PSR Public Sector Cyber Guidance: What Local Authorities Must Evidence
In 2022, the Local Government Association found that 68% of UK councils had experienced a cyber incident. The government's public sector cyber guidance — reinforced by the NCSC Cyber Assessment Framework — sets out what local authorities are expected to have in place. Councils that cannot demonstrate proportionate controls face both regulatory exposure and significant reputational risk when incidents occur.
What the Public Sector Cyber Guidance Requires
The UK government's cross-government cyber security strategy and the associated NCSC guidance establish expectations for all public sector bodies, including local authorities. Key requirements include:
- A documented information security policy approved by senior leadership
- Board-level accountability for cyber risk, with regular reporting
- Implementation of the NCSC Cyber Assessment Framework (CAF) baseline
- Incident response and recovery plans, tested at least annually
- Supply chain security assessments for critical technology suppliers
- Staff cyber awareness training at induction and annually thereafter
NCSC Cyber Assessment Framework for Local Government
The NCSC CAF provides a structured framework for councils to assess their cyber resilience across four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising impact. The NCSC has found that 40% of councils failed to meet the CAF baseline in recent assessments — a finding that regulators and auditors are increasingly aware of.
Local Government Cyber Obligations Under PSCSF
The Public Sector Cyber Security Framework (PSCSF) aligns with the CAF and sets out minimum standards for councils receiving government funding. Local authorities must demonstrate active governance, asset management, vulnerability management, and incident reporting capabilities. Failure to evidence these controls can affect funding eligibility and trigger Local Government Ombudsman scrutiny following a breach.
Practical Steps to Demonstrate Compliance
Based on NCSC CAF expectations, local authorities should maintain evidence of:
- A current cyber risk register reviewed by the Senior Information Risk Owner (SIRO)
- MFA deployed on all remote access, email, and administrative systems
- Patching programme with critical vulnerabilities remediated within 14 days
- Immutable backups with tested recovery procedures
- Annual cyber incident tabletop exercise with elected members involved
- Supplier due diligence records for all critical technology vendors
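Two of the controls above (MFA on remote access, email and administrative systems; critical vulnerabilities remediated within 14 days) lend themselves to being evidenced from existing records rather than asserted. The script below is an added illustration, not code from the page or from any vendor named on it: it runs a 14-day SLA check over a constructed vulnerability register and an MFA coverage check over a constructed system inventory, producing the kind of summary an auditor could reconcile against the risk register. The field names, categories and sample dates are assumptions chosen for the example.

```python
from datetime import date, timedelta

# Page's stated expectation: critical vulnerabilities remediated within 14 days.
CRITICAL_SLA_DAYS = 14

# System categories the page says must have MFA (assumed category labels).
MFA_REQUIRED = {"remote_access", "email", "administrative"}

# Constructed sample vulnerability register; not real council data.
# 'fixed' is None while a finding is still open.
VULN_REGISTER = [
    {"id": "V-001", "asset": "mail-gw-01", "severity": "critical",
     "found": date(2024, 3, 1), "fixed": date(2024, 3, 10)},
    {"id": "V-002", "asset": "web-portal", "severity": "critical",
     "found": date(2024, 3, 1), "fixed": date(2024, 3, 20)},
    {"id": "V-003", "asset": "hr-app", "severity": "critical",
     "found": date(2024, 3, 5), "fixed": None},
    {"id": "V-004", "asset": "file-srv", "severity": "high",
     "found": date(2024, 2, 1), "fixed": None},
]

# Constructed sample system inventory with assumed category labels.
SYSTEM_INVENTORY = [
    {"name": "vpn", "category": "remote_access", "mfa": True},
    {"name": "o365", "category": "email", "mfa": True},
    {"name": "domain-admin", "category": "administrative", "mfa": False},
    {"name": "intranet", "category": "internal", "mfa": False},
]


def sla_breaches(register, as_of, sla_days=CRITICAL_SLA_DAYS):
    """Return ids of critical findings that breached the remediation SLA.

    A finding breaches if it was closed after its deadline, or if it is
    still open and the deadline has passed as of the reporting date.
    """
    breaches = []
    for v in register:
        if v["severity"] != "critical":
            continue
        deadline = v["found"] + timedelta(days=sla_days)
        if v["fixed"] is None:
            if as_of > deadline:
                breaches.append(v["id"])
        elif v["fixed"] > deadline:
            breaches.append(v["id"])
    return breaches


def mfa_gaps(inventory, required=MFA_REQUIRED):
    """Return names of in-scope systems that do not yet enforce MFA."""
    return [s["name"] for s in inventory
            if s["category"] in required and not s["mfa"]]


def evidence_summary(register, inventory, as_of):
    """Build a small, reproducible summary suitable for a risk register entry."""
    critical = [v for v in register if v["severity"] == "critical"]
    breaches = sla_breaches(register, as_of)
    in_scope = [s for s in inventory if s["category"] in MFA_REQUIRED]
    gaps = mfa_gaps(inventory)
    return {
        "as_of": as_of.isoformat(),
        "critical_total": len(critical),
        "sla_breaches": len(breaches),
        "sla_breach_ids": breaches,
        "mfa_in_scope": len(in_scope),
        "mfa_gaps": gaps,
    }


if __name__ == "__main__":
    # Reporting date chosen so that one late fix and one overdue open
    # finding appear in the summary.
    for key, value in evidence_summary(VULN_REGISTER, SYSTEM_INVENTORY,
                                       date(2024, 3, 25)).items():
        print(f"{key}: {value}")
```

The reporting date matters: an open critical finding only counts as a breach once its deadline has passed, so the same register evaluated on an earlier date yields a shorter breach list. Keeping the date in the output makes the evidence reproducible at a later audit.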
How Kyanite Blue Helps Councils Meet PSR Expectations
Coro provides endpoint protection and email security that generates the audit trail NCSC assessors and internal auditors expect. Hadrian identifies exposed council systems before attackers do. Panorays automates third-party risk assessments for technology suppliers. For councils that need to demonstrate proportionate, documented controls without building a large in-house security team, Kyanite Blue, backed by Collective IP's managed service, delivers the defensible compliance posture required.
Frequently Asked Questions
Is the NCSC CAF mandatory for local authorities?
The CAF is not currently mandatory by statute for all local authorities, but it is the framework against which NCSC and government assess public sector cyber resilience. Councils that are Operators of Essential Services under NIS Regulations face binding obligations. For all others, CAF alignment is strongly expected and increasingly referenced in Local Government Association guidance and audit frameworks.
What happens if a council fails an NCSC CAF assessment?
Councils that fail CAF baseline assessments receive improvement recommendations from the NCSC. These findings can be shared with DLUHC and may trigger enhanced scrutiny. Following a cyber incident, failure to have met CAF baseline expectations will be a significant factor in any ICO investigation, Ombudsman review, or public inquiry.
Does Cyber Essentials satisfy the PSR public sector guidance?
Cyber Essentials satisfies the technical baseline controls expected under public sector guidance — MFA, patching, firewall configuration, access controls, malware protection. However, the NCSC CAF goes further, requiring governance, supply chain management, incident response, and detection capabilities that Cyber Essentials does not cover. Councils should treat Cyber Essentials as a foundation, not a ceiling.