The DLUHC Local Digital team is supporting councils in England to build their cyber resilience.
Through our work to date, we know that one of the challenges councils face is having a clear baseline standard to assess their cyber security. To address this, DLUHC will be introducing the Cyber Assessment Framework (CAF) for local government in 2024.
In this blog post, we'll get you up to speed on our work to develop the CAF for local government and let you know how your council can start getting ready.
What is the Cyber Assessment Framework (CAF)?
The Cyber Assessment Framework (CAF) was developed in 2018 by the National Cyber Security Centre (NCSC) to help organisations assess the extent to which they're managing their own cyber security risks.
The Government Cyber Security Strategy 2022-2030 outlines how lead government departments are required to adapt the CAF in a way that is appropriate for the public sector organisations within their scope. To guide the local government sector through the CAF, DLUHC is developing supporting documentation, guidance and templates. We're calling this the Cyber Assessment Framework (CAF) for local government.
What the CAF will mean for councils
The aim of the CAF is to promote good cyber security practices and cultures in councils by allowing them to understand their cyber posture against a national benchmark.
Once it's rolled out, councils will be responsible for undertaking the CAF and using the assessment to manage their own cyber security. DLUHC will use the results to understand any risks or issues within the sector, and consider how these risks can be addressed. This will likely include working closely with partners such as SOLACE or the Local Government Association (LGA).
How we're developing the CAF for local government
Our vision is for councils to be able to undertake the CAF themselves, and to use their knowledge of their council and level of risk to decide what to prioritise for assessment. We're keen to understand the resource required to undertake the CAF and to design the service to reduce additional burden on councils. By thoroughly testing the CAF with councils, we can identify the pain points and which elements are the most time and resource consuming.
We first piloted the CAF with the local government sector in Autumn 2022 with 10 councils. This confirmed that although the NCSC's CAF could be used effectively by the sector, the scope was too broad to make it a useful tool for local government.
Since May 2023 we've carried out further testing with 8 councils through the Future Councils pilot, but with a narrower scope. This has included testing local government-specific documentation, guidance and templates to guide the pilot councils through a CAF assessment. We have also undertaken a discovery project to explore what services DLUHC needs to build to support delivery of the CAF in local government.
Testing the CAF with councils
In February this year, we kicked off an alpha project to design and test a service to help councils get ready for the CAF, assess themselves against it, and submit it to DLUHC. Alongside the alpha project, we'll be running a third pilot to test the service with a cohort of councils.
To help us support the sector ahead of the wider roll-out later this year, we've invited councils representing different areas of the country to take part in a six-month pilot from March 2024. The pilot councils will receive £50,000 to adopt the CAF with minimal direct support from us, and to take part in user research and testing to help us refine the service.
Through this latest pilot, we want to understand:
- whether the materials and products we've created are sufficient to guide councils through the CAF independently
- the resource required for councils to undertake the CAF
We plan to share updates on the progress of the pilot on our CAF webpage and we'll also be blogging about our progress.
Additional support to help councils prepare for the CAF
In order to complete the CAF, councils will be required to identify their critical systems and produce network architecture diagrams. We will be providing additional support to councils to enable them to do this before the CAF is rolled-out, including providing funding of £15,000 to each council that successfully completes the work.
We're currently testing guidance and conducting a series of workshops with a small group of councils before we make this support offer available to the rest of the sector in late Spring 2024. We will be able to share an update on this work at the end of March.
What your council can do to get ready for the CAF
Although the CAF for local government is still in development, we want to make sure councils are aware that it's coming so they can start getting ready to undertake a CAF assessment.
We will share more information and guidance on how to get your organisation ready for the CAF over the coming months, as well as run a webinar to answer your questions - more info on that to come.
To follow our progress and hear about upcoming Show and Tells, make sure to:
You can also read more about Local Digital's work to understand and improve local government cyber resilience on our website.