Answers to your questions about the CAF for local government

Answers to some of your common questions about the CAF for local government. These include:

  • when is the CAF for local government moving to version 4.0?
  • how often will councils be expected to do a CAF assessment?
  • we’ve completed a self-assessment – what should we do next?
  • we’ve requested assurance – when will an assurer get in touch?
  • should councils going through reorganisation still do the CAF?

Email [email protected] to ask us a question or share your feedback on the service.

Questions about CAF version 4.0

What is CAF 4.0?

In 2025 the National Cyber Security Centre (NCSC) launched version 4.0 of their Cyber Assessment Framework. This includes important updates to strengthen cyber resilience across sectors.

Version 4.0 of the CAF introduces four major changes:

  • updates to security monitoring and threat hunting to improve detection of cyber threats
  • improved coverage of AI-related cyber risks throughout the framework
  • a new section on ensuring software used in essential services is developed and maintained securely
  • a new section building a deeper understanding of attacker methods and motivations to inform better cyber risk decisions

These changes reflect the evolving cyber threat landscape and aim to strengthen resilience across all critical sectors.

View all CAF 4.0 updates in the changelog (PDF)

When is the CAF for local government moving to version 4.0?

We plan to transition to version 4.0 of the CAF from September 2026.

This will enable us to:

  • review and set an appropriate CAF profile for local government for version 4.0
  • plan a realistic transition that avoids placing additional burden on councils


The NCSC released version 4.0 in 2025 – why is MHCLG taking so long to adopt it?

As part of the transition to version 4.0 of the CAF, we need to set an appropriate profile for local government. This will involve reviewing the 4.0 profiles set by the NCSC. Although the NCSC released version 4.0 in 2025, they have not yet released the accompanying CAF profiles.

What is MHCLG asking councils to do?

MHCLG will support councils to align their self-assessments to version 4.0 of the CAF. This includes assessing against the new contributing outcomes.

Use the guidance below to decide what to do now, based on where you are in your self-assessment journey.

Started a self-assessment

Action: continue your self-assessment against the current version (3.2).

Please complete this short form to let us know when you might be ready for independent assurance. This will help us plan and allocate assurance resource.

What happens next: we will support you to align your work to version 4.0 later this year.

Planning to start a self-assessment before September 2026

Action: start a self-assessment against version 3.2 using the existing workbooks.

What happens next: we will support you to align your work to version 4.0 later this year.

Completed a self-assessment, awaiting assurance

Action: no further changes are needed before your assurance review.

What happens next: your assessment will be assured against CAF 3.2. We will support you to align to version 4.0 in 2027.

Completed and assured a self-assessment

Action: if you are starting a new self-assessment, use the existing workbooks (version 3.2).

What happens next: we will support you to align your work to version 4.0 later this year.

Why should councils move to version 4.0?

Since CAF version 3.2 was published, more high-profile cyber attacks (such as the Scattered Spider and JLR incidents) have occurred, and threat actors have changed their tactics in response to heightened security controls.

As a result, the NCSC have updated the CAF to account for this change in the threat landscape – specifically, they have refreshed objective C and added a substantial section on threat.

This means that CAF version 4.0 is more closely aligned to the threats that local authorities face in 2026 than the current version, which was published in 2019 (with only minor amendments made in 2024).

Assessing your organisation and critical systems against the latest version of the CAF will mean that your council is taking appropriate steps to protect your essential services against cyber attack.

Will previous work on CAF 3.2 be wasted with the move to CAF 4.0?

No. The transition to version 4.0 builds on the work you’ve already done; it does not replace it. This means your efforts are not wasted.

Version 4.0 is based on the same core structure as the current version, with objectives A to D, 14 principles, and the contributing outcomes that underpin those.

The most significant changes in version 4.0 are in objective C. This means the move to version 4.0 is likely to have less impact on councils’ organisational self-assessment (objectives A and D).

What will happen if the NCSC releases further updates?

We are planning to replace the self-assessment spreadsheets and submission tool with a web application that will make completing and submitting assessments more user-friendly. This will also make it easier for us to roll out updates so that councils can assess themselves against the latest version of the CAF for local government.

We recommend you subscribe to the CAF newsletter to hear about updates to the CAF for local government.

What CAF profile should we be working to?

As part of the transition to version 4.0 of the CAF, MHCLG needs to set an appropriate profile for local government. This will involve reviewing the 4.0 profiles set by the NCSC.

Although the NCSC released version 4.0 in 2025, they have not yet released the accompanying CAF profiles.

We aim to release an updated profile for local government, with supporting guidance, later this year.

In the meantime, you should continue to self-assess against the current version and profile (3.2). MHCLG will provide support to help you to transition to version 4.0.

The profile for local government is rated OFFICIAL-SENSITIVE and can be found on Security.gov.uk behind a sign-in, and in the self-assessment workbooks. Sign in to view the profile.

