GovAssure guidance
GovAssure is the cyber security assurance scheme for assessing the critical systems of government organisations. It was developed by the Government Security Group (GSG) and the National Cyber Security Centre (NCSC), and is intended to:
- enable government organisations to accurately assess the level of cyber assurance for their critical systems, highlighting priority areas for improvement
- allow GSG and the NCSC to take a strategic view of government resilience and develop a roadmap to truly ‘Defend as One’
GovAssure assesses systems against one of two target Cyber Assurance Framework (CAF) profiles for government: the Baseline or the Enhanced profile. It can be tailored to fit an organisation’s context and uses third-party reviewers to ensure objectivity. The scheme delivers an outcomes-based assessment, with recommendations that are supported by targeted improvement plans.
Participating organisations can demonstrate how they actively manage and report on cyber capabilities, risk, and resilience. They can also improve the security of their networks and information systems, and measure progress against the requirements of the Government Cyber Security Standard.
GovAssure stages
The GovAssure scheme comprises 5 stages:
Stage 1: Describe the organisation’s context and services
(Owned by the organisation)
A scoping exercise to document the organisation’s mission and the context in which it operates, and to identify all the essential services it is responsible for.
Stage 2: Identify the in-scope systems and assign the Government CAF profile
(Owned by the organisation and GSG)
Identification and prioritisation of the critical systems on which the essential services rely, and determination of the CAF profile (Baseline or Enhanced) that should be assigned to each one.
Stage 3: Self-assess each in-scope system against the assigned CAF profile
(Owned by the organisation and GSG)
A self-assessment for each critical system within scope against the CAF guidance documentation. GSG provides examples on WebCAF for the organisation to consult during the assessment, including:
- 6 steps to conduct self-assessment
- Components of CAF and using WebCAF
- CAF Dependencies
Stage 4: Review and verify the self-assessment
(Owned by the assessor, the organisation, and GSG)
The self-assessment is reviewed and verified by an assessor.
Note: Lead government departments (LGDs) and government critical national infrastructure (CNI) organisations must undertake an independent assurance review. Other organisations may opt for a peer review process instead.
Stage 5: Final assessment and targeted improvement plan
(Owned by the independent assessor, the organisation, and GSG)
A final report is produced, including observations, recommendations, and an assessment against the target CAF profile for each system.
Systems in scope
GovAssure applies to the critical systems of government classified as OFFICIAL, and therefore is not suitable for systems processing information at SECRET and above.
GovAssure also applies to systems that meet the formal criteria for government critical national infrastructure (CNI).
If you are unsure whether GovAssure is suitable for your systems, contact the GovAssure team for advice: cybergovassure@cabinetoffice.gov.uk
How to prepare for GovAssure
Government organisations can prepare for GovAssure using the ‘How to prepare for GovAssure’ guidance.
Further reading
Government Cyber Security Policy Handbook