How the DSPT is changing

In September 2024 the DSPT will be changing to adopt the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its basis for cyber security and IG assurance.

This change will lead to NHS Trusts, CSUs, ALBs and ICBs seeing a different interface when they log in, which sets out CAF-aligned requirements in terms of Objectives, Principles and Outcomes. Other organisations will retain the current interface and will continue to respond to a list of prescriptive controls, which will be mapped nationally ‘in the background’ against a CAF profile.

Expectations for cyber security and IG controls should remain at a reasonably comparable level to the current DSPT, tightening only in areas where NHSE and DHSC believe the higher standard to be a necessary obligation.

Guidance will be produced, and webinars will be arranged to help organisations understand the content, approach and expectations of the CAF-aligned DSPT.

 

Why the DSPT is changing

In 2023 the health and care cyber security strategy committed to adopt the CAF as the principal cyber standard.   We believe this will:

- Emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level, where those risks can most effectively be managed.

- Support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes – and expend effort on what works, not what ticks a compliance box.

- Create opportunities for better practice, by prompting and enabling organisations to remain current with new security measures to meet new threats and risks.

NHS Trusts, CSUs, ALBs and ICBs will see a different interface when they log in. The DSPT will be split into a number of contributing outcomes, each of which are supported by indicators of good practice grouped into levels of achievement – ‘Not Achieved’, ‘Partially Achieved’ or ‘Achieved’.

We have developed a health and care CAF overlay that amends some CAF terminology and extends the 39 contributing outcomes of the CAF with a further 8 contributing outcomes in a custom section on ‘using and sharing information appropriately’, to ensure that data protection, confidentiality, and other information governance disciplines such as clinical coding are covered.  The ‘health and care CAF’ presented in the DSPT will therefore consist of 47 contributing outcomes.

Organisations will self-assess their level of compliance against each outcome using the indicators of good practice as a guide.  The process of submitting assessments to NHS England will not change.  National assurance will continue to be based on organisations commissioning independent audits of their self-assessments, complemented by national sampling audits.

The indicators of good practice are not prescriptive, and in most cases, organisations will have flexibility to determine how to meet each outcome.  For a small number of outcomes, where we deem the national risk to be too great to permit that flexibility, we will constrain organisations by issuing directive national policy that requires them to take (or not to take) certain approaches as part of that outcome – the multi-factor authentication policy is the first to be published.  These directive policies will be integrated into the DSPT at its launch each year.

The CAF is not designed with an expectation that organisations should (ever) reach ‘Achieved’ on all outcomes.  Instead, within the DSPT we will set a minimum achievement level for each outcome, which collectively over all outcomes is known as a CAF profile.  For many outcomes a level of ‘Partially Achieved’ is proportionate, and in some cases ‘Not Achieved’ may be appropriate (for example – some CAF outcomes represent capabilities only normally held by organisations with very high cyber security maturity and resources).

CAF profiles will vary for different types of organisations, similar to how current DSPT requirements are varied for different types of organisations.   We will establish proportionate minimum achievement levels based on the capabilities of a particular organisation type, on the threat they face, and through consultation.  Each organisation would need to achieve the relevant CAF profile in order to be graded ‘Standards Met’ on the DSPT.

CAF profiles can also be made progressively more stringent over time.  One of the benefits of adopting the CAF is that the framework will remain effectively constant for many years, with only the minimum achievement level varying from year to year – so we will be able to forecast future expectations much further in advance, enabling organisations to plan better.

The 24-25 CAF profile for most in-scope organisations has been drafted by mapping current DSPT requirements against the CAF to produce a ‘legacy profile’, and then raising some outcome levels above the legacy profile – partly to ensure that the expectation is at least as stringent as the current DSPT.  We are currently engaging frontline organisations to seek their views on the proposed profile.

It is expected that the DSPT will continue providing a more prescriptive controls-based approach for smaller organisations, although (and not before 2025) these controls will be derived from a CAF profile designed for the particular organisation type.

This will give us a standard framework across health and care, consistent with other sectors, and the ability to scale and adapt expectations over time based on changing threat and capabilities.

 

How can I get involved?

If you are a member of the Cyber Associates Network (CAN) you can attend the DSPT Update as part of the Virtual CAN Conference. For further details about joining the CAN.

Attend a DSPT Webinar

Be a part of the User research for the DSPT. Email cybersecurity@nhs.net 

Keep up to date with updates on the DSPT News page and CAN (members only).

Thanks

DSPT Team