The potential impact of a cyber incident in a council can be devastating, as high profile attacks on Hackney and Redcar and Cleveland councils have highlighted. Not only is there the risk of a huge financial cost to respond and rebuild, cyber attacks also threaten the delivery of critical services like social care and revenues and benefits payments, with serious real-life impacts for citizens.
One of our core objectives at Local Digital is to work with councils to assess and manage the cyber risk to local government. Through past user research, we found that there are many cyber standards, but no clear baseline for local government. This makes it difficult for cyber-responsible people within councils to know which improvements to prioritise, and to build a convincing business case for investment.
We want to set a clear standard and expectation around cyber resilience for local authorities in England, based on the established National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF). This will guide councils to better understand their cyber posture and what steps they can take to improve it. It will also ultimately help us as a department to better understand (and act to help address) vulnerabilities across the sector.
About the Cyber Assessment Framework
The Government Cyber Security Strategy sets out an ambitious approach to building a strong foundation of organisational cyber resilience across government. This will be underpinned by the adoption of the NCSC’s Cyber Assessment Framework as a common way of assessing cyber risks, with specific CAF profiles guiding organisations as to which outcomes they should be fully or partially achieving to proportionately respond to the varying threats to their functions.
In line with the aims of the Government Cyber Security Strategy, and what we’ve learned from our previous projects, we want to understand what an appropriate CAF profile for local government looks like and how councils could use this to assess and improve their cyber resilience.
About the pilot project
We are now kicking off a pilot project with a small cohort of councils that will take place over the Autumn. We will test a Local Government CAF Profile and explore the benefits and challenges for councils of using this to assess their posture.
Pilot councils will carry out an assessment of their network with reference to the 39 CAF Outcomes and supporting Indicators of Good Practice, and review and discuss the process through one-to-one workshops with a DLUHC cyber assessor.
We will capture the experience and insights from each council and explore questions like:
- Will the same CAF Profile be appropriate for all councils in England?
- What guidance will councils need to complete it?
- Is a single assessment per council going to be useful and viable?
- What are the potential barriers and challenges to councils carrying out the assessment?
- What (if any) additional sector-specific Indicators or guidance would be beneficial for councils?
- Is the assessment a helpful way for councils to identify and prioritise cyber resilience actions? Why?
- How does the Local Government CAF align with existing frameworks used by councils?
This will build on Local Digital’s past and current work to improve cyber security in councils, including the Cyber Support team’s technical remediation and support activities, Cyber Health Framework project, and Cyber Incident Response planning.
What happens next
We’ll be sharing our findings and progress from the pilot as we go, through the DLUHC Digital blog and online events. Subscribe to our fortnightly newsletter or follow us on Twitter or LinkedIn for regular updates and to hear about upcoming events.
Once the pilot ends, we plan to continue the roll-out of the CAF with councils across England. We’ll continue to iterate and develop the framework and supporting guidance, and explore what reporting and assurance models for local government could look like.
We will also consider opportunities for integration with other IT requirements across Government, to ultimately help shape a clear, sustainable approach to managing cyber risk across the sector.