Overview of the CAF for local government
What each stage of the CAF for local government involves and how long it may take.
The CAF for local government is a tool you can use to continuously assess and improve your council’s cyber resilience.
Use it to understand your current level of cyber resilience and then identify and make improvements. Doing this regularly will help you prevent, reduce the impact of, and recover from a cyber attack.
Overview of the CAF for local government
We recommend that councils undertaking the CAF for the first time follow the stages in this order. We will provide guidance on how to undertake future CAF assessments later in 2026.
| Stage of the CAF for local government | Estimated time for team to complete |
|---|---|
| Prepare for the CAF | 45 hours |
| Set the scope of your self-assessment | 35 to 40 hours |
| Self-assess your organisation | 40 hours |
| Assure your organisation assessment and develop an improvement and implementation plan (IIP) | 15 to 20 hours |
| Map the architecture of your critical systems | 15 to 25 hours (per critical system) |
| Self-assess your critical systems | 60 hours (per critical system) |
| Assure your critical systems assessment and develop an improvement and implementation plan (IIP) | 20 hours |
These times are estimates and are likely to vary depending on:
- the size of your council
- access to relevant stakeholders
- whether you have previously completed a CAF assessment
What each stage involves
1. Prepare to start the CAF for local government
Estimated time to complete: 45 hours
Prepare your council for the self-assessment, including identifying key roles and responsibilities and planning your team’s schedule.
Find out how to prepare to start the CAF.
2. Set the scope of your assessment
Estimated time to complete: 35 to 40 hours
Document your organisational context, identify your essential services and critical systems, then prioritise three systems to self-assess.
Find out how to set the scope of your assessment.
3. Self-assess your organisation
Estimated time to complete: 40 hours
If you are doing the CAF for the first time, we recommend you start by self-assessing your organisation. Evaluate how well your council is managing security risk (objective A) and minimising the impact of cyber security incidents (objective D).
In future, you should aim to do a full reassessment of your organisation every few years to maintain an up-to-date view of your cyber posture and risk.
You may also need to reassess your organisation if there are significant changes to:
- your leadership or council structure, such as reorganisation
- the threat landscape, such as who could attack your organisation and why
- your mission and priorities
- your cyber risk appetite
- the essential services that allow your council to operate and achieve your mission and objectives
Find out what a CAF self-assessment involves.
4. Assure your organisation self-assessment and develop an improvement and implementation plan (IIP)
Estimated time to complete: 15 to 20 hours
Get an external view of how well your council is managing security risk and minimising the impact of cyber security incidents.
Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your organisation.
Find out about the independent assurance process, and then how to arrange independent assurance.
Work through the actions in your organisation improvement and implementation plan
After the assurance review, work through any remediation actions outlined in your IIP for objectives A and D. Addressing the issues identified throughout the CAF process can help you to build your cyber resilience.
5. Map the architecture of your critical systems
Estimated time to complete: 15 to 25 hours per system
Once you have completed an organisation self-assessment, you can start self-assessing your critical systems.
Start by creating system architecture diagrams of the critical systems you prioritised during scoping.
Find out how to map your critical systems architecture.
6. Self-assess your critical systems
Estimated time to complete: 60 hours per system
Evaluate how well your council is protecting against cyber attack (objective B) and detecting cyber security events (objective C).
We recommend you assess up to three critical systems a year, working towards the longer-term goal of assessing all your critical systems. This will help you identify risks to your most important services.
Find out what a CAF self-assessment involves.
7. Assure your critical systems self-assessment and develop an improvement and implementation plan (IIP)
Estimated time to complete: 20 hours
Get an external view of your council’s ability to protect against cyber attacks and detect cyber security events.
Use the feedback from your assurer to create an improvement and implementation plan that outlines how you will improve the cyber resilience of your critical systems.
Find out about the independent assurance process, and then how to arrange independent assurance.
Work through the actions in your critical systems improvement and implementation plan
After the assurance review, work through any remediation actions outlined in your IIP for objectives B and C. Addressing the issues identified throughout the CAF process can help you to build your cyber resilience.
Submit your self-assessment to MHCLG
Following your self-assessments, you can submit your assurance report and improvement and implementation plan to MHCLG.