CAF Version 4.0 has been released to improve the UK’s infrastructure cyber defence

The National Cyber Security Centre (NCSC) has launched Version 4.0 of its Cyber Assessment Framework (CAF), an important step forward in protecting the UK’s critical national infrastructure (CNI) against the cyber threat landscape.

The CAF Version 4.0 introduces key changes that are expected to help providers of essential services better assess and manage their cybersecurity risks.

Meeting the rising cyber threat

Since the last version of the CAF was released in April 2024, cyber threats to CNI have continued to escalate in complexity and frequency.

Attackers are using more advanced tactics, often targeting important sectors such as healthcare, energy, transport, digital infrastructure, and government services. The NCSC recognises that staying ahead of these evolving threats is essential to prevent disruptions to services that millions of people rely on every day.

The CAF Version 4.0 plays an important role in enabling organisations to build strong cyber resilience by providing a clear structure to assess whether their security and resilience measures are appropriate for the level of threat they face.

It is also widely used by UK cyber regulators and is a key component of GovAssure, the cyber security assurance scheme for CNI organisations.

What’s new in CAF Version 4.0?

CAF Version 4.0 introduces four new major updates designed to keep the framework in step with the modern threat environment and technological advancements:

  • Understanding the attacker

A new section has been added to help organisations get a better understanding of attacker behaviour and motivations. This intelligence-led approach allows better risk-based decision-making and enhances the ability to anticipate and counter emerging threats.

  • Secure software development

Recognising the growing importance of software security, CAF Version 4.0 includes a dedicated section focusing on the development and ongoing maintenance of software used in essential services. It highlights the need for secure coding practices and regular updates to reduce vulnerabilities.

  • Better threat detection

Updates to the existing section on security monitoring and threat hunting improve an organisation’s capability to detect and respond to cyber threats. These changes emphasise proactive threat identification and the value of behavioural analysis and anomaly detection.

  • Addressing AI-related risks

As AI becomes more integrated into operational environments, the framework now includes enhanced guidance on managing AI-related cyber risks. This ensures that organisations are aware of both the opportunities and threats posed by AI technologies and are prepared to secure their use effectively.

Designed for essential services

CAF Version 4.0 is designed for organisations delivering essential services, helping them meet regulatory obligations such as the Network and Information Systems (NIS) Regulations. By aligning their defences with the framework, these organisations can show their commitment to protecting public services from significant cyber incidents.

The CAF Version 4.0 framework has been developed in full collaboration with cyber regulators and oversight bodies across the UK, ensuring that the changes reflect practical needs and sector-specific challenges.

The NCSC has confirmed that CAF will continue to evolve. Future versions will align with upcoming legislative changes, including the Cyber Security and Resilience Bill, expected to be introduced to Parliament later this year. Organisations are encouraged to adopt CAF Version 4.0 now to strengthen their resilience and stay ahead of regulatory developments.

In addition to the CAF, the NCSC offers other tools to support cybersecurity improvements, including Cyber Essentials, the Cyber Resilience Audit, and Cyber Adversary Simulation services.
