Government launches cyber standard for local authorities

The Ministry of Housing, Communities and Local Government (MHCLG) has launched a Cyber Assessment Framework (CAF) for local government bodies, drawing on the National Cyber Security Centre’s (NCSC’s) existing CAF to offer tailored guidance and support to local authorities up and down the UK.

MHCLG said the new framework would set a clear cyber security standard for the sector, which experiences its fair share of cyber attacks in common with other public sector bodies. Historic attacks on local authorities, such as the Pysa ransomware hit on Hackney Council in October 2020, disrupt important local services – in Hackney’s case housing – impact residents’ daily lives, and can lead to significant costs and regulatory repercussions.

Ultimately, the enhanced CAF will enable local government bodies to assess and correct issues affecting their resilience to cyber attacks. Its core steps include identifying the critical systems relied upon within the organisation, completing self-assessments of the organisation and these systems, conducting an independent assurance review, and developing improvement and implementation plans to address vulnerabilities that could one day serve as entry points for threat actors.

Ben Cheetham, deputy director of digital at MHCLG, said the launch of the CAF represented a new focus for the department in terms of security.

“To date, MHCLG’s cyber support for councils has focused on remediating serious vulnerabilities to help improve the sector’s resilience to malware and ransomware,” he said.

“With the evolving cyber threat, it is now time to turn our attention to how we support councils to strengthen their cyber resilience for years to come.

“The CAF for local government helps organisations assess and improve their cyber security through a risk-based and holistic approach. This requires collaboration across the organisation, breaking down perceptions that cyber security is purely an IT issue,” continued Cheetham.

“This is a step-change that’s needed to protect important local government services in an ever-changing threat landscape. I would like to thank all the local authorities that have helped pilot the CAF for local government over the past couple of years and worked with us to ensure that it will be a success,” he added.

The initial two stages of the CAF – identifying systems and conducting self-assessments – are already available, with the other phases to be rolled out over the coming months as MHCLG’s local digital team works with feedback from pilots. The department said the full service is expected to become available in spring 2025.

MHCLG stressed that undertaking the framework was voluntary and could be completed in tandem with other standards, such as the NCSC’s Cyber Essentials scheme.