With the ever-growing threat of cyberattacks on the UK government and Critical National Infrastructure, cyber security matters more than ever.
With this ever-present threat in mind, the UK government launched GovAssure in April 2023. It is a cyber security assurance programme that aims to ensure government IT systems are adequately protected against cyberattacks.
The new cyber security scheme is run by the Cabinet Office’s Government Security Group (GSG), with input from the National Cyber Security Centre (NCSC). Under this new scheme, all central government departments will have their cyber health reviewed annually through new, more robust criteria.
At the launch of the scheme, Government Chief Security Officer Vincent Devine described GovAssure as a chance to gain far greater visibility of the common cyber security challenges facing government, as well as “a powerful tool for security advocacy” that will empower cyber security professionals to strengthen the case for security change and investment.
GovAssure reviews the cyber security approaches of government departments (and selected arm’s length bodies). It currently applies only to OFFICIAL systems and does not cover SECRET systems or higher.
It will help develop a greater understanding of the cyber security posture and capability of government departments and arm’s length bodies. Through robust annual security audits, departments must now attest to their cyber security assurance measures as set out in the NCSC’s Cyber Assessment Framework (CAF).
The CAF sets out indicators of good practice for managing security risk and protecting against cyberattacks.
The NCSC’s CAF was designed to be used by operators within Critical National Infrastructure (CNI) in relation to the Network & Information Systems (NIS) regulations, which aimed to raise cyber security levels and resilience of key systems across the EU. NIS came into force in the UK in May 2018.
GovAssure replaces the ‘Departmental Security Health Checks’ that departments previously had to provide to the Cabinet Office for review. This is a key part of the Government Cyber Security Strategy to improve cyber resilience and help government organisations protect themselves from growing hostile cyber threats.
GovAssure is a five-stage process:
- Organisational context and services
- In-scope systems and assignment to the Government CAF profile
- CAF self-assessment
- Independent assurance review
- Final assessment and targeted improvement plan
The first stage of GovAssure is a scoping exercise. Here, organisations must develop a complete understanding of their strategic context and of the cyber security threat landscape they face.
The scope is defined by the essential services that the department provides, whether as part of CNI or as an Operator of Essential Services (OES).
Once the essential services are identified, the critical systems that underpin them are identified next. These may be a mix of operational and support systems for the identified essential services.
There are two Government Cyber Assessment Framework (CAF) profiles: Baseline and Enhanced. A profile is assigned to each in-scope system through discussion with GSG, the NCSC and the Cabinet Office. The Enhanced profile is automatically applied to government CNI.
The CAF self-assessment is structured around the CAF’s four objectives: managing security risk, protecting against cyberattacks, detecting cyber security events, and minimising the impact of cyber security incidents.
Departments should complete the self-assessment with input from relevant key stakeholders within the organisation. The CAF has been mapped to several industry-standard frameworks, including ISO 27001 and NIST SP 800-53.
Next, accredited third parties will perform independent reviews to verify the department’s self-assessment. This review will assess the level of attainment of the relevant CAF profile, validate the results of self-assessed findings, and determine how effective current cyber security controls are.
This assessment evaluates CAF level attainment by reviewing the department’s WebCAF submissions, alongside a review of any supporting documents referenced in the submission.
The third-party reviewer will also hold interviews with key stakeholders to review responses on a per-objective basis. Reviews consider the extent to which the supporting indicators of good practice have been achieved, partially achieved, or not achieved.
Finally, once an independent review is completed, a final assessment report is generated and provided to the organisation by the independent assurance provider. GSG will then work with the organisation to develop a targeted improvement plan, outlining a prioritised list of areas for improvement.
This process might seem daunting or complex, but many companies can help. AMR CyberSecurity, for example, is a GovAssure Independent Assurance Reviewer and can deliver Stage 4 of GovAssure to relevant organisations. Its skilled, qualified assurance consultants can assist organisations in carrying out the Independent Assurance Review, as well as other cyber security assurance activities.