What is CAF?

The National Cyber Security Centre’s Cyber Assessment Framework (CAF) is a comprehensive framework which helps Critical National Infrastructure (CNI) organisations and Operators of Essential Services (OES) demonstrate expected cyber security and resilience outcomes. These organisations all have a duty to meet legal and regulatory requirements, operating across industries including healthcare, transport, energy, and government sectors.

The CAF assesses whether these organisations meet the NCSC’s expectations for the performance of vital functions, judged against the threats relevant to the sector in which each organisation operates. Using 4 high-level objectives and 14 principles, supported by Indicators of Good Practice (IGPs) to benchmark performance, organisations can identify and assess areas for improvement, strengthening their ability to manage risks and identify cyber threats. These IGPs should not be used as a checklist, but rather as a measurable assessment outcome describing the level of protection appropriate for defending your organisation from cyber threats.

Version 4.0

The new CAF Version 4, introduced on 6 August 2025, outlines a number of changes intended to strengthen defences against increasing cyber threats. The update encourages a proactive approach to addressing cyber threats and risks to critical services, making their identification quicker and more efficient.

We have highlighted what we have considered to be the key changes below.

Principles A2.a: Risk Management and A2.b: Understanding Threat

These principles require organisations to demonstrate a deeper understanding of the capabilities, methods and motivations of attackers, so that they can make more informed and comprehensive decisions. This includes identifying which network and information systems, if compromised, would have adverse effects on the essential functions of that particular organisation, and acknowledging and understanding technological developments which could pose a threat to those functions if exploited by threat actors. It also requires documenting possible attack scenarios, with preventative measures at each step to reduce the likelihood of attack. Additionally, organisations are required to maintain an up-to-date understanding of the risks relevant to their sector and organisation, and to ensure decisions are made with this in mind.

Principle A4.b: Secure Software Development and Support

CAF v4.0 has implemented stricter guidelines for the use and procurement of software systems – whether developed internally or sourced externally – which may contain exploitable vulnerabilities. The new expected outcome encourages organisations to have a greater understanding of their supply chain, to fully understand and assess the security of their network and information systems, and to be more proactive in choosing suppliers.

The update requires organisations to ensure suppliers demonstrate an understanding of the security of the software they provide, including its third-party components, and to monitor that software regularly for newly disclosed vulnerabilities. This includes having detailed conversations with suppliers to confirm that the software is built using established secure software development frameworks such as the NIST SSDF and the Microsoft SDL. Software must be developed with consideration of potential vulnerabilities and attack techniques. This outcome can only be achieved if the organisation can attest to the authenticity and integrity of the software it uses.

Principle B4.a: Secure by Design

More detail surrounding the use of AI and automated decision-making technologies is included in the v4.0 update. Like Principle A2.a, this update requires organisations that use these technologies to design and implement better restrictions on them, to prevent actions which could have a detrimental impact on essential functions.

Principles C1: Security Monitoring and C2: Threat Hunting

Updates to the section on Security Monitoring, together with a new contributing outcome, Threat Hunting, have been made to improve the way organisations use threat intelligence to manage emerging risks. Whilst previous versions of the CAF only expected organisations to monitor systems for abnormalities suggestive of malicious activity, v4.0 now expects organisations to demonstrate a deeper understanding of threat hunting methodologies, using risk- and intelligence-led searches. Organisations must show how they would apply threat hunting skills, ensuring that there is an active effort to detect and respond to threats which could impact essential functions.

Why is CAF Important?

Whilst the CAF was primarily designed for CNI organisations and those required to comply with the Network and Information Systems Regulations (NIS), its outcomes provide a comprehensive framework for good cyber security practice which all organisations could benefit from adopting. Cyber threats and threat actors continue to evolve alongside technological advancements, making frameworks like the CAF crucial for tracking progress and setting clear goals for improvement. By providing a structured approach which covers multiple dimensions of cyber security, the CAF helps organisations safeguard their digital and physical assets and ensure compliance with regulations.

In today’s cyber landscape, frameworks like the CAF are essential for organisations to build resilience, keep updated with changing standards and regulations, and ensure everything is done to protect themselves from growing threats.

If you want to assess your business against the CAF, visit our Cyber Resilience Audit page to find out how we can help.

Further information about the CAF v4.0 update can be found on the NCSC website.