
The U.K. National Cyber Security Centre (NCSC) on Wednesday released Cyber Assessment Framework v4.0 (CAF v4.0) in response to the growing cyber threat landscape. The updated framework is designed to help providers of essential services strengthen their cyber risk management and resilience. It offers a structured, comprehensive approach to evaluating how effectively cyber risks to critical functions are being addressed. Assessments can be conducted internally or by an external body, such as a regulator, oversight entity, or an NCSC-assured commercial provider.
CAF v4.0 introduces four major changes. It adds a new section focused on developing a deeper understanding of attacker methods and motivations to support more informed cyber risk decisions. Another new section emphasizes the need to ensure that software used in essential services is developed and maintained securely. The framework also updates the section on security monitoring and threat hunting to enhance the detection of cyber threats. Finally, it strengthens the coverage of AI-related cyber risks across the entire framework.
“The CAF is primarily designed for CNI organisations operating essential services across energy, healthcare, transport, digital infrastructure and government sectors, helping them to meet legal and regulatory requirements such as the NIS Regulations,” Stephen D, Support to Regulation Team, wrote in a blog post. “It does this by providing a comprehensive framework for assessing how well an organisation is meeting expected security and resilience outcomes, identified as appropriate in relation to a particular level of threat.”
Stephen noted that the NCSC produced the update in full consultation with the cyber regulators and other cyber oversight bodies that use the CAF, and that their feedback was carefully considered throughout the development of CAF v4.0.
Since the release of CAF v3.2 last April, adoption of the Cyber Assessment Framework has expanded significantly. It is now used by nearly all U.K. cyber regulators and by GovAssure, the U.K. government’s cyber security assurance scheme, which applies the CAF to government organisations. The adoption comes as cyber threats targeting the U.K.’s critical national infrastructure have grown more severe. As attack methods evolve, closing the widening gap between escalating threats and current defensive capabilities has become increasingly urgent.
The CAF has been designed to support meaningful, outcome-driven cyber resilience assessments. It aims to avoid a checkbox approach, aligning instead with the NCSC’s principles of security and resilience. The framework is compatible with existing cybersecurity guidance and standards, and helps identify practical improvements. It is built as a sector-agnostic core that can be extended to include sector-specific needs where necessary. The CAF also allows for the setting of realistic, regulator-informed target security levels and is intended to be straightforward and cost-effective to apply.
Each top-level NCSC security and resilience principle defines a broad cybersecurity outcome. The precise approach organizations should adopt to achieve each principle is not specified, as this will vary according to organisational circumstances. However, each principle can be broken down into a collection of lower-level contributing cybersecurity and resilience outcomes, all of which will normally need to be achieved to fully satisfy the top-level principle. An assessment of the extent to which an organisation is meeting a particular principle is accomplished by assessing all the contributing outcomes for that principle.
The core of the CAF is designed to be sector-agnostic and broadly applicable to all organizations responsible for essential functions across key sectors. However, there may be a need to tailor certain aspects of the CAF for specific sectors. Some target profiles could be sector-specific, depending on how cyber oversight bodies choose to interpret CAF results, particularly from a regulatory standpoint. In some cases, sector-specific interpretations of contributing outcomes or indicators of good practice may be required to clarify their meaning within a particular context.
Additionally, there may be instances where generic outcomes or indicators do not sufficiently address a sector’s cybersecurity needs, requiring the definition of new, sector-specific elements. The NCSC will continue engaging with stakeholders to assess the need for such adaptations and to support the development and implementation of any necessary sector-specific components.
To support assessments at the level of contributing outcomes, each outcome is linked to a set of indicators of good practice (IGPs). These IGPs define the conditions under which an outcome is considered ‘achieved,’ ‘not achieved,’ or, in some cases, ‘partially achieved.’ For clarity and ease of use, the IGPs for each contributing outcome are organized into tables, referred to as IGP tables, which serve as the foundational elements of the CAF. Each principle is supported by several IGP tables, with one table corresponding to each contributing outcome.
Assessing contributing outcomes relies primarily on expert judgment. The indicators of good practice (IGPs) are designed to guide the process but do not replace the need for cybersecurity expertise and sector-specific knowledge. While IGPs offer a useful starting point, they should be applied with flexibility and in conjunction with NCSC guidance tied to the overarching cybersecurity and resilience principles. Final conclusions about an organisation’s posture should take into account all relevant factors, including special circumstances.
The ‘achieved’ (green) column in each IGP table outlines the typical characteristics of an organisation fully meeting the outcome. Generally, all listed indicators should be present to support an ‘achieved’ assessment, unless a particular indicator is not applicable due to effective compensating controls. The ‘not achieved’ (red) column defines traits of an organisation that do not meet the outcome. The presence of even one such indicator is typically sufficient to justify this assessment.
Where applicable, the ‘partially achieved’ (amber) column describes an organisation that meets the outcome to some extent. This assessment should reflect tangible cybersecurity or resilience benefits, not simply token efforts, and indicate meaningful progress, not just superficial activity.
Applying the CAF produces 41 individual assessments, one per contributing outcome, each derived from a judgment on the extent to which the relevant set of IGPs reflects the circumstances of the organisation being assessed.
The CAF is designed so that a result in which all 41 contributing outcomes are assessed as ‘achieved’ indicates a level of cybersecurity some way beyond the bare minimum ‘basic cyber hygiene’ level. A cyber oversight body will need to set target levels of cyber resilience for organisations within its sector. One way of setting these target levels is in terms of the ability to withstand specified categories of cyber attack, and the CAF supports this approach through the idea of CAF profiles.
The NCSC has collaborated with regulators and other oversight bodies to develop an approach for interpreting CAF output, focusing on identifying the contributing outcomes most critical to managing security risks to an organisation’s essential functions. These priority outcomes reflect what is considered appropriate and proportionate cybersecurity for that organisation and form the basis of a CAF profile—a structured set of target outcomes an organisation should aim to achieve.
A CAF profile typically includes a combination of outcomes to be met at different levels: some at ‘achieved’, others at ‘partially achieved’, and some possibly marked as ‘not applicable’ where certain capabilities are not relevant. Defining what constitutes appropriate and proportionate cybersecurity is not the role of the NCSC. Responsibility for setting target levels within the CAF rests with the relevant cyber oversight body.
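As an added worked example (not NCSC code, and not part of the original article), the following Python encodes the IGP table rules described above (any red indicator forces ‘not achieved’; all green indicators, or compensating controls for the missing ones, give ‘achieved’; an amber column, where one exists, gives ‘partially achieved’) and then compares the 41-style per-outcome results against a CAF profile to list the gaps. The outcome identifiers `OUT-1`..`OUT-3`, the indicator text, the evidence and the profile are all constructed for illustration; the rule that every amber indicator must be present for ‘partially achieved’ is this example’s assumption, since the article does not state how amber columns are scored.

```python
"""Added worked example (not NCSC code): applying the CAF IGP table rules
and comparing the results with a CAF profile.

All outcome identifiers, indicator text, evidence and the sample profile
below are constructed for illustration and are NOT taken from the published CAF."""
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    NOT_ACHIEVED = 0          # red column
    PARTIALLY_ACHIEVED = 1    # amber column (only some outcomes have one)
    ACHIEVED = 2              # green column
    NOT_APPLICABLE = 3        # used in profiles only, never as an assessment result


@dataclass
class IGPTable:
    """One contributing outcome and its IGP table; each column maps indicator id -> text."""
    outcome: str
    achieved: dict[str, str]
    partially: dict[str, str]      # empty when the table has no amber column
    not_achieved: dict[str, str]


@dataclass
class Evidence:
    """Assessor's findings for one outcome: indicator ids judged to be present,
    plus green indicators treated as not applicable because an effective
    compensating control covers them (an expert judgement, not a rule)."""
    present: set[str]
    compensated: set[str] = field(default_factory=set)


def assess(table: IGPTable, ev: Evidence) -> Level:
    # Rule 1: a single 'not achieved' indicator is enough for a red result.
    if any(i in ev.present for i in table.not_achieved):
        return Level.NOT_ACHIEVED
    # Rule 2: green requires every 'achieved' indicator, unless compensated.
    if all(i in ev.present or i in ev.compensated for i in table.achieved):
        return Level.ACHIEVED
    # Rule 3 (assumption in this example): where an amber column exists, the
    # outcome is 'partially achieved' only if all amber indicators are present.
    if table.partially and all(i in ev.present for i in table.partially):
        return Level.PARTIALLY_ACHIEVED
    return Level.NOT_ACHIEVED


def run_assessment(tables: dict[str, IGPTable], evidence: dict[str, Evidence]) -> dict[str, Level]:
    """One assessment per contributing outcome (41 in the real CAF)."""
    return {oid: assess(t, evidence[oid]) for oid, t in tables.items()}


def gap_report(profile: dict[str, Level], results: dict[str, Level]) -> list[tuple[str, Level, Level]]:
    """Outcomes whose assessed level falls short of the profile's target level.
    Outcomes the profile marks NOT_APPLICABLE are skipped."""
    gaps = []
    for oid, target in profile.items():
        if target is Level.NOT_APPLICABLE:
            continue
        actual = results[oid]
        if actual.value < target.value:
            gaps.append((oid, target, actual))
    return gaps


# --- constructed sample data (hypothetical outcomes and indicators) ---
SAMPLE_TABLES = {
    "OUT-1": IGPTable(
        outcome="OUT-1",
        achieved={"G1": "current inventory of systems supporting the essential function",
                  "G2": "inventory reviewed at a defined interval",
                  "G3": "third-party dependencies recorded"},
        partially={"P1": "an inventory exists but is incomplete or not regularly reviewed"},
        not_achieved={"R1": "no inventory of systems supporting the essential function"},
    ),
    "OUT-2": IGPTable(
        outcome="OUT-2",
        achieved={"G1": "security events from critical systems are collected centrally",
                  "G2": "collected events are retained and searchable"},
        partially={},   # no amber column for this outcome
        not_achieved={"R1": "events are not collected from critical systems"},
    ),
    "OUT-3": IGPTable(
        outcome="OUT-3",
        achieved={"G1": "threat hunting is performed against current attacker methods"},
        partially={},
        not_achieved={"R1": "no threat hunting capability"},
    ),
}

SAMPLE_EVIDENCE = {
    "OUT-1": Evidence(present={"G1", "P1"}),                 # amber indicator present
    "OUT-2": Evidence(present={"G1"}, compensated={"G2"}),   # G2 covered by a compensating control
    "OUT-3": Evidence(present={"G1", "R1"}),                 # contradictory evidence: red wins
}

# A hypothetical profile set by an oversight body: OUT-3 not required for this organisation.
SAMPLE_PROFILE = {"OUT-1": Level.ACHIEVED, "OUT-2": Level.ACHIEVED, "OUT-3": Level.NOT_APPLICABLE}

if __name__ == "__main__":
    results = run_assessment(SAMPLE_TABLES, SAMPLE_EVIDENCE)
    for oid, lvl in results.items():
        print(f"{oid}: {lvl.name}")
    for oid, target, actual in gap_report(SAMPLE_PROFILE, results):
        print(f"GAP {oid}: target {target.name}, assessed {actual.name}")
```

Note that the code only automates the bookkeeping; which indicators count as present, and which green indicators a compensating control genuinely covers, remain the assessor’s expert judgment, as the article stresses. Run with the sample data, `OUT-1` comes out ‘partially achieved’ against a target of ‘achieved’ and is the only gap; `OUT-3` is ‘not achieved’ but is excluded because the profile marks it not applicable.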
In May, the NCSC warned that U.K. critical systems are facing growing risks due to a widening ‘digital divide’, the gap between organizations that can adapt to artificial intelligence (AI)-enabled threats and those that cannot. In a report released on the opening day of the CYBERUK conference, the NCSC warned that developments in AI are likely to shorten the time between the discovery of software vulnerabilities and their exploitation by malicious actors, highlighting the growing cyber threat expected between now and 2027.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.