
Author: Government Security Group

Last updated: 2025-08-28

GovAssure guidance

This guidance will help government organisations to complete GovAssure.

GovAssure is currently being improved based on feedback from government organisations.

Changes are being made to the guidance content for stage 3 onwards. Please check back regularly if you are in the process of preparing for the self assessment stage.

GovAssure was developed by the Government Digital Service (GDS) and the National Cyber Security Centre (NCSC). It provides government with visibility of its cyber security risks and a common framework to more effectively understand and manage them.

How GovAssure works for organisations 

GovAssure recognises the difference between government organisations both in size and in the way they work. It is designed for you to use the assessment process to suit your organisation’s own context.

If you are not sure about the relevance of any part of GovAssure for your organisation, you can contact one of the GDS cyber advisors on cybergovassure@cabinetoffice.gov.uk

The GovAssure assessment process uses the NCSC’s Cyber Assessment Framework (CAF) to help organisations assess and improve their cyber security and resilience. Third-party reviewers are used to ensure the observations and recommendations provided to organisations are objective and informed by industry best practice.

GovAssure allows your government organisation to: 

  • accurately assess the level of cyber security and resilience for your critical systems and highlight priority areas for improvement
  • measure progress against the requirements of the Government Cyber Security Standard, and improve the security of your networks and information systems

Systems that can be assessed using GovAssure 

The GovAssure process is suitable for critical government systems classified as OFFICIAL. It is not suitable for systems processing information at SECRET and above.

You must use GovAssure to assess OFFICIAL systems that are considered government-sector CNI. Organisations with government-sector CNI will know which of their systems this applies to.

Working with GDS cyber advisors

If you are a Lead Government Department (LGD) or an organisation with government-sector critical national infrastructure (CNI), you will have a dedicated cyber advisor from GDS to support you while you prepare and complete your self assessment.

GDS cyber advisors will help you to:

  • navigate each stage of the GovAssure process 
  • finalise the scoping document for each assessment
  • access WebCAF to work through your CAF self assessment
  • review your CAF self assessment to make sure that all fields have been completed correctly
  • navigate filling in your organisation’s targeted improvement plan

Who your organisation will work with

You may collaborate with different internal and external stakeholders at each stage of GovAssure, including GDS and third-party reviewers.

For example, if you are a Lead Government Department or an organisation with government-sector critical national infrastructure (CNI) you will:

  • be supported by a GDS cyber advisor during stages 1, 2 and 3
  • work with your independent assessor during stages 4 and 5 with support from your GDS cyber advisor

Note: If you are a Lead Government Department (LGD) or a government critical national infrastructure (CNI) organisation, you must use an independent assessor to review your assessment. Other organisations can use a peer review process.

Working through the 5 GovAssure stages

The GovAssure process is made up of 5 stages, which must be completed in the following order.

Stage 1: Define your organisation’s context and services 

Stage 1 is the start of your internal scoping exercise. At this stage you will begin completing a scoping document and detail your organisation’s mission and the context in which it operates. You will also identify all of the essential services your organisation is responsible for.

Stage 2: Identify your in-scope systems and assign Government Cyber Assessment Framework (CAF) profiles

In stage 2 you will continue to use your scoping document to identify which critical systems your essential services rely on. You will also decide the number of systems you want to assess during the current year. 

During stage 2 you will decide which Government CAF profile (baseline or enhanced) to assign to each system that is being assessed.

Stage 3: Complete a WebCAF self assessment 

At stage 3, you will complete a WebCAF self assessment for the systems you are putting through GovAssure in the current year. You will record the scope of each system assessment in your scoping document.

Stage 4: Get an independent assurance review

During stage 4, your third-party reviewer will verify the content of your self assessment.

You will need to share your scoping document and all relevant evidence with the reviewer to enable them to complete their assessment. 

Stage 5: Final assessment and targeted improvement plan

At stage 5, your reviewer will produce a final report which includes:

  • their observations
  • an assessment against the target CAF profile
  • recommendations for how your organisation can improve the cyber security and resilience of each system

You must share the assessor’s final report with your GDS cyber advisor. They will support you to navigate the completion of your organisation’s targeted improvement plan in the final step in the GovAssure process.

Next steps

If you are a Lead Government Department (LGD) or an organisation with government-sector critical national infrastructure (CNI), you should contact a GDS cyber advisor on cybergovassure@cabinetoffice.gov.uk for further information.

If you are an arm’s length body (ALB) or an organisation without government-sector critical national infrastructure (CNI), contact your parent department for further information on your next steps.

 
