In September 2022, the DLUHC Local Digital team kicked off a pilot with a cohort of councils to explore how the NCSC’s Cyber Assessment Framework (CAF) could be used to help assess and manage cyber risks across local government in England.
The first phase of the pilot has seen us undertake more than 50 hours of workshops with 10 councils from across England as we’ve worked through the four objectives outlined in the CAF.
As this phase comes to an end, we’re keen to share some initial insights and feedback with you before we move into the next phase.
Read on to find out what’s next for the pilot in 2023, and how to register for the Show and Tell in January to hear more about our findings.
Exploring a cyber assessment framework for local government
Since September, we’ve been working closely with our pilot councils to gather thoughts and feedback about the CAF and the value it could add in their organisation. We’ve also been exploring more complex questions such as how to scope the assessment, and whether a single assessment would be a realistic and meaningful reflection of a whole council IT network.
We also wanted to test what a proportionate CAF profile for councils might look like – in other words, which of the 39 CAF Outcomes should councils be aiming to ‘fully achieve’ or ‘partially achieve’ as a minimum.
Selecting the councils
While our pilot cohort needed to be small to allow us to get into detail, we wanted to make sure we were engaging with a group of councils representative of some of the common challenges and postures across the sector.
We invited over 30 councils to submit short expressions of interest, and from the responses we selected a group of 10 councils with a good level of variation across factors such as size, geography, cyber maturity, and IT model (for example, in-house, outsourced and shared services).
Our pilot councils have been working through the four objectives outlined in the NCSC’s Cyber Assessment Framework, carrying out a self-assessment against each of the 39 Outcomes and providing additional user feedback in an Excel workbook that we created for the task.
As they moved through the self-assessment, they were invited to one-to-one workshops with our DLUHC team to discuss the user experience and the finer points of their assessment.
Now that the workshops are complete, we’re keen to share some early insights from the process.
Initial insights from the first phase of the CAF pilot
1. Assessing against the CAF adds value
Using the CAF helped IT leads to consider new questions and identify areas for improvement, particularly across data storage, governance and documentation.
The content of the CAF is useful and relevant to the sector but additional clarification or complementary guidance would be helpful in some areas.
The CAF was also seen as a potentially helpful tool to support discussions about cyber risk across the business. However for this to be effective, there needs to be engagement and participation from colleagues and leaders outside of the IT team.
The councils participating in the pilot told us:
- “We're used to doing technical assessments, but this is more than that, and already it's made us look at an area we had been ignoring.”
- “It certainly highlighted some things that do need to be fixed and some things we're doing alright on – it's a good exercise!”
- “There is a base level understanding at board level, but in order to achieve certain areas of the CAF, we would need to have a wider understanding of cyber, to feel like the board are more meaningfully involved in making decisions, rather than having the decisions made for them.”
- “The data questions gave me the most challenges, because IT is less involved in that than we've ever been…it highlighted that I should know these things, but it's a new experience that I can't answer something in response to a security assessment.”
2. The draft CAF profile is challenging, but not necessarily disproportionate
The draft CAF profile we tested during the pilot is intended to help set a proportionate baseline for the sector, and be reflective of a posture resilient to common vulnerabilities and low-level attacks. For example, it sets out that while Outcome ‘A1a Board Direction’ should be “fully achieved” as a minimum, for Outcome ‘A4a Supply Chain’ “partially achieved” might be an acceptable posture for a council.
This is not to say that ‘good’ will look the same for everyone.
Achieving some parts of the profile will require time, money and effort, but participants generally agreed that this is not a reason to lower the bar.
IT leads would also like to see a way to recognise improvement against outcomes that are not yet being met or partially met.
The councils participating in the pilot told us:
- "If that's what's seen as secure then if you achieve it, you achieve it, and if you don't, you don't – I don't think there should be allowances because we're a council"
- “The profile is set fairly. There were only one or two sections that raised a couple of eyebrows...but we’re confident that once work-in-progress is complete, they will be met. There's nothing in there that we couldn't or shouldn't do.”
- “It's about the degree we need to go into as a small organisation. It felt overwhelming for a small organisation that doesn't try to meet any defined external standards.”
The CAF profile is still in draft but we hope to share it with the sector early next year.
3. We still need to define the scope and ‘essential functions’
Many of the IT leads we spoke to were unsure of how to define ‘essential functions’ in the context of their organisations. This is a question that will require more engagement across the sector to get right.
We also collectively struggled with how to approach scoping the assessment. Participants agreed with our starting assumption that the assessment should cover the entire council IT network, but we did find some challenges in practice which we’ll need to keep working through.
The councils participating in the pilot told us:
- “I felt the scope was representative. Yes, it gave me problems, but I would have expected it to. Problems are not a bad thing when it comes to scope.”
- “We do struggle to define essential functions at the council. Every service and every function is critical.”
- “I can't see how you would only select certain systems to define as ‘essential systems’, as they're all integrated into your corporate functions… you could interpret that as just what [services] councils have to legally deliver. But a lot are discretionary, though in reality you have to do them.”
- “‘Essential functions’ is weird wording to me. In local government, if it's not essential, you don't do it.”
There’s more to come…
We’re still busy analysing the feedback we’ve collected through this phase of the pilot, and will publish more about what we’re learning in early 2023.
We’re also hosting a Show and Tell on Wednesday 25 January where you can learn more about the pilot, hear key findings and insights, and listen to members of the pilot council cohort share their experience – register for the event on Eventbrite.
Next steps for the CAF pilot
Findings and feedback so far support that adopting the CAF can add genuine value for councils, and we should continue with this approach. In the new year, the second phase of this work will see Local Digital continuing to examine questions raised through the pilot, as well as starting to explore options for external validation of assessments, and reporting into central government.
The expectation is that adopting the CAF will not only help councils to manage risks in a clearer, more comprehensive way, but will enable better information sharing to help identify sector-level risks and understand where more support is needed.
If you are already using, or are about to start using, the CAF in your council then please complete this short survey to let us know! We’d love to hear more about how you’ve approached it and how it’s working for you.
On the other hand, if the CAF is still an unknown acronym, why not start familiarising yourself with it?
You can follow the progress of this work on our usual channels, and we look forward to more CAF discussions in the new year: