Answers to your questions about the CAF for local government

Answers to some of your common questions about the CAF for local government.

Email [email protected] to ask us a question or share your feedback on the service.
 

Questions about compliance

Will the CAF replace or consolidate other government assurance schemes?

MHCLG is aware that there are a number of cyber compliance regimes that councils are required to interact with as part of their data sharing agreements with government departments. We know this can be challenging and require considerable time, and that councils are looking for greater clarity and less duplication.

The Government Cyber Security Strategy makes it clear that the CAF is the future, and there is a clear opportunity for government departments to rationalise the number of standards and the amount of reporting that exist.

We are working to further understand and progress in this area while we support you to start using the CAF.

While councils will still need to comply with existing standards and requirements, such as PSN, we hope that councils will appreciate the broader value of undertaking a CAF assessment.

Will there be a library of risk assessments available for commonly used, true-SaaS systems so councils don’t need to duplicate assessments others have already done?

The Get CAF Ready programme is helping us to build a better understanding of common systems councils are using. This, along with future CAF submissions, will help us to build a better understanding of the challenges the sector faces so we can consider how MHCLG can provide support.
 

Questions about assurance

Who and what does independent assurance involve, and what outcomes does it produce?

The independent assurance review gives you an external view of how resilient your council currently is. It confirms that your assessment reflects how you are protecting your critical systems and organisation.

The assurance process:

  • confirms where you are making appropriate efforts to mitigate against common cyber attacks
  • identifies areas for improvement that you can prioritise
  • helps you communicate findings and next steps to your senior leaders, so everyone can understand your cyber risk

It also supports MHCLG to build an accurate picture of cyber security in the local government sector.

How do I assure my organisational self-assessment?

MHCLG is inviting councils who would like to assure their organisational self-assessment to email [email protected]. MHCLG will arrange independent assurance through our contract with Bridewell.

Resources are limited and will be allocated on a first-come, first-served basis. If there is availability, a member of the assurance team will contact you to arrange an introduction.

Find out more about the independent assurance process.
 

Questions about senior leadership buy-in

Who is ensuring buy-in from senior leadership?

In a letter to local authority leaders in October 2024, Minister McMahon, the Minister of State for Local Government and English Devolution, outlined how local leadership is key for the CAF for local government to be an effective tool, because it requires organisation-wide collaboration and advocacy at senior leadership level.

Senior leaders can support their organisation to undertake a CAF for local government assessment by:

  • discussing how best to take forward a CAF assessment with their senior management team
  • allocating resources and prioritising the CAF for local government
  • ensuring that your assessment and progress are discussed at board level
  • promoting a positive cyber security culture across the organisation

As part of our continued development of the CAF, we want to continue to learn from councils and hear feedback, so that we can identify how to develop the service and our support to the sector. This includes learning about what councils believe they need from their senior leaders. You can share your feedback by emailing [email protected].
 

Questions about CAF roles and responsibilities

Which teams should be involved in completing a CAF assessment? Is it solely for the IT teams to handle?

Completing the CAF for local government self-assessment involves collaboration with teams across your organisation. This includes your cyber, governance, data protection, risk, finance and wider business teams.

The CAF for local government can support councils to embed a culture of cyber security across their whole organisation, and not solely as an activity for IT teams.

Find out more about the roles and responsibilities required for completing a CAF assessment.

Does the CAF require project management engagement?

Following the completion of the Get CAF Ready programme, we will be doing further analysis on whether the CAF requires project management engagement as part of our ongoing work on the full design of the CAF for local government.

How much resource should we allow to complete a CAF assessment?

We have published estimated timescales for each stage of the CAF for local government on Security.gov.uk.
 

Questions about completing the CAF

Once I have completed a CAF assessment and had it assessed, will there be an ongoing assessment process?

We are still learning from the initial rollout of the CAF for local government and the CAF20 pilot to iterate the live service, and will provide more information on the future of the CAF in due course. We believe that, if used routinely, this self-assessment can serve as a method for good risk management at a local authority level.
 

Questions about MHCLG’s wider cyber programmes

Are there any plans for MHCLG to help procure a SOC for councils?

Local Digital is building its ‘Defend as One’ capabilities to empower local authorities to address collective cyber threats. It does this by promoting collaboration and knowledge sharing across government and the broader sector, for a unified, proactive, defensive cyber security approach.

Find out more about our cyber work.

Get started on the CAF for local government

Guidance on the initial stages of the CAF for local government is now available on the UK Government Security website.