Christopher Dixon

How UK Councils Are Transforming with the Cyber Assessment Framework

Cyber Assessment Framework
March 18, 2025

In recent months, a select group of UK local authorities have been piloting the Cyber Assessment Framework (CAF) for Local Government, providing valuable insights into how this NCSC-developed tool can strengthen cyber resilience across the public sector. Local Digital at MHCLG conducted a selection of interviews with two participating councils, Norfolk County Council and Maldon District Council. These interviews show how organisations of vastly different sizes are experiencing similar transformative benefits from implementing the framework.

Council Experiences

Watch the interviews with Norfolk County Council and Maldon District Council to learn about their experiences implementing the CAF.

Broadening the Scope of Cyber Assurance

Both councils emphasised that the CAF goes significantly beyond existing security frameworks like PSN compliance checks or Cyber Essentials. Kurt Fraser, Head of IT at Norfolk County Council, highlighted that while previous frameworks focused primarily on technical elements like patching and device security, the CAF expands coverage to crucial areas that were previously overlooked:

"The advantage I think we found with CAF on our journey is that it covers much, much more than that. Two massive areas for us that no other security framework has covered have been things like risk governance and disaster recovery and business continuity."

This comprehensive approach has allowed councils to identify and address gaps in their security posture that might otherwise have remained invisible.

Enabling Organisational Ownership of Cyber Risk

Perhaps the most striking outcome reported by both councils was the cultural shift that the CAF implementation triggered. Maldon District Council's IT Manager described what can only be called a complete organisational transformation:

"The CAF has spurred on almost a complete transformation within Maldon District Council of how IT is seen. We've gone from a structure of IT being completely siloed... to departmental managers now taking on contract management. That is unheard of, at least in Maldon."

This shift in ownership has had tangible benefits for both IT teams and the wider organisation:

  • Department managers now take responsibility for their systems
  • Better visibility of updates, cyber security and new technology
  • Improved resource utilisation for IT teams
  • More controlled workflows and systematic review processes

System Mapping for Operational Clarity

A fundamental step in the CAF process is identifying and mapping systems across the organisation. For Maldon District Council—one of the smallest in Essex—this exercise revealed they were operating 188 distinct systems, many of which department managers weren't fully aware of before the CAF implementation.

Through workshops and mapping exercises, both councils gained unprecedented insight into system dependencies and critical functions. The Maldon IT Manager noted:

"What CAF has allowed is those managers to actually take on the responsibility of their system. We've never had that, literally never had that."

This improved understanding has directly enhanced disaster recovery planning and business continuity arrangements, with clear mappings of how failures in one system might impact others.

Securing Executive Engagement

Both councils stressed the importance of senior management engagement in their CAF journey. The tools and templates provided through the CAF process helped IT teams communicate the scope and importance of cyber security to leadership teams.

"The CAF has given us the ability to track, monitor and actually review our systems at almost an audit level with the buy-in of our Senior Management. That has been so critical to our cyber security because 99% of the time it's the Senior Management that are under attack."

Norfolk County Council saw similar benefits, with Andy Amri noting:

"It's raised the profile of cyber within the authority, not just for the directors, but of course they then cascade it down to their teams, and all of a sudden you get engagement from management level right across the board."

Developing a More Nuanced Risk Posture

An intriguing outcome reported by Maldon District Council was how the CAF process changed attitudes toward risk within the organisation. Previously, some managers were described as "completely risk averse," with system upgrades taking up to two years due to concerns about downtime and change.

After going through the CAF process and better understanding their systems, managers felt their overall risk had decreased. With improved visibility into system dependencies and security posture, leaders could make more informed decisions about changes and upgrades.

Achieving Scalable Outcomes Across Council Sizes

What's particularly noteworthy is how councils of vastly different sizes reported similar positive outcomes. Norfolk County Council is a large county authority with substantial resources, while Maldon describes itself as "probably one of the smallest" in Essex, possibly in the UK.

Despite this disparity in scale, both experienced comparable benefits from implementing the CAF. As Maldon's IT Manager put it:

"You can't go by the size of your council, you can't go by the type of council... you still could get ransomware, you still could have significant cyber attack, denial of service attack stopping your services."

Practicality vs. Other Frameworks

Both councils positioned the CAF as a practical middle ground between lighter-touch frameworks like Cyber Essentials and more intensive standards like ISO 27001.

"CAF takes that information and almost puts it on steroids," said Maldon's IT Manager when comparing it to Cyber Essentials and PSN checks. While acknowledging that implementing the CAF involves significant work, he contrasted it favourably with ISO certification:

"ISO 27001 or 27002... they take three years to achieve. CAF has work behind it but does not take three years to achieve, and it gives you that reassurance."

[Figure: Security Framework Comparison. The CAF provides a middle ground between light-touch frameworks and comprehensive standards.]

Recommendations for Other Councils

Based on their experiences, both councils strongly recommended the CAF to other local authorities. Their advice included:

  • Engage early: Understand the commitment required and the scope of work
  • Spread the net wide: Identify all stakeholders who need to be involved
  • Review roles and responsibilities: Understanding the CAF roles structure is crucial
  • Use the templates: The resources provided on the CAF website were highlighted as extremely valuable
  • Focus on communication: Use the CAF to facilitate proactive discussions with senior leadership

Preparing for Wider Adoption

As the Department for Levelling Up, Housing and Communities (DLUHC) prepares to roll out the framework with councils across England, these early experiences provide valuable insight into the potential benefits and challenges.

For both Norfolk and Maldon, the investment in implementing the CAF has delivered returns that extend far beyond compliance, creating more resilient organisations with a clearer understanding of their systems, risks, and responsibilities.

"We are in a much better cyber stance, we feel our risk has gone down because of the CAF process," concluded Maldon's IT Manager. For councils looking to strengthen their cyber security posture, the message from these early adopters is clear: the effort invested in the CAF process delivers substantial, organisation-wide benefits.

How CNIC Can Help

At CNIC, we understand the complexities of implementing the Cyber Assessment Framework for local authorities. Our specialised platform streamlines CAF assessments, evidence collection, and reporting, helping councils of all sizes achieve cyber resilience efficiently.

Contact us today to learn how we can support your council's CAF implementation journey.
