The DLUHC Local Digital team is supporting councils in England to build their cyber resilience.
Through our work to date, we know that one of the challenges councils face is having a clear baseline standard to assess their cyber security. To address this, DLUHC will be introducing the Cyber Assessment Framework (CAF) for local government in 2024.
In this blog post, we’ll get you up to speed on our work to develop the CAF for local government and let you know how your council can start getting ready.
What is the Cyber Assessment Framework (CAF)?
The Cyber Assessment Framework (CAF) was developed in 2018 by the National Cyber Security Centre (NCSC) to help organisations assess the extent to which they’re managing their own cyber security risks.
The Government Cyber Security Strategy 2022-2030 outlines how lead government departments are required to adapt the CAF in a way that is appropriate for the public sector organisations within their scope. To guide the local government sector through the CAF, DLUHC is developing supporting documentation, guidance and templates. We’re calling this the Cyber Assessment Framework (CAF) for local government.
What the CAF will mean for councils
The aim of the CAF is to promote good cyber security practices and cultures in councils by allowing them to understand their cyber posture against a national benchmark.
Once it’s rolled out, councils will be responsible for undertaking the CAF and using the assessment to manage their own cyber security. DLUHC will use the results to understand any risks or issues within the sector, and consider how these risks can be addressed. This will likely include working closely with partners such as SOLACE or the Local Government Association (LGA).
How we’re developing the CAF for local government
Our vision is for councils to be able to undertake the CAF themselves, and to use their knowledge of their council and level of risk to decide what to prioritise for assessment. We’re keen to understand the resource required to undertake the CAF and to design the service to reduce additional burden on councils. By thoroughly testing the CAF with councils, we can identify the pain points and which elements are the most time and resource consuming.
We first piloted the CAF with the local government sector in Autumn 2022 with 10 councils. This confirmed that although the NCSC’s CAF could be used effectively by the sector, the scope was too broad to make it a useful tool for local government.
Since May 2023 we’ve carried out further testing with 8 councils through the Future Councils pilot, but with a narrower scope. This has included testing local government-specific documentation, guidance and templates to guide the pilot councils through a CAF assessment. We have also undertaken a discovery project to explore what services DLUHC needs to build to support delivery of the CAF in local government.
Testing the CAF with councils
In February this year, we kicked off an alpha project to design and test a service to help councils get ready for the CAF, assess themselves against it, and submit it to DLUHC. Alongside the alpha project, we’ll be running a third pilot to test the service with a cohort of councils.
To help us support the sector ahead of the wider roll-out later this year, we’ve invited councils representing different areas of the country to take part in a six-month pilot from March 2024. The pilot councils will receive £50,000 to adopt the CAF with minimal direct support from us, and to take part in user research and testing to help us refine the service.
Through this latest pilot, we want to understand:
- whether the materials and products we’ve created are sufficient to guide councils through the CAF independently
- the resource required for councils to undertake the CAF
We plan to share updates on the progress of the pilot on our CAF webpage and we’ll also be blogging about our progress.
Additional support to help councils prepare for the CAF
In order to complete the CAF, councils will be required to identify their critical systems and produce network architecture diagrams. We will be providing additional support to councils to enable them to do this before the CAF is rolled-out, including providing funding of £15,000 to each council that successfully completes the work.
We're currently testing guidance and conducting a series of workshops with a small group of councils before we make this support offer available to the rest of the sector in late Spring 2024. We will be able to share an update on this work at the end of March.
What your council can do to get ready for the CAF
Although the CAF for local government is still in development, we want to make sure councils are aware that it’s coming so they can start getting ready to undertake a CAF assessment.
We will share more information and guidance on how to get your organisation ready for the CAF over the coming months, as well as run a webinar to answer your questions – more info on that to come.
To follow our progress and hear about upcoming Show and Tells, make sure to:
You can also read more about Local Digital’s work to understand and improve local government cyber resilience on our website.
4 comments
Comment by Mark Thompson posted on
Dear Team - all this is great, but in addition to the good work you all do, there's an increasingly urgent conversation to be had about digitally-enabled transformation of the entire LG sector. This recently came to the fore once again with proposals for a 'LG GDS' DDAT capability.
Please see my piece about this in UKAuthority today: https://www.ukauthority.com/articles/should-councils-have-a-local-government-digital-service/
It would be good for the public to see more about DHLUC's plans as a policy department for transforming (as opposed to tweaking at the edges) the delivery model for local services in the UK using digital thinking.
Thanks in a advance
Mark Thompson
Professor of Digital Economy
University of Exeter Business School
Comment by The Local Digital team posted on
Hi Mark,
Thanks for your comment and link to the article. We've stopped our work on the Local Digital Fund and pivoted to a more strategic stewardship approach recently.
In part, this is because our research shows us that it's how we think we can be most effective, but also because we agree that more targeted, cross-sector transformation is needed. Interoperability and data standards are amongst some of the first things we're working on, but we're also talking to CDDO and other departments about their next 5 year strategies and how local government should be included.
Legislative change is absolutely something that we're considering (and using in Open Digital Planning), but as you say, it's only the start - while also taking years to implement. We're aiming to deliver change faster than that!
Our work on CAF is one of the things we're driving forward because we need to raise the standards of cyber security across the local sector. It's a key part of our work, but only one part. We'll be publishing more on standards and adoption soon. In the meantime, we have a high level blog about the recent pivot: https://dluhcdigital.blog.gov.uk/2024/02/19/local-digital-update-adapting-our-approach-to-support-the-sector/
Comment by Mark Thompson posted on
Thanks for your comment - much appreciated. It's good to hear that standards/adoption is a core focus. As inputs to your thinking, you might be interested to take a look at this:
https://www.computerweekly.com/opinion/A-local-government-GDS-might-work-but-only-on-top-of-standard-technology
and this
https://www.computerweekly.com/opinion/Introducing-focus-and-leverage-the-value-algorithm-of-the-internet-era
and this
https://www.computerweekly.com/opinion/Searching-for-the-signal-of-open-standards-amid-the-growing-noise-of-agile
...there seems to be quite a bit of debate exploding in the sector around how to conceptualise the future digitally-enabled operating model for local government. My own view, for what it's worth, is that it would be good to see the great work that you do elevated out of the 'tech team' space and becoming a top policy priority (informed by digital) for the department, with ministerial oversight.
Comment by The Local Digital team posted on
Thanks Mark. We agree! Keep an eye on the blog over the next couple of weeks to hear more about our work on standards.