I’ve spoken to countless organisations about how overwhelming cybersecurity can feel. So, you’re not alone if you’re feeling this way.
As an IT leader in local government, you already have a lot on your plate. The added pressure of CAF for local government might seem like just another challenge to add to the list.
But here’s the good news. You don’t have to tackle it alone and it doesn’t have to be as daunting as it might first seem.
The NCSC’s Cyber Assessment Framework (CAF) provides a structured approach to improving your local gov’s cybersecurity.
But understanding the “what” is only the start. It’s the “how” that often leaves you feeling overwhelmed.
Let’s walk through the four objectives of CAF for local government. Together, we’ll tackle the challenges you’re facing and create a practical roadmap for you to start making progress today.
The goal? To help you feel less overwhelmed and more confident as you take on the journey to CAF compliance.
So, what is the Cyber Assessment Framework (CAF)?
The Cyber Assessment Framework (CAF) was created by the National Cyber Security Centre (NCSC). You might hear this being referred to as ‘pure CAF’ or ‘vanilla CAF’ as it’s the original source.
The Ministry of Housing, Communities and Local Government (MHCLG) Local Digital team took this and created an overlay called ‘CAF for local government’. It’s designed to provide a clear cybersecurity standard for the sector.
Because the CAF takes a whole-organisation approach to cybersecurity, you can gain a better understanding of your council’s cyber resilience and how it compares to the targets for local government.
The CAF for local government is voluntary at the moment. However, it will most likely become mandatory in 2025 and beyond. The Government Cyber Security Strategy makes it clear that the CAF is the future, so it’s best to get ahead of the game.
The CAF for local government is designed to focus on outcomes rather than just ticking boxes. It’s about what you need to achieve, not prescribing exactly how you get there.
Here’s how the CAF is structured:
- The four high-level objectives (A-D)
- 14 principles, grouped under the objectives, that set the overall direction
- 39 contributing outcomes – a detailed list that shows what “good” looks like in practice
- Indicators of Good Practice (IGPs) – that rate each outcome as either ‘not achieved’, ‘partially achieved’, or ‘achieved’ based on the statements provided
When you assess your organisation with the CAF, you’ll evaluate each contributing outcome against the IGPs – this will help you determine where you stand against the principles and objectives. We’ll break those down a bit later on.
A quick word on CAF profiles
I must stress that you are NOT required to rate all 39 contributing outcomes as ‘achieved’ to successfully complete the CAF. That would involve a massive undertaking that would consume all of your time, energy and resources.
CAF profiles essentially tell you which outcomes need to be ‘achieved’, ‘partially achieved’ or ‘not achieved’ for your sector.
The CAF for local government profile is under development at the moment and I will update you when it’s available.
Don’t start just yet
My advice? Take time to understand the CAF and its objectives before starting any form of self-assessment.
You also need to understand the scope of the assessment, define your organisational context and identify:
- Key roles and responsibilities for the assessment
- Essential services
- Critical systems
Let’s begin by exploring what CAF’s four objectives mean for you in more detail.
The four objectives of CAF. Let’s break them down
When it comes to cybersecurity, the CAF for local government is all about building resilience.
To make things a bit easier, Local Digital has split the four CAF objectives into two self-assessments groups.
- Group 1: Self-assessment of your organisation (objectives A and D)
- Group 2: Self-assessment of your critical systems (objectives B and C)
Think of it as a roadmap for tackling security from both an organisational level and a critical systems level.
Here’s how it breaks down.
Self-assessment of your organisation
1. Managing security risk (objective A)
This is the foundation.
Managing risks starts with having the right structures, policies and processes in place to understand and address potential threats.
Ask yourself:
- Do we have clear governance for how we approach cybersecurity?
- Are we actively identifying, assessing and prioritising risks to essential systems?
- Do we understand which systems and services are critical to our operations?
- Are we managing risks introduced by external suppliers?
If this feels overwhelming, don’t worry. You don’t need to tackle everything at once. Focus on your most critical systems first, and build out from there.
2. Minimising the impact of cyber security incidents (objective D)
This one’s about being prepared.
Let’s be honest here. No system is 100% foolproof. So, the question is, how ready are you to respond if something goes wrong?
This objective is all about resilience:
- Do you have an incident response plan that covers containment, mitigation, and recovery?
- Are you learning from past incidents to make your organisation stronger?
Jon McGinty, Managing Director at Gloucester City Council, explains how they managed a cyber attack in 2021. McGinty said:
Prepare as best you can to defend, protect and reduce your risk, but make sure you prepare and practice for the near certainty that this will happen to you and your organisation at some point in the future
Start small. Outline who’s responsible for what and run regular practice exercises. The goal is to be able to bounce back quickly while keeping essential services running.
Self-assessment of your critical systems
3. Protecting against cyber attacks (objective B)
Now, let’s look at your defences.
This objective asks if you have proportionate security measures in place to protect your critical systems.
Think about:
- Are there clear policies for securing systems and data?
- Is access to critical systems tightly controlled?
- Are sensitive data and critical systems protected from known threats?
- Do your networks have the resilience to stand up to an attack?
- Are staff trained and aware of their role in maintaining security?
You don’t need to have everything perfect. Every step you take strengthens your security posture.
4. Detecting cyber security events (objective C)
Finally, let’s talk detection.
It’s not just about building strong walls. It’s also about knowing when someone’s trying to climb over them.
This objective focuses on whether your organisation can detect threats effectively. You should be asking:
- Are you monitoring your systems for unusual activity?
- Do you have tools in place to proactively discover vulnerabilities or breaches?
Even basic detection capabilities can make a huge difference. The key is acting quickly before issues escalate.
Feedback from the ‘Future Councils’ CAF pilot
In September 2022, the UK government’s Local Digital team began a CAF pilot with 30 UK councils to explore how it could be used to help assess and manage cyber risks across local government.
Responding as part of the 2022 pilot, one council IT leader said:
We’re used to doing technical assessments, but this is more than that, and already it’s made us look at an area we had been ignoring.
This shows that CAF isn’t about perfection. It’s about continuous improvement. Another said:
It certainly highlighted some things that do need to be fixed and some things we’re doing alright on – it’s a good exercise!
It’s flexible enough to suit your organisation’s specific needs while giving you a clear structure to follow. However, there needs to be engagement from leaders outside of the IT team for this to be effective. As one council pointed out:
There is a base level understanding at board level, but in order to achieve certain areas of the CAF, we would need to have a wider understanding of cyber.
Setting the scope for your CAF assessment
Defining the scope for your CAF self-assessment is where things start to get real.
The challenge here? Striking the right balance between being thorough and keeping things manageable. If you scope too wide, you risk overwhelming your team. Scope too narrow, and you might miss critical vulnerabilities.
Why scoping matters in CAF for local government
Getting your scope right sets the foundation for everything else. It helps you understand your organisational context, including your mission, priorities and risk appetite.
Without a well-defined scope, your CAF assessment risks being unfocused and less effective.
How to approach scoping
- Start with your council’s mission
Think about what your council is here to do, its key priorities and the services that matter most to your community. These will guide your decisions about what to include.
- Map out your essential services
Identify the services that your council simply cannot do without. These are the ones that directly support your priorities and ensure your council’s objectives are met.
- Pinpoint your critical systems
Once you’ve identified your essential services, the next step is figuring out the systems that keep them running. Use tools like the five-lens approach to prioritise which systems are critical for your assessment.
- Document everything
Use the CAF scoping workbook to record your decisions. This will be your single source of truth throughout the process. It’s essential for keeping everyone aligned.
- Collaborate widely
Scoping isn’t a job for one person. Bring in service leads, business system owners, IT and cyber security teams and other relevant stakeholders. Consider running workshops to get input from across the organisation.
The time investment
Plan to spend around 30–35 hours on this step. It’s time well spent. Proper scoping ensures you focus your efforts on the right areas later in the assessment.
Once your scoping workbook is complete, get it reviewed by your independent assurer and CAF approver. Their feedback will help you ensure nothing’s been missed and that your scope is robust.
Tip: Don’t rush this stage. A well-defined scope will make the rest of the process smoother and more focused.
Identifying your essential services for CAF
Defining your council’s essential services is one of the first steps in your CAF self-assessment.
A big challenge councils face is getting everyone on the same page. Each team has its own view of what’s “essential,” and those priorities don’t always align.
So, how do you make this work? Start by acknowledging that everyone’s perspective is valid. To move forward, you need a clear process and collaboration. Here’s how you can tackle it.
Getting everyone to agree on essentials
The housing team might say their tenant systems are essential, while IT focuses on keeping the network online. Both are right. But how do you prioritise?
Host a workshop or meeting with key stakeholders from different departments. Use this time to talk through each service’s importance and the potential impact if it were unavailable.
Frame the discussion around shared goals i.e. how the council serves residents and stays resilient.
Spotting the hidden connections
Another big hurdle is uncovering dependencies.
It’s easy to focus on the service itself and forget what it relies on. For instance, your benefits system might be critical, but it won’t function without specific IT infrastructure or third-party support.
Work with someone who knows your systems inside out. Reach out to someone like an IT architect or systems mapper. They can help you untangle these connections and show everyone the bigger picture.
A visual map of dependencies can be a game-changer here.
What you’ll get out of this
By the end of this process, you’ll have a shortlist of truly essential services that everyone agrees on. These are the ones that:
- Residents can’t do without.
- Keep people safe or meet legal obligations.
- Would cause major disruption if they failed.
Document this list and make sure everyone’s signed off on it.
This isn’t just for the CAF. It’s the foundation for protecting what really matters in your council.
Remember, it’s not about whose service is “most important.” It’s about making decisions together to protect the council’s ability to deliver for residents.
With the right tools and approach, you can make this a collaborative success.
Identifying your critical systems
After defining your essential services, the next step is identifying potential critical systems for your CAF for local government self-assessment.
Critical systems are the network and information systems that your essential services depend on. These are the systems most important to protect, as their compromise could lead to severe financial, legal, reputational or safety consequences for your organisation.
I know I mentioned this already, but use a framework like the Five Lens Model. It gives you an impartial way to evaluate services, so discussions don’t turn into debates.
The challenge with identifying critical systems
Identifying critical systems can feel like a minefield. Especially when faced with numerous systems and limited resources.
How do you choose which ones are truly critical? And how do you ensure the process is thorough without consuming excessive time?
How to address this challenge
By following a structured approach and collaborating effectively, you can make informed decisions without unnecessary complexity. Here’s how:
1. Identify critical systems
Start by listing systems that underpin your council’s essential services. These could include systems hosted on-premises, in the cloud or by third-party providers.
Examples of critical systems include:
- Social care systems
- Revenue and benefits systems
- Electoral systems
- Active Directory or Azure AD for authentication and access control
- Corporate systems like Microsoft Office 365
The challenge here is recognising dependencies that might not be immediately obvious. Work with technical experts and system owners to avoid overlooking anything.
2. Document critical systems
Update your CAF scoping workbook with the following details for each identified critical system:
- System name
- Essential service it supports
- Core IT infrastructure (e.g., network or cloud provider)
- Breakdown of backend systems/applications (if applicable)
- Decision on whether the system is in scope for assessment
This step requires attention to detail but a collaborative effort can lighten the load.
Consider using shared tools like Excel or project management software to keep everyone aligned.
3. Prioritise critical systems
During scoping, aim to identify and prioritise three critical systems that you may decide to take forward for self-assessment.
These should be the systems that, if disrupted, would have the most significant impact on your council’s ability to deliver essential services.
Prioritisation often sparks debate. Encourage team discussions to ensure diverse perspectives are considered.
Use criteria like impact severity and likelihood of compromise to guide decisions.
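The “hidden connections” point from the essential services section and the three steps above (list, document, prioritise) both come down to the same exercise: walking from each essential service through everything it relies on, so that shared infrastructure and third-party hosting surface as candidate critical systems. The script below is an added example, not code from the original post or from Local Digital or the NCSC. The services, systems and dependency edges are constructed for illustration, the “(third party)” label is an assumed naming convention, and the ranking rule (systems underpinning the most essential services first) is one possible prioritisation criterion, not the Five Lens Model, which the post does not describe in detail.

```python
"""Dependency walk from essential services to candidate critical systems.

Added example, not part of the original post. All services, systems and
dependency edges below are constructed sample data; a council would fill
these in from its own scoping workshops and systems-mapping work.
"""
from collections import defaultdict

# Constructed sample data: the essential services agreed in the workshop.
ESSENTIAL_SERVICES = ["Housing benefits", "Adult social care", "Elections"]

# Constructed sample data: each key maps a service or system to the things it
# directly depends on. Anything reachable from an essential service is a
# candidate critical system, even if nobody named it in the workshop.
DEPENDENCIES = {
    "Housing benefits": ["Revenues and benefits system"],
    "Adult social care": ["Social care case system"],
    "Elections": ["Electoral register system"],
    "Revenues and benefits system": [
        "Active Directory", "Core network", "Payments gateway (third party)",
    ],
    "Social care case system": [
        "Active Directory", "Core network", "Cloud hosting (third party)",
    ],
    "Electoral register system": ["Active Directory", "Core network"],
    "Active Directory": ["Core network"],
    "Core network": [],
    "Payments gateway (third party)": [],
    "Cloud hosting (third party)": [],
}

# Assumed labelling convention for externally hosted systems (hypothetical).
THIRD_PARTY_MARKER = "(third party)"


def transitive_dependencies(node, graph, seen=None):
    """Return every system reachable from `node` by following dependency edges.

    Depth-first walk; `seen` also guards against cycles, which do occur in
    real estates (e.g. a monitoring platform that authenticates via AD while
    AD's own health alerting relies on that platform).
    """
    if seen is None:
        seen = set()
    for dep in graph.get(node, []):
        if dep not in seen:
            seen.add(dep)
            transitive_dependencies(dep, graph, seen)
    return seen


def candidate_critical_systems(essential_services, graph):
    """Map each reachable system to the set of essential services relying on it."""
    reliant = defaultdict(set)
    for service in essential_services:
        for system in transitive_dependencies(service, graph):
            reliant[system].add(service)
    return dict(reliant)


def prioritised_shortlist(essential_services, graph, top_n=3):
    """Rank candidates by how many essential services they underpin (ties by name).

    Returns (system, sorted list of reliant services, externally_hosted) tuples.
    The third field flags systems whose security responsibilities need to be
    pinned down in a contract rather than managed in-house.
    """
    reliant = candidate_critical_systems(essential_services, graph)
    ranked = sorted(reliant.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [
        (system, sorted(services), THIRD_PARTY_MARKER in system)
        for system, services in ranked[:top_n]
    ]


if __name__ == "__main__":
    for system, services, external in prioritised_shortlist(
        ESSENTIAL_SERVICES, DEPENDENCIES
    ):
        note = " [third party: confirm contract covers security controls]" if external else ""
        print(f"{system}: underpins {len(services)} essential service(s){note}")
```

Run as-is, the walk ranks the core network and Active Directory at the top because all three essential services reach them indirectly, even though neither was named as a service in the workshop; that is exactly the kind of dependency the post warns is easy to miss. The shortlist of three is a starting point for the team discussion, not a substitute for it.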
Addressing commercial and shared services challenges
Critical systems hosted externally by third-party providers or shared services can introduce complexity.
How do you ensure security measures meet your needs? Clear contracts defining responsibilities for security controls are essential.
Work closely with procurement and legal teams to verify compliance.
Next steps
After identifying and documenting critical systems, review and finalise the shortlist as a team.
Ensure all decisions are captured in your scoping workbook before submitting it for review. By working collaboratively and systematically, you can overcome challenges and ensure your council’s critical systems are accurately identified and prioritised.
Getting the right people involved
Getting the right people involved in your CAF for local government self-assessment can feel like herding cats.
Everyone is busy and some may not immediately see how their role fits into the process. That’s why it’s important to plan carefully and make collaboration as smooth as possible.
Start by defining the core roles
There are a few key roles you’ll need to fill for the CAF for local government process:
- CAF Lead: The person who takes charge of coordinating everything. Ideally, this should be someone with a good understanding of cybersecurity and local government systems. They’ll need to dedicate a significant amount of time (around 100 hours), so make sure they have the capacity to focus.
- Approver: A senior leader who can advocate for the CAF at the board level and take accountability for the final submission. This might be your CIO or Head of ICT. Their involvement (about 25 hours) is crucial for setting the right tone and priorities.
- Collaborators: Specialists from across your council who contribute their expertise. These might include service leads, system owners, IT architects and procurement or risk managers. Their time commitments will vary depending on the stage, but they’ll often provide the detailed evidence and insights you need.
- Systems Mapper: Someone with technical expertise who can map out your critical systems in detail. If you don’t have this role in-house, you might need to seek external support.
- Quality Assurer: Someone to double-check that your assessment is accurate and complete before submission. This role could be taken on by the CAF lead or a senior IT professional.
The challenges of getting everyone on board
One of the biggest hurdles in this process is making time for people who are already juggling other responsibilities.
It’s not just about asking for their help. It’s about making it as easy as possible for them to contribute.
Here are some common challenges you might face:
- Limited Availability: People are busy, and finding time for workshops or meetings can be tricky.
- Unclear Roles: Without clear expectations, team members might not know what they’re supposed to do.
- Competing Priorities: Some collaborators might not see the CAF for local government as a priority compared to their other work.
Solutions for better collaboration
To stay on track with your team, start by planning ahead.
Once you know who you need, check their availability and book meetings or workshops early. Make sure everyone understands how their role supports the bigger goal. When they see the value, they’ll engage more.
Break the process into manageable steps, starting with a scoping session to agree on priorities and assign clear follow-up actions.
Use collaboration tools like Teams or Slack to keep communication easy and transparent.
Lastly, keep in touch regularly with quick check-ins, whether through email or a short call. This should help you spot any blockers early and keep things moving smoothly.
Navigating time pressures
Let’s talk about the elephant in the room: time.
Completing the CAF for local government is a big commitment. It could take around 220 hours to complete. If you’re like most councils, you’re already juggling a mountain of competing priorities. Time is tight, but here’s the good news: it’s doable, especially if you know where the pitfalls are and how to avoid them.
Finding time when there’s none to spare
Balancing day-to-day operations with a detailed assessment process isn’t easy.
You’re looking at anywhere from 45 to 60 hours for some stages. Not counting the time it takes to coordinate meetings, chase down information or handle last-minute surprises. Here’s an example CAF schedule you can use to map out timings and activities that can be done simultaneously.
For councils with smaller teams or stretched resources, that can feel overwhelming.
And let’s not forget the added complexity if you have limited access to key stakeholders. Getting everyone in the same room (or even on the same Teams call) can be an uphill battle.
Plan, prioritise and stay flexible
Here’s how you can take the pressure off:
- Break it down
Instead of treating the CAF for local government as one massive task, divide it into smaller, manageable stages. Focus on the tasks you can complete now, like preparing for the CAF and setting the scope. Save more time-intensive tasks, like mapping critical systems, for later when additional guidance becomes available.
- Make use of downtime
Use quiet periods in your council’s schedule to tackle bigger chunks of work. For example, align your efforts with times when major projects or audits are wrapping up.
- Prioritise collaboration early
The quicker you can identify your key players and book collaboration sessions, the smoother the process will be. Scheduling recurring check-ins or progress updates can also help you stay on track without scrambling for time later.
- Stay realistic about timelines
If you’re stretched thin, be honest about what’s achievable. It’s better to do fewer stages thoroughly than rush through and miss critical details. The CAF for local government is designed to be flexible. Use that to your advantage.
Addressing the pressure points
What if a stage is taking longer than expected?
Don’t panic. Break the stage into even smaller tasks and focus on clearing bottlenecks one by one. For example, if mapping systems feels like it’s dragging, assign subtasks like gathering data or creating diagrams to specific team members.
What if you’re falling behind schedule?
Reassess your priorities and adjust where needed. Consider shifting non-urgent council tasks or seeking temporary support – whether that’s internal reallocations or external expertise.
Remember the bigger picture
Yes, the CAF takes time, but think of it as an investment in your council’s resilience.
The effort you put in now could prevent far greater disruptions down the line. Start by tackling what you can with the resources available and keep communicating with your team about progress and roadblocks.
Remember, it’s not about completing everything perfectly in one go. It’s about building a strong foundation, one step at a time.
What’s next?
The CAF for local government is designed to be flexible and outcomes-focused.
By breaking it into two self-assessments, one for your organisation, the other for your critical systems, you can involve the right collaborators and focus your efforts where they’ll have the biggest impact.
Take it step by step. Remember to:
- Start with the basics.
- Assess your gaps.
- Prioritise your critical systems.
Remember, this isn’t about perfection.
It’s about progress. With a solid plan and consistent effort, you’ll build a stronger, more resilient organisation.