Please email cybergovassure@cabinetoffice.gov.uk for a transcript if required.
GovAssure is the new cybersecurity assurance scheme for Government organisations designed to support the objectives and aims of the GCSS.
The Strategy aims to harden Government's essential functions by improving the security of networks and information systems that are critical to the delivery of those essential functions, offering greater resilience to cyber attack and being more resilient to known vulnerabilities and attack methods.
GovAssure is a five stage process which:
Organisations are required to actively manage and report on the cyber capability, risk and resilience to their networks and systems in accordance with the appropriate security outcomes underpinned by threat driven Government-specific profiles under CAF (Baseline and Enhanced). GovAssure is accompanied by centralised cyber security policy and guidance for Government to support best practice.
Organisations' self-assessments will be independently and objectively verified by independent assurance reviewers. GovAssure will allow Government to identify and aggregate risks and measure progress against the GCSS.
The two main aims of GovAssure are to:
Useful tasks to help organisations to prepare for the start of GovAssure in their organisation.
Companies and other third-parties can find out about becoming a GovAssure Independent Assurance Reviewer here.
GovAssure consists of five main stages:
Stage 1: Organisational context and services
Understanding the context of the organisation to identify its essential services. These will help shape and scope the GovAssure review. (Owner: Organisation)
Stage 2: In-scope systems and assignment to the Government CAF profile
Identifying and prioritising the critical systems on which the essential services rely and considering the system boundaries and determining the CAF profile (Baseline or Enhanced) (Owner: Organisation and GSG)
Completing a self-assessment for each critical system identified as 'in-scope' for GovAssure against the CAF Guidance documentation. Example mapping to other frameworks and example Indicators of Good Practice (IGP) evidence will be available. (Owner: Organisation and GSG).
Stage 4: Independent assurance review
Self-assessment will be reviewed and verified by an independent assessor. Assessors will meet the minimum security and assurance requirements. (Owner: Independent Assurance Reviewer, Organisation and GSG)
Stage 5: Final assessment and targeted improvement plan
A final report will be produced, outlining observations and recommendations and providing assessment against the target CAF profile. This will be a important mechanism to support investment and decision making. (Owner: Independent Assurance Reviewer, Department and GSG)
It is a tailored and flexible approach designed to fit with your business context. Assessment is outcome based and proportionate, using profiles aligned to the risks faced by Government.
It provides a simplified experience for your teams with a new web based interface for assessments that will make workflow and input easier.
GovAssure will give a fair and objective assessment through integration of third party review.
It will set clear expectations for organisations through the use of “targeted improvement plans”.
The NCSC has chosen the outcomes based CAF approach to prevent the assessment being carried out as a 'tick-box' exercise. The aim of the CAF is to ensure that cyber risks that might disrupt a service are identified and mitigated, similarly to the National Institute of Standards and Technology (NIST) Cyber Security Framework.
GovAssure replaces the Cyber element of the Departmental Security Health Check (DSHC), which will continue to assess physical and personnel security, and moves away from the Minimum Cyber Security Standards (MCSS) which will be retired during 2023. A revised 007 Security Functional Standard will also direct organisations to go through GovAssure.
GovAssure will only apply to systems on the OFFICIAL tier and the OFFICIAL threat model remains as per the Government classification scheme.
Furthermore, systems which are characterised as government CNI, according to the formal CNI criteria, will automatically be in scope for GovAssure and there will be further alignment with the current process for Government CNI assurance.
GovAssure will require support from a number of roles and governance groups within the organisation and should not be seen as the sole responsibility of the Chief Information Security Officer (CISO) and Cyber Security Managers, or equivalents. It is important to identify an individual who is accountable for GovAssure as well as a person who can act as a single point of contact and coordinate communications across the organisation. See engagement with your organisation to learn more.
Organisations must recognise that GovAssure is 'essential services' focused, and it is anticipated that roles including Chief Risk Officer and system owners will be required to support delivery throughout the process. If you do not have this already, it is important to have a formally documented list of systems in use and name system owners. Organisations will be supplied with a Responsible, Accountable, Support, Consulted and Informed (RASCI) template to identify the roles required to deliver the end-to-end GovAssure process.
You can find the Government Cyber Security Policy Handbook here.
OFFICIAL