About the Cyber Assessment Framework for local government
The Cyber Assessment Framework is a framework developed by the UK’s National Cyber Security Centre (NCSC).
Read a transcript of the Cyber Assessment Framework for local government video (.txt, 3KB)
The Ministry of Housing, Communities and Local Government (MHCLG) has worked with councils and cyber security experts to adapt this into a tool for councils in England to address the risks they face.
The Cyber Assessment Framework (CAF) for local government can help your council to:
- assess the current cyber resilience of your organisation
- identify and mitigate vulnerabilities that could disrupt your important services
As part of the CAF for local government, your council will:
- identify the critical systems you rely on
- complete a self-assessment of your organisation
- complete a self-assessment of your critical systems
- take part in an independent assurance review
- create a plan to address vulnerable areas
The CAF aims to promote good cyber security practices and cultures within councils to minimise the impact of cyber attacks.
You can use it to complement your existing cyber plans, or as a tool to start conversations around cyber security in your council.
Benefits
The CAF for local government is a recognised NCSC framework specifically adapted for councils. It supports you to:
- identify cyber risks that could disrupt your most important services
- improve your resilience to potential cyber attacks
- know what areas to prioritise through actionable recommendations, so you spend your time and money efficiently
- understand your cyber posture against a national benchmark
- embed a culture of cyber security across your whole organisation – not just within your IT teams
What the CAF means for local government
Cyber attacks can disrupt the delivery of your essential services, damage public trust and cause significant financial losses. Incidents affecting the public sector are on the rise, so it’s important that your council takes steps to protect its most critical services.
The CAF has been designed to help you build a strong foundation of resilience so that you can understand and manage risk appropriately. This will support MHCLG’s understanding of cyber security risks and issues within the sector, so that we can consider how to further support the sector to address these risks.
Use the CAF as a tool to continuously assess and improve your council’s cyber resilience. If used routinely, the self-assessment can serve as a method for good risk management at a local authority level.
It can also be completed alongside other cyber security standards to strengthen your cyber resilience. Find out how the CAF relates to other cyber standards.
Objectives of the CAF
The framework is based on four objectives that build good cyber resilience:
- Managing security risks
- Minimising the impact of cyber security incidents
- Protecting against cyber attack
- Detecting cyber security events
These objectives help you reflect on your current cyber posture and highlight where you can make improvements to protect your critical systems.
The assessment involves evaluating if you meet the contributing outcomes and indicators of good practice that underpin each objective. Read more about the objectives and contributing outcomes.
How the CAF can protect your critical systems
Your critical systems are the network and information systems that underpin the delivery of the services you rely on.
These are often systems that support:
- your essential services
- output systems your council relies on every day
- critical national infrastructure
Completing the CAF supports you to identify and manage consequences for these systems. This will help you maintain operation of your essential services if a cyber attack happens.
What the CAF for local government involves