In a recent blog post you shared plans to make it easier for councils to complete a CAF assessment. When will you be getting rid of the spreadsheet workbooks?

In a blog post earlier this year, we said:

This year we’re going to evolve the CAF user journey, online guidance and resources to make it easier and quicker to complete CAF assessments. We’re looking to replace the self-assessment spreadsheets and submission tool with a web application to make completing and submitting assessments more user-friendly and secure.

We recently tested a prototype of a web application with councils and are using the insights we’ve gained to make improvements. We’ll be continuing to test and improve the application to ensure it meets the needs of councils completing a CAF assessment.

Questions about completing the CAF

How often will councils be expected to do a CAF assessment?

The CAF is not a one-off exercise, but a tool you can use to continuously assess and improve your council’s cyber resilience.

Assessing your organisation (objectives A and D)

If you are doing the CAF for the first time, we recommend you start by self-assessing your organisation and then work through any remediation actions outlined in your improvement and implementation plan (IIP).

You should aim to do a full reassessment of your organisation every few years to maintain an up-to-date view of your cyber posture and risk.

You may also need to reassess your organisation if there are significant changes to:

  • your leadership or council structure (such as reorganisation)
  • the threat landscape, such as who could attack your organisation and why
  • your mission and priorities
  • your cyber risk appetite
  • the essential services that allow your council to operate and achieve your mission and objectives

Assessing your critical systems (objectives B and C)

Once you have completed your organisational self-assessment, move on to self-assessing your critical systems. We recommend you assess up to three systems a year. Your longer-term goal should be to assess all your critical systems. This will support you to identify cyber risks that could disrupt your most important services.

We’re interested to learn how you plan to use the CAF as part of your routine risk management and business planning. Email [email protected] to share your feedback.

We’ve completed a self-assessment – what should we do next?

Once you’ve completed a self-assessment you should work with an independent assurer to develop an improvement and implementation plan (IIP). Your IIP outlines how you plan to address the issues you’ve identified and is an important step in building your cyber resilience.

You can then submit your finalised report and IIP to MHCLG. This will help us understand cyber security risks and issues within the sector, so that we can consider how to support the sector in addressing these.

If you’ve got an IIP

Work through the recommended actions. You may be asked to update MHCLG on your progress against your IIP so that we can understand what issues you may be facing and how we might support you to address them.

If you’re already working on your IIP

While working on your recommended actions, you can also get started on your next self-assessment. For example, while you’re working through the actions for your organisation (objectives A and D), you could start assessing one of your prioritised critical systems (objectives B and C).

If you’re waiting for assurance

Complete this form to request assurance from MHCLG and we will contact you once an assurer is available. Thank you for your patience if you have already requested assurance.

What if our council has done the Get CAF Ready programme?

By completing Get CAF Ready, you have gained the skills and knowledge to identify and prioritise critical systems and map system and network architecture. You can use this to start the self-assessment of your critical systems.

If you have not done so already, you should start by preparing your council for the self-assessment, including planning your schedule and identifying key roles and responsibilities.

Questions about local government reorganisation

Should councils going through reorganisation still do the CAF?

Yes. We recognise that councils undergoing reorganisation may be focussing their capacity and resources elsewhere. However, the cyber threat to councils remains high and it is important that you have plans in place to address the risks you face.

The CAF for local government supports all councils to:

  • identify cyber risks that could disrupt your most important services
  • improve your resilience to potential cyber attacks
  • know what areas to prioritise through actionable recommendations – so you spend your time and money efficiently
  • embed a culture of cyber security across your whole organisation – not just within your IT teams

For councils undergoing reorganisation, the CAF can help you build strong foundations from the start. We recommend you start with the organisational assessment (objectives A and D) which will be particularly helpful in establishing good governance and a culture of cyber security in newly formed councils. You can then move on to assessing your critical systems.

Find out what the CAF self-assessments involve.

Questions about assurance

We’ve requested assurance – when will an assurer get in touch?

We are currently switching to a new cyber support supplier, so there may be a short break before we can restart assurance.

You should continue with your self-assessment while you wait. If you have completed an organisational self-assessment (objectives A and D) and are waiting for assurance, we recommend you start self-assessing your critical systems (objectives B and C).

Please complete this form to request assurance and we will contact you to arrange an onboarding call as soon as a supplier is in place.

Questions about senior leadership buy-in

Senior leaders can support their organisation to undertake a CAF for local government assessment by:

  • discussing how best to take forward a CAF assessment with their senior management team
  • allocating resources and prioritising the CAF for local government
  • ensuring that their assessment and progress are discussed at board level
  • promoting a positive cyber security culture across the organisation

You can find guidance on how to introduce the CAF to your senior leadership team on Security.gov.uk.

Get started on the CAF for local government

Guidance on the CAF for local government is available on the UK Government Security website.