Answers to your questions about the CAF for local government

Answers to some of your common questions about the CAF for local government. These include:

  • is the CAF for local government moving to version 4.0?
  • how often will councils be expected to do a CAF assessment?
  • we’ve completed a self-assessment – what should we do next?
  • what if our council has done the Get CAF Ready programme?
  • we’ve requested assurance – when will an assurer get in touch?
  • should councils going through reorganisation still do the CAF?

Email [email protected] to ask us a question or share your feedback on the service.

Questions about CAF version 4.0

What is CAF 4.0?

You may be aware that the National Cyber Security Centre (NCSC) has launched version 4.0 of their Cyber Assessment Framework. This includes important updates to strengthen cyber resilience across sectors.

This update to the CAF introduces:

  • updates to security monitoring and threat hunting to improve detection of cyber threats
  • improved coverage of AI-related cyber risks throughout the framework
  • a new section on ensuring software used in essential services is developed and maintained securely
  • a new section building a deeper understanding of attacker methods and motivations to inform better cyber risk decisions

These changes reflect the evolving cyber threat landscape and aim to strengthen resilience across all critical sectors.

Read more about CAF 4.0 in the changelog (PDF)

Do councils need to continue with CAF 3.2?

Many councils have asked if they should pause work on the current version of the CAF (version 3.2). The answer is no – please continue, as your current work remains vital and will directly support future transition to CAF 4.0.

CAF 3.2 is still the recommended approach for councils in England.

Continuing your current assessment against CAF 3.2 will:

  • strengthen your council’s cyber resilience
  • help MHCLG understand sector-wide risks
  • ensure you’re not starting from scratch when CAF 4.0 is adopted


Will previous work on CAF 3.2 be wasted when MHCLG moves to CAF 4.0?

No. Any future transition will build on the work you’ve already done, not replace it. This means your efforts are not wasted.

The current CAF 3.2 is based on the same core principles as CAF 4.0 (objectives A to D, 14 principles, and contributing outcomes).

Questions about completing the CAF

How often will councils be expected to do a CAF assessment?

The CAF is not a one-off exercise, but a tool you can use to continuously assess and improve your council’s cyber resilience.

Assessing your organisation (objectives A and D)

If you are doing the CAF for the first time, we recommend you start by self-assessing your organisation and then work through any remediation actions outlined in your improvement and implementation plan (IIP).

You should aim to do a full reassessment of your organisation every few years to maintain an up-to-date view of your cyber posture and risk.

You may also need to reassess your organisation if there are significant changes to:

  • your leadership or council structure (such as reorganisation)
  • the threat landscape, such as who could attack your organisation and why
  • your mission and priorities
  • your cyber risk appetite
  • the essential services that allow your council to operate and achieve your mission and objectives

Assessing your critical systems (objectives B and C)

Once you have completed your organisational self-assessment, move on to self-assessing your critical systems. We recommend you assess up to three systems a year. Your longer-term goal should be to assess all your critical systems. This will support you to identify cyber risks that could disrupt your most important services.

We’re interested to learn how you plan to use the CAF as part of your routine risk management and business planning. Email [email protected] to share your feedback.

We’ve completed a self-assessment – what should we do next?

Once you’ve completed a self-assessment you should work with an independent assurer to develop an improvement and implementation plan (IIP). Your IIP outlines how you plan to address the issues you’ve identified and is an important step in building your cyber resilience.

You can then submit your finalised report and IIP to MHCLG. This will help us understand cyber security risks and issues within the sector, so that we can consider how to support the sector in addressing these.

If you’ve got an IIP

Work through the recommended actions. You may be asked to update MHCLG on your progress against your IIP so that we can understand what issues you may be facing and how we might support you to address them.

If you’re already working on your IIP

While working on your recommended actions, you can also get started on your next self-assessment. For example, while you’re working through the actions for your organisation (objectives A and D), you could start assessing one of your prioritised critical systems (objectives B and C).

If you’re waiting for assurance

Complete this form to request assurance from MHCLG and we will contact you once an assurer is available. Thank you for your patience if you have already requested assurance.

What if our council has done the Get CAF Ready programme?

By completing Get CAF Ready, you have gained the skills and knowledge to identify and prioritise critical systems and map system and network architecture. You can use this to start the self-assessment of your critical systems.

If you have not done so already, you should start by preparing your council for the self-assessment, including planning your schedule and identifying key roles and responsibilities.

Questions about local government reorganisation

Should councils going through reorganisation still do the CAF?

Yes. We recognise that councils undergoing reorganisation may be focussing their capacity and resources elsewhere. However, the cyber threat to councils remains high and it is important that you have plans in place to address the risks you face.

The CAF for local government supports all councils to:

  • identify cyber risks that could disrupt your most important services
  • improve your resilience to potential cyber attacks
  • know what areas to prioritise through actionable recommendations – so you spend your time and money efficiently
  • embed a culture of cyber security across your whole organisation – not just within your IT teams

For councils undergoing reorganisation, the CAF can help you build strong foundations from the start. We recommend you start with the organisational assessment (objectives A and D) which will be particularly helpful in establishing good governance and a culture of cyber security in newly formed councils. You can then move on to assessing your critical systems.

Find out what the CAF self-assessments involve.

Questions about assurance

We’ve requested assurance – when will an assurer get in touch?

We are currently switching to a new cyber support supplier, so there may be a short break before we can restart assurance.

You should continue with your self-assessment while you wait. If you have completed an organisational self-assessment (objectives A and D) and are waiting for assurance, we recommend you start self-assessing your critical systems (objectives B and C).

Please complete this form to request assurance and we will contact you to arrange an onboarding call as soon as a supplier is in place.

Questions about senior leadership buy-in

Senior leaders can support their organisation to undertake a CAF for local government assessment by:

  • discussing how best to take forward a CAF assessment with their senior management team
  • allocating resources and prioritising the CAF for local government
  • ensuring that your assessment and progress are discussed at board level
  • promoting a positive cyber security culture across the organisation

You can find guidance on how to introduce the CAF to your senior leadership team on Security.gov.uk.

Get started on the CAF for local government

Guidance on the CAF for local government is available on the UK Government Security website.