisation. Without these systems the organisation would not be able to operate

5. How many systems should you put through in year one of GovAssure?

For organisations starting GovAssure in April, we expect them to prioritise and select a reasonable number of systems that are representative of the organisation and its business. For example, a mix of operational and support systems such as corporate and estate systems, and potentially important analytic systems.

We recommend that you do not exceed 10 systems unless you have the appropriate resource to support this work.

6. Consider systems that are run by third parties or if you provide IT services to another organisation or consume them

You’ll need to begin to think about how you will get the relevant information from third parties and other government organisations for the self-assessment stage of GovAssure in order to understand and report on your security outcomes. It may be good to have initial conversations with them about this to establish how you will get assurances and what cyber security standards they already align to. You can also draw on assurances from companies on other cyber reviews and audits.

7. Defining the critical system boundary

You will need to define the boundary of each critical system going through the GovAssure process. Bring system owners into this work and draw on existing system topology diagrams and exercises to support.

8. Check if you need additional resources

If you need extra resources to help you with parts of the GovAssure process, such as the CAF self-assessment, make sure these are in place before GovAssure starts. You may be in processing of submitting business cases and following internal protocols to initiate this. It’s important that you start this as early as possible. GSG will be happy to help you with any business cases that you are drafting and escalate potential issues.

9. Check you have funding to pay for the assurance review

Organisations who are completing GovAssure up to the self-assessment stage only will not need funding for the independent assurance review. Organisations who are going through an independent review will need to ensure that they have funding set aside for this

If you do not have funding set aside for the independent assurance review then you need to check what you need to do to submit a business case or ring fence money internally. It’s important to start this process as early as possible. GSG is happy to comment on any business cases that you are drafting and escalate potential issues.

Organisations will procure the assurance reviewer themselves through usual commercial processes. Understanding the commercial process within your organisation and engaging with the right people early will be crucial to bringing on board an assurance reviewer to complete the review stage of GovAssure.
Crown Commercial Service (CCS) have GovAssure filters on Cyber Security Services 3 where organisations can select a list of accredited companies who can carry out a GovAssure review.

10. Understand commercial processes within your organisation to prepare for GovAssure

Understanding the commercial process within your organisation and engaging with the right people early will be crucial to bringing on board an assurance reviewer to complete the review stage of GovAssure.
The earlier you start engaging with colleagues across the commercial, information assurance, and digital technology teams, the easier it will be to navigate the commercial process and obtain the relevant information and approvals necessary to procure a supplier. Here are some questions to consider:

• Do you have funding set aside for the assurance review? What steps do you need to take to submit a business case money?
• What engagement routes do you need to follow to inform commercial, information assurance and digital technology colleagues about GovAssure?
• What does the sign off route look like within your organisation for procuring a third party supplier? How does it vary depending on the cost (for example, is it under or over £100,000)?
• Do you have enabling agreements in place with any of the accredited organisations under GovAssure? Is there a conflict of interest where an accredited organisation may have implemented cyber security improvements for your organisation?
• Can those contracts be used for GovAssure or can you create a contract variation?
• Do you have additional requirements for potential assurance reviewers, for example, experience working with government agencies?
• What can Government Security Group do to support this commercial engagement?