Cyber Assessment Framework for local government

The MHCLG Local Digital team has launched the Cyber Assessment Framework (CAF) for local government to set a clear cyber security standard for the sector.

Working with councils and cyber security experts, we have adapted the National Cyber Security Centre’s CAF to help you assess and improve your council’s cyber resilience and address vulnerabilities that could disrupt critical services.

The initial stages of the CAF for local government are now available as part of a phased release, enabling you to start using the tool while we continue to develop it based on feedback.

Why we’ve introduced the CAF for local government

Cyber attacks affecting the public sector are increasing. They can impact essential services, threaten the confidentiality of residents, and lead to significant financial costs.

In line with the Government Cyber Security Strategy (2022-2030), we have tailored the CAF (created by the National Cyber Security Centre) in a way that is suitable for the sector. We conducted a number of pilots to test the CAF for local government as a tool for councils and identify what support councils need to be able to undertake the assessment. Find out more about our pilot phases in this blog post. 

Completing the CAF for local government helps your organisation build a strong foundation of resilience, so your council can understand and manage risk appropriately. The CAF for local government will also inform MHCLG’s understanding of the sector’s cyber security risks and issues, so we can consider how these can be addressed. 

What the CAF for local government involves

Undertaking the CAF for local government is an ongoing, collaborative process that takes a whole-organisation approach to cyber security. It encourages engagement across various council functions, including risk management, business continuity, and key services.

Key steps of the CAF for local government include:

  • identifying the critical systems your organisation relies on
  • completing self-assessments of both your organisation and its critical systems
  • an independent assurance review
  • developing an improvement and implementation plan to address your organisation’s vulnerabilities

How the CAF for local government relates to other cyber frameworks and standards

Undertaking the CAF for local government is voluntary. It does not replace existing cyber security standards such as PSN. 

We are aware that there are a number of cyber compliance regimes councils have to interact with. We are working to understand and progress this area while we support you to start using the CAF for local government. 

Find out more about how the CAF for local government relates to other cyber standards 

How to get started

On the new UK Government Security website, you can find guidance on preparing to start the CAF for local government, setting the scope of your assessment, self-assessing your organisation, and the independent assurance review.

What’s next

We have now launched the first four stages of the CAF for local government, with the full service available by spring 2025. This phased approach will enable us to continue learning from our group of pilot councils and the wider sector. Learn more about how we’re designing a user-centred service.

Cyber Assessment Framework winter overview timeline graphic

Sign up to receive updates about the CAF for local government

For the latest guidance and information on the CAF for local government, sign up to our CAF newsletter.