Local authorities can obtain value from using the Cyber Assessment Framework (CAF) but more has to be done to increase confidence in the assessments, according to the Local Digital team in the Department for Levelling Up, Housing and Communities (DLUHC).
It has published a review of pilots run with 10 councils towards the end of last year, in which they completed a self-assessment against the CAF – developed by the National Centre for Cyber Security – in several stages, each of which was followed by workshops with Local Digital’s cyber specialists.
Local Digital said this has demonstrated that the CAF and an associated profile have the potential to act as a benchmark and tool to improve cyber security in local government.
Its key findings include that the CAF can help councils identify new ways to improve security, help them set priorities and support communication between cyber teams and senior leaders. In addition, council IT leads see the potential for the value to increase through services such as third-party audits and alignment with government compliance requirements.
The draft profile, which sets a benchmark for councils to aim for, is seen as challenging but not disproportionate to the cyber risks they face.
Need for definition and confidence
But these come with caveats, among them that there is still a need to define how councils should apply the assessments and what ‘essential functions’ mean in a local government context, as this may impact the achievability of a CAF.
There is also a need to increase confidence in the assessments so councils can feel they are taking the right steps and provide evidence to other organisations regarding their maturity in cyber security.
The review identifies a number of implications for the next phase of work, including the need to research and test what kind of interventions will encourage take-up of the CAF and ensure a return on investment for councils.
Others are the need to continue to iterate some sections of the framework for local government, to ensure councils have access to guidance and to research and test ways to build it into local authorities’ assessments.
Scoping, assurance and alignment
Further work will also be done on the scope of assessments and defining essential functions, reporting and loss assurance models, cross-government alignment, and how to engage with teams in councils outside of IT.
The document also emphasises the importance of cyber security in the recently launched Future Councils pilot programme.
Local Digital stated: “This was our first step in understanding how a cyber security baseline for local government might work, as part of our wider work to support councils in England to assess and improve their cyber posture.”