The Department of Levelling Up, Housing, and Communities has announced that, alongside the Government Cyber Security Strategy, there is to be an assessment of the standards and expectations around cyber resilience at local authority level. A pilot was also announced that will see a small number of councils testing a Local Government Cyber Assessment Framework.
Referencing the ‘high-profile’ cyber attacks on councils in Hackney and Redcar and Cleveland, the announcement highlights how existing frameworks do not necessarily outline basic requirements for local government cyber security.
In the statement, the Local Digital team said:
“One of our core objectives at Local Digital is to work with councils to assess and manage the cyber risk to local government. Through past user research, we found that there are many cyber standards, but no clear baseline for local government. This makes it difficult for cyber responsible people within councils to know which improvements to prioritise and build a convincing business case for investment.
“We want to set a clear standard and expectation around cyber resilience for local authorities in England, based on the established National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF). This will guide councils to better understand their cyber posture and what steps they can take to improve it. It will also ultimately help us as a department to better understand – and act to help address – vulnerabilities across the sector.”
The pilot project will explore the benefits and challenges of using a Cyber Assessment Framework to assess councils' cyber security posture. The councils involved will reference the 39 CAF outcomes, as well as the supporting Indicators of Good Practice, so that they can review and discuss the process. This will be done by way of one-to-one workshops with a cyber assessor from the Department of Levelling Up, Housing, and Communities.
Questions that will be explored in the pilot include:
- Will the same CAF Profile be appropriate for all councils in England?
- What guidance will councils need to complete it?
- Is a single assessment per council going to be useful and viable?
- What are the potential barriers and challenges to councils carrying out the assessment?
- What (if any) additional sector-specific indicators or guidance would be beneficial for councils?
- Is the assessment a helpful way for councils to identify and prioritise cyber resilience actions? Why?
- How does the Local Government CAF align with existing frameworks used by councils?
The findings from the pilot will be shared, with the continued rollout of the CAF to councils across England getting underway at the conclusion of the pilot.