The UK cyber assessment framework helps organizations measure their resilience against defined outcomes, ensuring that risks are not only identified but effectively managed. CAF v4.0 builds on this approach with clearer guidance, higher expectations, and stronger emphasis on areas such as software assurance, supply chain oversight, and continuous monitoring.
Why CAF v4.0 Matters Now
The UK’s critical national infrastructure (CNI) is under constant pressure from ransomware groups, hostile nation-states, and cybercriminals seeking disruption or financial gain. To strengthen resilience across essential services, the National Cyber Security Centre (NCSC) has released version 4.0 of the UK Cyber Assessment Framework (CAF). (Cyber Assessment Framework v4.0 Released in Response to Growing Threat, n.d.)
Far from being a checklist exercise, the framework acts as a roadmap to improve accountability, protect critical services, and give boards and regulators confidence in cyber risk management. This article explores what has changed in CAF v4.0, who will be most affected, and the steps organizations can take to align quickly and effectively.
CAF in a Nutshell — What is the UK Cyber Assessment Framework?
The UK Cyber Assessment Framework (CAF) is the NCSC’s structured method for assessing and improving cyber resilience across critical services. Introduced in 2018, it is designed to help organizations demonstrate how well they can withstand and recover from cyber threats, particularly those affecting essential infrastructure.
At its core, the CAF is outcomes-based. Instead of prescribing specific technical controls, it focuses on whether an organization can achieve the security outcomes required to deliver essential functions safely and reliably. This flexibility makes it applicable across multiple sectors, from energy and transport to healthcare and finance.
CAF’s Core Outcomes & Structure
The framework is built on four high-level objectives, broken down into 14 principles, each supported by detailed Indicators of Good Practice (IGPs).
Objective A: Managing Security Risk
Covers governance, risk management, asset management, and supply chain assurance.
Objective B: Protecting Against Cyber Attack
Focuses on secure system design, vulnerability management, and data protection.
Objective C: Detecting Cyber Security Events
Addresses monitoring, detection, and incident response readiness.
Objective D: Minimizing the Impact of Cyber Security Incidents
Ensures resilience through recovery planning, continuity, and lessons learned.
These objectives give organizations a comprehensive view of cyber maturity, from governance at the board level to technical detection capabilities within SOC teams.
What’s New in CAF v4.0
Since its introduction, the UK cyber assessment framework has been regularly refined, but CAF v4.0 marks its most substantial update. Released in August 2025, this version responds directly to the rising complexity of cyber threats and the evolving expectations of regulators.
The update introduces clearer guidance, refined thresholds, and stronger requirements in key areas such as software security, supply chain oversight, and proactive threat detection. Organizations will find a sharper focus on evidence, moving away from broad statements of compliance and toward verifiable proof of resilience.
Key Enhancements in CAF v4.0
- Structured Threat Understanding – Organizations must show how they analyze and model attacker methods, rather than relying on general intelligence.
- Software Development & Assurance – Secure design, code review, and use of software bills of materials (SBOMs) are emphasized.
- Monitoring & Threat Hunting – Proactive detection and hunt capabilities are now expected alongside traditional logging and alerts.
- Supply Chain Assurance – Vendors must provide evidence of meeting outcomes, not just self-attestations.
- Emerging Technology Risks – CAF now integrates considerations for AI and other disruptive technologies.
Comparison: CAF v3.x vs CAF v4.0
Area | CAF v3.x Baseline | CAF v4.0 Enhancement | Impact on Organizations |
--- | --- | --- | --- |
Threat Understanding | General use of threat intelligence | Structured threat modeling and analysis | Better prioritization of risks |
Software Assurance | Recommended secure practices | Secure SDLC, SBOM adoption, patch management | Reduced exposure to known vulnerabilities |
Detection & Response | Monitoring and incident response plans | Proactive detection engineering and threat hunting | Faster identification and recovery |
Supply Chain Assurance | Vendor due diligence | Continuous monitoring, evidence-based assurance | Stronger third-party risk management |
Governance & Risk | Periodic risk reviews | Outcomes-driven, evidence-backed governance reporting | More informed board-level oversight |
CAF v4.0 does not abandon the outcomes-based approach. Instead, it reinforces the expectation that organizations can prove they are achieving these outcomes consistently and effectively.
Who Is Impacted — Sectors & Stakeholders
The release of CAF v4.0 affects a broad spectrum of organizations across the UK. While its primary audience is operators of essential services (OES) designated under the NIS Regulations, its reach extends beyond core critical infrastructure.
Sectors directly impacted include:
- Energy and Utilities – electricity, oil, gas, and water services
- Transport – aviation, maritime, and rail operators
- Healthcare – hospitals, NHS trusts, and digital health platforms
- Telecommunications – network operators and service providers
- Public Sector – central government, local authorities, and defense-related services
These entities are expected to demonstrate resilience not only internally but also throughout their supply chains.
Stakeholders Who Must Take Action
CAF v4.0 places responsibility across multiple roles:
- CISOs and Risk Leaders – accountable for aligning programs with CAF outcomes.
- OT Security Managers – ensuring resilience in operational technology environments.
- Procurement and Vendor Risk Teams – collecting and validating supplier evidence.
- Board Members – responsible for understanding and overseeing cyber resilience.
- Security Operations Teams (SOCs) – adapting monitoring and threat hunting to meet new standards.
Why Supply Chain Programs Must Evolve
Under CAF v4.0, third-party assurance moves from self-attestation to evidence-backed oversight. Vendors and service providers must now demonstrate that they meet CAF outcomes, which typically requires the procuring organization to undertake:
- Tiering suppliers by criticality
- Defining baseline security outcomes per tier
- Requesting verifiable proof (e.g., SBOMs, test results, scan reports)
- Continuously monitoring suppliers for emerging risks
For many organizations, this represents a significant shift in vendor management: moving from reactive checks to proactive, ongoing assurance.
Governance & Risk — Elevating Assurance with CAF v4.0
Governance and risk management sit at the heart of the UK cyber assessment framework. With v4.0, the NCSC places greater emphasis on evidence-backed decision making, requiring boards and executives to demonstrate not only awareness but accountability.
Organizations are now expected to integrate threat intelligence, business impact, and likelihood modeling into their risk assessments. This shift ensures that cyber risk is treated as a business risk, with decisions grounded in measurable outcomes rather than generic heatmaps.
Raising the Bar for Board Accountability
CAF v4.0 calls for leadership to have direct visibility of:
- Evidence libraries showing policies, test results, and remediation proof
- Key risk indicators (KRIs), such as mean time to detect/respond (MTTD/MTTR)
- Supply chain dependencies and vendor risk status
- Progress against CAF objectives using structured maturity levels
By embedding these practices, boards can demonstrate compliance with regulators and gain confidence that cyber risks are actively managed.
Secure Software & Product Assurance
One of the most notable updates in CAF v4.0 is the expanded emphasis on secure software development and product assurance. The framework now requires organizations to demonstrate that software used to deliver critical services is built, maintained, and procured with security embedded at every stage.
This shift reflects the growing exploitation of software supply chains, where vulnerabilities in dependencies or build pipelines can create systemic risks across entire sectors.
Expectations for the Software Development Lifecycle (SDLC)
CAF v4.0 aligns with modern software assurance practices by requiring:
- Secure design reviews before development begins
- Code analysis and peer reviews for critical applications
- SBOM (Software Bill of Materials) to track dependencies and vulnerabilities
- Patch management processes with clear timelines for remediation
- Artifact signing and provenance tracking in CI/CD pipelines
Procurement & Third-Party Software
Organizations are now expected to extend these requirements to vendors and third-party providers. This means:
- Including software security clauses in procurement contracts
- Requesting SBOMs from suppliers for critical applications
- Defining vulnerability remediation service-level agreements (SLAs)
- Evaluating build integrity as part of due diligence
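As an added illustration (not code from the article or from the NCSC), the following Python script shows how an SBOM and an advisory feed can be turned into the remediation-SLA evidence that the SDLC and procurement lists above call for. The SBOM fragment, the advisory entries and the SLA windows are all constructed placeholders.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment for illustration; not a real product's SBOM.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "openssl", "version": "3.0.1"},
  {"type": "library", "name": "log4j-core", "version": "2.17.2"},
  {"type": "library", "name": "requests", "version": "2.31.0"}]}"""

# Constructed advisory feed; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "openssl", "fixed_in": "3.0.8",
     "severity": "critical", "published": "2025-01-10"},
    {"id": "ADV-PLACEHOLDER-2", "name": "requests", "fixed_in": "2.32.0",
     "severity": "medium", "published": "2025-02-01"},
]

# Assumed contractual remediation SLA in days per severity (not figures from CAF itself).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def version_tuple(version):
    """Compare dotted numeric versions as tuples, so 3.0.1 sorts before 3.0.8."""
    return tuple(int(part) for part in version.split("."))


def sla_findings(sbom_json, advisories, today_iso):
    """Match SBOM components to advisories and report each one's remediation SLA status."""
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        for adv in advisories:
            # A component is affected only if it is older than the fixed release.
            if adv["name"] != comp["name"]:
                continue
            if version_tuple(comp["version"]) >= version_tuple(adv["fixed_in"]):
                continue
            days_open = (today - date.fromisoformat(adv["published"])).days
            sla = SLA_DAYS[adv["severity"]]
            findings.append({"component": f"{comp['name']}@{comp['version']}",
                             "advisory": adv["id"], "severity": adv["severity"],
                             "days_open": days_open, "sla_days": sla,
                             "sla_breached": days_open > sla})
    return findings


def breached_advisories(findings):
    """Advisory ids whose contractual remediation window has already expired."""
    return [f["advisory"] for f in findings if f["sla_breached"]]
```

The same check run against a supplier-provided SBOM gives procurement a concrete, dated artifact for the vulnerability remediation SLA clauses rather than a self-attestation.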
Monitoring, Detection & Response
CAF v4.0 significantly raises expectations around security monitoring and incident response. Traditional logging and alerting are no longer sufficient; organizations must now show they can actively detect, investigate, and respond to advanced threats in real time.
This update reflects the growing need for proactive defense, where resilience depends not just on identifying incidents but on anticipating and hunting for them.
Supply Chain & Third-Party Risk Management Under CAF v4.0
One of the most impactful changes in CAF v4.0 is the stronger focus on supply chain resilience. Cyber incidents increasingly exploit weaknesses in third-party providers, and the framework now requires organizations to evidence that vendors and contractors can meet the same resilience standards as internal teams.
This means moving beyond static questionnaires and self-attestations. CAF v4.0 expects continuous assurance supported by evidence, tiered vendor management, and proactive monitoring.
What Organizations Must Do
- Tier Vendors by Criticality – Prioritize oversight for suppliers whose failure could disrupt essential services.
- Set Baseline Security Outcomes – Define minimum expectations for each tier, aligned to CAF outcomes.
- Collect Verifiable Evidence – Request SBOMs, penetration test results, vulnerability reports, and remediation timelines.
- Use Continuous Monitoring – Leverage external attack surface tools and intelligence feeds to spot changes in vendor risk posture.
Suggested Vendor Tiering Model
Tier | Description | Requirements |
--- | --- | --- |
Tier 1 | Critical suppliers directly affecting CNI | Full CAF-aligned evidence pack, monthly monitoring |
Tier 2 | High-impact suppliers with significant access | Quarterly evidence, validated remediation reports |
Tier 3 | Standard vendors with limited exposure | Annual attestation, exception-based investigations |
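An added example, not taken from the article, of how a vendor risk team might operationalise the tiering model above: a small Python check that compares each supplier's evidence pack against the artifact set and review window assumed for its tier. The tier requirements and the vendor register are constructed assumptions, not figures from CAF.

```python
from datetime import date

# Tier model assumed from the article's suggested tiering table: artifact types follow the
# "Collect Verifiable Evidence" step; maximum ages approximate monthly, quarterly and annual
# review cadences, with a longer window for penetration tests. Adjust to your own contracts.
TIER_REQUIREMENTS = {
    1: {"sbom": 31, "vuln_report": 31, "remediation_plan": 31, "pentest": 366},
    2: {"vuln_report": 92, "remediation_plan": 92},
    3: {"attestation": 366},
}

# Constructed vendor register: the date each artifact was most recently received.
VENDORS = [
    {"name": "grid-telemetry-co", "tier": 1, "evidence": {
        "sbom": "2025-08-20", "pentest": "2025-06-01",
        "vuln_report": "2025-08-25", "remediation_plan": "2025-08-25"}},
    {"name": "payroll-saas", "tier": 2, "evidence": {"vuln_report": "2025-07-30"}},
    {"name": "office-supplies", "tier": 3, "evidence": {"attestation": "2024-05-01"}},
]


def assess_vendor(vendor, today_iso):
    """Flag evidence that is missing or older than the tier's review window for that artifact."""
    today = date.fromisoformat(today_iso)
    missing, stale = [], []
    for artifact, max_age_days in sorted(TIER_REQUIREMENTS[vendor["tier"]].items()):
        received = vendor["evidence"].get(artifact)
        if received is None:
            missing.append(artifact)
        elif (today - date.fromisoformat(received)).days > max_age_days:
            stale.append(artifact)
    status = "compliant" if not (missing or stale) else "action_required"
    return {"vendor": vendor["name"], "tier": vendor["tier"],
            "status": status, "missing": missing, "stale": stale}


def vendors_needing_action(vendors, today_iso):
    """Names of vendors whose evidence pack is incomplete or out of date."""
    return [r["vendor"] for r in (assess_vendor(v, today_iso) for v in vendors)
            if r["status"] == "action_required"]
```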
Why This Matters
By requiring evidence-based assurance, CAF v4.0 reduces the risk of cascading failures from third-party compromises. For organizations, it creates a structured way to demonstrate control over vendor risks, something regulators and boards now expect as part of a mature cyber resilience program.
Mapping CAF v4.0 to Other Standards
Most organizations do not operate under a single framework. CAF v4.0 is designed to be sector-agnostic, but many entities must also comply with regulations such as NIS2, DORA, or ISO/IEC 27001. Mapping CAF outcomes to these frameworks helps streamline compliance and reduces duplication of effort.
Alignment Highlights
- NIS2 (EU): Both CAF and NIS2 emphasize governance, incident reporting, and supply chain oversight. CAF v4.0’s outcome-based structure can help demonstrate NIS2 compliance in regulated sectors.
- DORA (Financial Services): DORA focuses on ICT risk management and operational resilience. CAF’s outcomes on monitoring, testing, and third-party assurance align closely with these requirements.
- ISO/IEC 27001: CAF outcomes can be mapped to ISO controls, allowing organizations already certified to ISO 27001 to use existing evidence for CAF readiness.
Quick Crosswalk Example
CAF Outcome Area | NIS2 Alignment | ISO/IEC 27001 Clause | DORA Article |
--- | --- | --- | --- |
Governance & Risk | Board accountability | A.5.1 — Information Security Policies | Art. 5 — Governance Framework |
Threat Understanding | Risk-based approach | A.6.1 — Information Security Risk Assessment | Art. 8 — ICT Risk Mgmt |
Software Assurance | Supply-chain risk | A.14.2 — System Development Security | Art. 28 — ICT Third-Party Risk |
Monitoring & Response | Incident handling/reporting | A.16.1 — Information Security Incidents | Art. 19 — Incident Reporting |
Recovery & Continuity | Business continuity & testing | A.17.1 — Information Security Continuity | Art. 24 — Resilience Testing |
By maintaining a crosswalk matrix, organizations can reuse existing evidence across multiple audits, reducing administrative burden and focusing on real improvements to resilience.
FAQs About the UK Cyber Assessment Framework (CAF v4.0)
Is CAF mandatory?
CAF itself is not legally binding, but regulators in many critical sectors adopt it as their assessment framework. For operators of essential services, alignment with CAF outcomes is often expected under the UK’s NIS Regulations and assurance schemes like GovAssure.
How is “evidence” defined?
Evidence must be verifiable artifacts, not just policy statements. Examples include: logs, SBOMs, penetration test results, remediation records, incident playbooks, and recovery test outcomes.
What’s different for suppliers and third parties?
Vendors can no longer rely on self-attestation. CAF v4.0 expects continuous assurance, including SBOMs, vulnerability reports, remediation proof, and monitoring data from critical suppliers.
How do we show progress to regulators?
Organizations should track Key Risk Indicators (KRIs) such as detection times, remediation rates, and vendor compliance status. Progress is demonstrated through outcome dashboards, exercise results, and evidence libraries.
Does CAF v4.0 address AI risks?
Yes. CAF v4.0 integrates AI under the lens of threat modeling and software assurance. Organizations must consider how AI tools, data models, and automated systems may introduce new vulnerabilities or alter attacker methods.