In October 2024, the MHCLG Local Digital team launched the Cyber Assessment Framework (CAF) for local government to set a clear cyber security standard for the sector.

The CAF for local government has been adapted from the National Cyber Security Centre’s CAF to meet the sector’s specific needs. 

We’re taking an iterative, user-centred design approach to building and introducing the service, which will be launched in stages.

Our collaborative design approach

Collaboration is at the heart of the new CAF for local government service. 

Since the Government Cyber Security Strategy was published, we’ve been working with councils to test how we could apply the CAF to local government and understand the support councils need. 

During the latest pilot phase, we worked closely with 20 councils to understand the sector’s needs and design guidance and support materials to meet these requirements. Each part of the service has been iterated based on feedback surveys, interviews, and group sessions with pilot councils. Learn more about the pilot in our previous blog post

Through this collaborative process, we learned that councils need information in digestible formats, accessible to non-technical users, and communicated in a language they understand. 

We also identified that councils were struggling with particular areas, including identifying and prioritising their critical systems and mapping their network architecture. In response, we launched Get CAF Ready to help councils navigate the most challenging parts of the assessment process. Over 200 councils signed up to Get CAF Ready and are close to completing these activities. 

These programmes have helped us to understand more about what councils find difficult, so we can design a future support service to help them overcome these pain points. 

“This time round the CAF feels more achievable. Three years ago when talking to other councils they said "this has been built for companies with tons of money, this is unachievable." Now this time round you look at it and think, yes that’s better; we can do this.” CAF pilot participant 

Why we’re launching in stages 

The initial stages of the CAF for local government are now available on the new UK Government Security website, with final stages planned for release Spring 2025. 

Launching gradually means councils can begin their assessment process while we continue to develop and refine the service. There will be regular opportunities to give feedback before the full service is available. 

We’re still exploring areas such as:

how the CAF for local government fits within the wider cyber compliance landscape, including opportunities for greater clarity and rationalisation additional support councils may need to complete the CAF, including training for senior leaders how councils can submit their final assessment simply and securely

Using the Government Security service

We considered multiple options for hosting the CAF for local government before deciding on Government Security – a new site which will be the home of cyber security information for government. 

So far, most of the information on the site is aimed at central government. By introducing the CAF for local government, we’re hoping it will be the ‘go to’ resource for local government cyber security information too.

The Government Security service met our design and functionality needs with a clear, easy-to-navigate interface, while also being built with security in mind. 

As with any new service, there may be some initial challenges. We’ll be learning from the interactions with the site and make improvements as needed. 

The next steps for the CAF for local government

Councils who want to get started can access the first three stages of the CAF for local government: 

Prepare for the CAF Set your scope Self-assess your organisation 

We aim to launch the independent assurance stage by the end of the year, where submissions can be reviewed by an independent provider. 

Next year, councils will be able to start the assessment of their critical systems. The CAF for local government looks at cyber security through two lenses: the whole organisation and critical systems. The assessment is split accordingly. 

The organisational assessment evaluates the council's overall approach to risk management and minimising the impact of cyber security incidents, covering objectives A and D of the NCSC's CAF. The critical system self-assessment is focused on technical controls that protect critical systems from cyber attacks and detect cyber security events, covering objectives B and C of the CAF.

By spring 2025, the full service will be available and councils will be able to submit their assessments to MHCLG.  

You can visit our CAF for local government webpage and subscribe to the CAF newsletter for the latest updates.