GovAssure supports HM Government’s National Cyber Strategy 2022 and its objectives and aims. It takes guidance from the Network & Information Systems (NIS) and NCSC’s Central Assurance Framework (CAF) and will support the GSG’s initiative to increase the UK’s cyber resilience and protect essential services, with the first key milestone in 2025. Once all critical functions have been sufficiently hardened against common vulnerabilities and attacks, the scope will widen to include all identified public sector organisations, with the aim of achieving the same by 2030.
Improve overall cyber resilience
The scheme targets Operators of Essential Services, organisations working with Critical National Infrastructure, and public sector and governmental departments.
Whilst these areas already engage with and implement cyber security measures, GovAssure aims to standardise those measures, introducing a consistent baseline level of security and improving overall cyber resilience, with two key pillars in mind:
• Build a strong foundation of organisational cyber security resilience
• Defend as 'one'
These are supported by four objectives that are crucial to cyber resilience, giving clear guidance on areas of focus to the applicable organisations, namely:
• Managing cyber risk
• Protecting against cyber attack
• Detecting cyber security events
• Minimising the impact of cyber security incidents
Within these objectives, there are 14 principles that contain 39 contributing outcomes (COs).
Each department, or organisation, must be reviewed by an independent third party who is on the Cyber Security Supplier 3 (CSS3) Dynamic Purchasing System framework, and approved to provide GovAssure compliant services.
The perfect partner
Commissum Associates (Resillion) is a longstanding provider of technical assurance and cyber security services to public sector clients and is accredited to provide GovAssure standard services.
• Trusted partner: As a Cabinet Office approved supplier of GovAssure independent assessments, we ensure your GovAssure compliance is achieved first time
• In safe hands: Our vast experience working within UK Public Sector means we understand your challenges, seeing that your GovAssure assessment is fit for purpose and supportive of your organisation’s objectives
• Expert resources: Your dedicated consultant will have comprehensive GovAssure training from GSG and will provide advice and guidance you can depend on
• Efficient service: A dedicated Project Management team to create clear communication pathways so all parties have access to the right people, at the right time, to deliver your projects within budget and without delay
• On the same page: Our collaborative approach will reduce the time required for workshops and discrepancies, meaning reduced costs and time, and you can keep doing what you do best
Key objectives of the Review
The key objectives of the Independent Assurance Review, as noted on the gov.uk website, are:
- Assess the level of attainment of the target Government CAF profile that has been assigned to the system
- Validate the opinion of ‘achieved’ or ‘partially achieved’ along with the associated commentary against each CAF contributing outcome, based on the evidence provided by your organisation and the associated indicators of good practice
- Assess, at a high level, how your organisation is identifying and managing its cyber risks
- Understand the key cyber security risks related to your organisation and your in-scope critical systems
- Determine the effectiveness of current cyber security controls
- Provide a draft report covering observations and recommendations against the target government CAF profile and, following an agreement process, a final report, detailing challenges and important observations for the organisation
The GovAssure Approach
The GovAssure approach consists of five stages:
- Describe departmental context, essential services, and mission
- Identify systems within scope and alignment to the CAF Profile
- Self-assessment against the CAF
- Independent Assurance Review
- Final Assessment/Target Improvement Plan
Organisations must first perform a situational analysis, identifying any essential services, and their profile level, that are in scope for the GovAssure assessment. Once services have been identified, a CAF self-assessment must be completed for each system, aligning with the proposed criteria and defining whether objectives have either been achieved, partially achieved, or not achieved. Feel free to get in touch with Commissum if you need support with your self-assessment.
After organisations have submitted the self-assessment and have been cleared by the GSG to proceed, they move to the next stage – the Independent Assurance Review. This is where the self-assessment is verified by an objective third party, such as Commissum.
Stages of the Independent Assurance Review
This section defines how the GovAssure Independent Assurance Review will be conducted and who will be involved.
- High Level Web CAF review: a high level review of the GovAssure self-assessment via the Web CAF portal.
- Workshop Topics Identification: an in-depth assessment of areas of partial or non-compliance, which will be subject to discussion in subsequent GovAssure workshops.
- Workshops to discuss and agree on the initial findings of the GovAssure Independent Assurance Review.
- A period of arbitration (conducted by GSG) may be required if findings cannot be fully agreed.
- The complete GovAssure Independent Assurance Review report is submitted to GSG.