Once the peer reviewer(s) have been assigned to the organisation they will need to:
Government Security Group anticipate a full peer review to take around 1-2 days; however, timescales are expected to vary depending on the organisation and number of systems being reviewed.
The organisation being reviewed will have completed a GovAssure Scoping Document covering the following:
- (1) Organisational context and essential services
- (2) In-scope systems and assignment of the target Government CAF profile

The reviewer should read and digest the contents of the Scoping Document to understand the systems for which they are reviewing CAF self-assessments.
As part of the scoping process, the organisation being reviewed will have assigned one of two Government CAF profiles to the systems in scope. For the purpose of peer review, systems in scope for this type of review are those assigned the Baseline Profile only. WebCAF has an example completed CAF assessment at Baseline. Peer reviewers should familiarise themselves with this as an indication of the kinds of answers organisations may provide as part of the self-assessment. As a peer reviewer, please exercise flexibility in your scoring. Although we have provided illustrative examples on WebCAF, there are numerous ways organisations may be meeting the Baseline requirements, so please exercise your expert judgement.
In step 6, reviewers will be expected to use expert judgement to complete the peer review. For peer review, commentary should be focused at the contributing outcome level only. On WebCAF, boxes will appear below each set of contributing outcome statements for the reviewer to populate.
Where the organisation and reviewer agree, there is no need to provide detailed commentary. Where organisation and reviewer comments differ, commentary should explain what differs and why. Organisations may be contacted for further clarification by the reviewer. References to individual IGPs may be made in the CO statement review; however, this is optional.
Actions:
- Reviewer uses Yes or No checkboxes to assess whether the contributing outcome statement applies to the system in question, and supporting commentary is provided if necessary. Yes or No scores and commentary are not required for IGPs. Commentary from reviewers should be focused at the CO level.
- Where reviewer assessments differ from the organisation's contributing outcome achievement, they should justify fully and with reference to the areas of difference.
- An agreement should be made on whether any additional (and optional) arbitration workshops and feedback are necessary.
- Reviewer, organisation (and optionally LGD) should fully check quality of review before submission to GSG on WebCAF.
Following submission, the reviewed CAF return will be stored in a SECRET environment and will not be accessible on WebCAF in the long term. The reviewed assessment will be collated into a report if multiple systems have been put through GovAssure by the organisation. Organisations, in combination with their LGDs, will also work up a Targeted Improvement Plan based on final CAF returns. Peer reviewers will not be expected to contribute to either product, unless they do so voluntarily.
For additional questions on the GovAssure process or peer review, please contact cybergovassure@cabinetoffice.gov.uk.

For technical issues with WebCAF, please contact webcaf@cabinetoffice.gov.uk.
OFFICIAL