Cyber Assessment Framework for Local Government

The DLUHC Local Digital team is supporting councils in England to build their cyber resilience and meet the aims and objectives of the Government Cyber Security Strategy.

On this page you can find out why we are developing a service to assess and understand cyber resilience in local government, and what this will mean for councils.

About the Cyber Assessment Framework (CAF)

To provide a clear cyber security standard for the local government sector, DLUHC will be introducing the Cyber Assessment Framework (CAF) for Local Government from 2024.

The Cyber Assessment Framework (CAF) was developed in 2018 by the National Cyber Security Centre (NCSC). It’s designed to help organisation’s take a systematic approach to assessing the extent to which they are managing their own cyber security risks.

Lead government departments are required to adapt the CAF in a way that is appropriate for the public sector organisations within their scope. DLUHC is currently developing supporting documentation, guidance and templates to guide the local government sector through the CAF.

What the CAF will mean for councils

The aim of the CAF is to promote and introduce good cyber security and resilience in organisations, so that the impact of attacks can be minimised. This means cyber attacks can be more quickly detected, and are easier to recover from.

Once the CAF for Local Government has launched, councils will be responsible for undertaking the CAF and using the assessment to manage their own cyber security.

DLUHC will use the results to understand any risks or issues within the sector. We will then consider how these risks can be addressed.

Follow the progress of the CAF for Local Government

Subscribe to the Local Digital newsletter for regular updates on our cyber resilience work, plus news and events relevant to those working in and around local government cyber security.

Timeline

2020: Understanding cyber security in local government

In 2020 we completed a pre-discovery phase to understand the current cyber security threats, challenges and capabilities that exist at a local government level.

We then moved into a discovery phase to investigate how DLUHC might support local authorities to reduce the incidence and impact of cyber attacks, and support sustainable cyber health.

A Cyber Health Framework was identified as one of the main areas of opportunity to progress into an alpha project, to support council staff to navigate numerous and sometimes overlapping standards. Read more about what we learned during discovery.

2021: Exploring the development of a cyber health tool

In 2021 we carried out an alpha project to explore the development of a tool and framework to support local authorities to achieve a recommended level of cyber health.

2022: Interpreting the CAF for local government

The introduction of the Government Cyber Security Strategy in 2022 changed the team’s direction towards the NCSC’s Cyber Assessment Framework (CAF).

In late 2022 we conducted a pilot with 10 councils in England to explore how the NCSC’s Cyber Assessment Framework (CAF) could be used to help assess and manage cyber risks across the sector.

The pilot was our first step in understanding how a cyber security baseline for local government might work. You can read more about the pilot in the CAF for Local Government report.

The pilot confirmed that although the CAF could be used effectively by the sector, the scope was too broad to make it a useful tool for local government.

2023: Building a CAF service (discovery)

From May 2023 to February 2024 we carried out further testing of the CAF with the Future Councils pilot councils, with a narrower scope. This included testing documentation, guidance and templates to help guide the councils through a CAF assessment. We gathered feedback and research from their experience to understand how other councils can best apply the CAF to their organisations.

At the same time, we carried out a discovery to identify what a CAF service could look like in order to support the sector-wide implementation of the CAF.

2024: Building a CAF service (alpha)

In February we kicked off an alpha project to design and test a service to help councils get ready for the CAF, assess themselves against it, and submit the CAF to DLUHC. You can read about how we’re developing the service in this blog post on DLUHC Digital.

More information on the project and updates on our progress will be shared on this webpage.