How the DSPT is changing

In September 2024 the DSPT changed to adopt the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its basis for cyber security and IG assurance. 

This change will lead to NHS Trusts, CSUs, ALBs and ICBs seeing a different interface when they log in, which sets out CAF-aligned requirements in terms of Objectives, Principles and Outcomes. Other organisations will retain the current interface and will continue to respond to a list of prescriptive controls, which will be mapped nationally ‘in the background’ against a CAF profile.

Expectations for cyber security and IG controls should remain at a reasonably comparable level to the current DSPT, tightening only in areas where NHSE and DHSC believe the higher standard to be a necessary obligation.

Guidance has been be produced, and webinars have been held to help organisations understand the content, approach and expectations of the CAF-aligned DSPT.

Why the DSPT is changing

In 2023 the health and care cyber security strategy committed to adopt the CAF as the principal cyber standard.   We believe this will:

- Emphasise good decision-making over compliance, with better understanding and ownership of information risks at the local organisation level, where those risks can most effectively be managed.

- Support a culture of evaluation and improvement, as organisations will need to understand the effectiveness of their practices at meeting the desired outcomes – and expend effort on what works, not what ticks a compliance box.

- Create opportunities for better practice, by prompting and enabling organisations to remain current with new security measures to meet new threats and risks.

NHS Trusts, CSUs, ALBs and ICBs will see a different interface when they log in. The DSPT will be split into a number of contributing outcomes, each of which are supported by indicators of good practice grouped into levels of achievement – ‘Not Achieved’, ‘Partially Achieved’ or ‘Achieved’.

We have developed a health and care CAF overlay that amends some CAF terminology and extends the 39 contributing outcomes of the CAF with a further 8 contributing outcomes in a custom section on ‘using and sharing information appropriately’, to ensure that data protection, confidentiality, and other information governance disciplines such as clinical coding are covered.  The ‘health and care CAF’ presented in the DSPT will therefore consist of 47 contributing outcomes.

Organisations will self-assess their level of compliance against each outcome using the indicators of good practice as a guide.  The process of submitting assessments to NHS England will not change.  National assurance will continue to be based on organisations commissioning independent audits of their self-assessments, complemented by national sampling audits.

The indicators of good practice are not prescriptive, and in most cases, organisations will have flexibility to determine how to meet each outcome.  For a small number of outcomes, where we deem the national risk to be too great to permit that flexibility, we will constrain organisations by issuing directive national policy that requires them to take (or not to take) certain approaches as part of that outcome – the multi-factor authentication policy is the first to be published.  These directive policies will be integrated into the DSPT at its launch each year.

The CAF is not designed with an expectation that organisations should (ever) reach ‘Achieved’ on all outcomes.  Instead, within the DSPT we will set a minimum achievement level for each outcome, which collectively over all outcomes is known as a CAF profile.  For many outcomes a level of ‘Partially Achieved’ is proportionate, and in some cases ‘Not Achieved’ may be appropriate (for example – some CAF outcomes represent capabilities only normally held by organisations with very high cyber security maturity and resources).

CAF profiles will vary for different types of organisations, similar to how current DSPT requirements are varied for different types of organisations.   We will establish proportionate minimum achievement levels based on the capabilities of a particular organisation type, on the threat they face, and through consultation.  Each organisation would need to achieve the relevant CAF profile in order to be graded ‘Standards Met’ on the DSPT.

CAF profiles can also be made progressively more stringent over time.  One of the benefits of adopting the CAF is that the framework will remain effectively constant for many years, with only the minimum achievement level varying from year to year – so we will be able to forecast future expectations much further in advance, enabling organisations to plan better.

The 24-25 CAF profile for most in-scope organisations has been drafted by mapping current DSPT requirements against the CAF to produce a ‘legacy profile’, and then raising some outcome levels above the legacy profile – partly to ensure that the expectation is at least as stringent as the current DSPT.  We are currently engaging frontline organisations to seek their views on the proposed profile.

It is expected that the DSPT will continue providing a more prescriptive controls-based approach for smaller organisations, although (and not before 2025) these controls will be derived from a CAF profile designed for the particular organisation type.

This will give us a standard framework across health and care, consistent with other sectors, and the ability to scale and adapt expectations over time based on changing threat and capabilities.

A joint statement between NHS England and the National Data Guardian about the evolution of the DSPT has been published  https://transform.england.nhs.uk/information-governance/caf-aligned-dspt-evolution-of-our-assurance-model/.

What help and support is available?

Guidance
New guidance has been developed to support organisations to complete the new CAF-aligned requirements and is available here:
https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/2024-25-caf-aligned-dspt-guidance

A link to guidance on scoping your DSPT is available: https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/2024-25-caf-aligned-dspt-guidance/overview/scoping-essential-functions

We have attached a version of the outcomes, FAQs and indicators of good practice and a DSPT Mapping document for NHS Trusts, CSUs, ALBs and ICBs who do not hold Critical National Infrastructure those organisations know who they are. 

Webinars
A series of webinars have been held throughout the summer on the new CAF-aligned toolkit and webinar recordings and slides can be accessed here: https://www.dsptoolkit.nhs.uk/News/Webinar-Slides 
Further webinars are planned from September. For further details please see: News (dsptoolkit.nhs.uk). 

Additional Information

DSPT Audit
Organisations are required to have an independent audit assessment and a  
CAF-aligned DSPT audit framework is under development, with the summary guidance now available. 
Watch out for further information on the DSPT News page 

Interim(Baseline) publication
An interim/baseline publication will be required by 31 December 2024. More information will be available on the DSPT News page

Deadline
The deadline for publishing your 24-25 DSPT is 30 June 2025.

Improvement plans 
If your organisation’s status for your 2023-24 (v6) DSPT publication is ‘Approaching Standards’ or ‘Standards Not Met’ you should submit an updated improvement plan to cybersecurity@nhs.net  by Monday 30 September 2024. 
For further information about the improvement plan process, visit the DSPT news page: https://www.dsptoolkit.nhs.uk/News/improvement-plans  

If you have questions or require help with your assessment, please email exeter.helpdesk@nhs.net

Thanks

DSPT Team