Cyber Assessment Framework for local government

The MHCLG Local Digital team has launched the Cyber Assessment Framework (CAF) for local government to set a clear cyber security standard for the sector.

Working with councils and cyber security experts, we have adapted the National Cyber Security Centre’s CAF to help you assess and improve your council’s cyber resilience and address vulnerabilities that could disrupt critical services.

The initial stages of the CAF for local government are now available as part of a phased release, enabling you to start using the tool while we continue to develop it based on feedback.

Why we’ve introduced the CAF for local government

Cyber attacks affecting the public sector are increasing. They can impact essential services, threaten the confidentiality of residents, and lead to significant financial costs.

In line with the Government Cyber Security Strategy (2022-2030), we have tailored the CAF, created by the National Cyber Security Centre, to suit the sector.

Completing the CAF for local government helps your organisation build a strong foundation of resilience, so your council can understand and manage risk appropriately.

The CAF for local government will also inform MHCLG’s understanding of the sector’s cyber security risks and issues, so we can consider how these can be addressed. 

What the CAF for local government involves

Undertaking the CAF for local government is an ongoing, collaborative process that takes a whole-organisation approach to cyber security. It encourages engagement across various council functions, including risk management, business continuity, and key services.

Key steps of the CAF for local government include:

  • identifying the critical systems your organisation relies on
  • completing self-assessments of both your organisation and its critical systems
  • an independent assurance review
  • developing an improvement and implementation plan to address your organisation’s vulnerabilities

How the CAF for local government relates to other cyber frameworks and standards

Undertaking the CAF for local government is voluntary. It does not replace existing cyber security standards such as PSN.

We are aware that there are a number of cyber compliance regimes councils have to interact with. We are working to understand and progress this area while we support you to start using the CAF for local government. Find out how the CAF for local government relates to other cyber standards.

What you can do now

We have now launched the first four stages of the CAF for local government, with the full service available by spring 2025. This phased approach will enable us to continue learning from our group of pilot councils and the wider sector.

You can learn more about how we’re designing the service on the MHCLG Digital blog.

Cyber Assessment Framework winter overview timeline graphic

How to get started

On the new UK Government Security website, you can find guidance on preparing to start the CAF for local government, setting the scope of your assessment, self-assessing your organisation, and the independent assurance review.

CAF for local government case studies

Learn about the experiences of councils who have already completed parts of the CAF for local government.

Video case study

Norfolk County Council

Norfolk County Council explain how the CAF for local government is helping to improve their cyber resilience.

Watch video case study

Audio testimonial

Maldon District Council

Maldon District Council share their experience of participating in the latest pilot of the CAF for local government.

Read blog post

Blog post

Hart District Council

Hart District Council are already seeing the benefits of taking part in the first CAF for local government pilot, including better awareness of cyber security across the organisation.

Read blog post

Sign up to receive updates about the CAF for local government

For the latest guidance and information on the CAF for local government, sign up to our CAF newsletter.