https://mhclgdigital.blog.gov.uk/2024/03/14/developing-a-service-to-assess-and-understand-cyber-resilience-in-local-government/

Developing a service to assess and understand cyber resilience in local government

Categories: Cyber, Local Digital

The DLUHC Local Digital team is supporting councils in England to build their cyber resilience.

Through our work to date, we know that one of the challenges councils face is having a clear baseline standard to assess their cyber security. To address this, DLUHC will be introducing the Cyber Assessment Framework (CAF) for local government in 2024.

In this blog post, we’ll get you up to speed on our work to develop the CAF for local government and let you know how your council can start getting ready.

What is the Cyber Assessment Framework (CAF)?

The Cyber Assessment Framework (CAF) was developed in 2018 by the National Cyber Security Centre (NCSC) to help organisations assess the extent to which they’re managing their own cyber security risks.

The Government Cyber Security Strategy 2022-2030 outlines how lead government departments are required to adapt the CAF in a way that is appropriate for the public sector organisations within their scope. To guide the local government sector through the CAF, DLUHC is developing supporting documentation, guidance and templates. We’re calling this the Cyber Assessment Framework (CAF) for local government.

What the CAF will mean for councils

The aim of the CAF is to promote good cyber security practices and cultures in councils by allowing them to understand their cyber posture against a national benchmark.

Once it’s rolled out, councils will be responsible for undertaking the CAF and using the assessment to manage their own cyber security. DLUHC will use the results to understand any risks or issues within the sector, and consider how these risks can be addressed. This will likely include working closely with partners such as SOLACE or the Local Government Association (LGA).

How we’re developing the CAF for local government

Our vision is for councils to be able to undertake the CAF themselves, and to use their knowledge of their council and level of risk to decide what to prioritise for assessment. We’re keen to understand the resource required to undertake the CAF and to design the service to reduce additional burden on councils. By thoroughly testing the CAF with councils, we can identify the pain points and which elements are the most time- and resource-consuming.

The journey of developing the Cyber Assessment Framework

We first piloted the CAF with the local government sector in Autumn 2022 with 10 councils. This confirmed that although the NCSC’s CAF could be used effectively by the sector, the scope was too broad to make it a useful tool for local government.

Since May 2023 we’ve carried out further testing with 8 councils through the Future Councils pilot, but with a narrower scope. This has included testing local government-specific documentation, guidance and templates to guide the pilot councils through a CAF assessment. We have also undertaken a discovery project to explore what services DLUHC needs to build to support delivery of the CAF in local government.

Testing the CAF with councils

In February this year, we kicked off an alpha project to design and test a service to help councils get ready for the CAF, assess themselves against it, and submit it to DLUHC. Alongside the alpha project, we’ll be running a third pilot to test the service with a cohort of councils.

To help us support the sector ahead of the wider roll-out later this year, we’ve invited councils representing different areas of the country to take part in a six-month pilot from March 2024. The pilot councils will receive £50,000 to adopt the CAF with minimal direct support from us, and to take part in user research and testing to help us refine the service.

Through this latest pilot, we want to understand:

  • whether the materials and products we’ve created are sufficient to guide councils through the CAF independently
  • the resource required for councils to undertake the CAF

We plan to share updates on the progress of the pilot on our CAF webpage and we’ll also be blogging about our progress.

Additional support to help councils prepare for the CAF

In order to complete the CAF, councils will be required to identify their critical systems and produce network architecture diagrams. We will be providing additional support to councils to enable them to do this before the CAF is rolled out, including providing funding of £15,000 to each council that successfully completes the work.

We're currently testing guidance and conducting a series of workshops with a small group of councils before we make this support offer available to the rest of the sector in late Spring 2024. We will be able to share an update on this work at the end of March.

What your council can do to get ready for the CAF

Although the CAF for local government is still in development, we want to make sure councils are aware that it’s coming so they can start getting ready to undertake a CAF assessment.

We will share more information and guidance on how to get your organisation ready for the CAF over the coming months, as well as run a webinar to answer your questions – more info on that to come.

To follow our progress and hear about upcoming Show and Tells, make sure to:

You can also read more about Local Digital’s work to understand and improve local government cyber resilience on our website.

4 comments

  1. Comment by Mark Thompson posted on

    Dear Team - all this is great, but in addition to the good work you all do, there's an increasingly urgent conversation to be had about digitally-enabled transformation of the entire LG sector. This recently came to the fore once again with proposals for a 'LG GDS' DDAT capability.

    Please see my piece about this in UKAuthority today: https://www.ukauthority.com/articles/should-councils-have-a-local-government-digital-service/

    It would be good for the public to see more about DLUHC's plans as a policy department for transforming (as opposed to tweaking at the edges) the delivery model for local services in the UK using digital thinking.

    Thanks in advance

    Mark Thompson
    Professor of Digital Economy
    University of Exeter Business School