The Local Digital Team at the Department for Levelling Up, Housing and Communities (DLUHC) is working on a version of the Cyber Assessment Framework (CAF) specifically for local authorities.
Its senior cyber product manager, Rachel Downs, outlined the plan in a presentation to the UKAuthority Resilience and Cybre4Good conference last week, saying that it builds on an earlier project to test the value of CAF in local government.
CAF, developed by the National Cyber Security Centre, provides guidance for organisations that are responsible for vitally important services and activities in assessing their cyber resilience capabilities.
Downs said the first pilot project, involving 10 councils, required a lot of direct support from the Local Digital team, and that it wants to help others carry out the process themselves.
“As part of this we are developing CAF Overlay, the collective term for all wraparound stuff we are adding to CAF for councils,” she said. “This is things like standalone guidance, templates, and other types of supporting material like video explainers.
“We are keen to make this as light touch as it can be, with the key information around scope and helping councils through the self-assessment process.”
Reporting service possibility
Local Digital is aiming to have the service in place by early next year, and there is a possibility that it could come with a reporting service on which councils could send back the results of their assessments.
It is also aiming to understand whether the CAF process imposes a burden on councils to inform future policy decisions.
Downs said that one of the results from the review of the first pilots, which took place late last year, was that several councils did not have the documentation to fully support the process, that this made it hard for them to understand the dependencies of different systems, and that they struggled with capacity and timescales.
A second round is now taking place under the Future Councils programme, involving eight local authorities and including an in-depth assessment of the CAF.
Scoping issue
“It’s important to mention that in the previous pilot we did not set a specific scope, but put the CAF out there and asked councils to apply it to their whole organisation, which was quite difficult,” she said.
“This time around we are asking councils to collect three critical systems and look at their underlying enterprise network, and we’re focusing on those for the assessments.
“Through that pilot we’re developing best practice, guidance materials, templates and a lot of documentation to support councils through this in the future; and we’re starting a discovery into some automated validation controls.
“We’re also trying to automate where possible to make it as easy as possible for councils to demonstrate they are meeting the requirements of the CAF.”
She added that the three systems most commonly nominated by councils for the scoping are adult social care, children’s social care and finance; and urged councils to think hard about the critical systems they should prioritise in a CAF assessment.
