The UK’s National Cyber Security Centre (NCSC) has officially released version 4.0 of the Cyber Assessment Framework (CAF), a significant update that reflects the changing cyber threat landscape, technological advances, and evolving regulatory needs.
With CAF becoming the de facto benchmark for assessing cybersecurity maturity across critical national infrastructure (CNI), government bodies, and regulated sectors, version 4.0 brings several key updates that organisations must understand and act on.
In this article, we break down:
- What CAF is and its importance
- Key changes introduced in version 4.0
- What those changes mean for cybersecurity teams, leadership, and regulators
- Next steps for aligning your organisation with CAF 4.0
What Is the Cyber Assessment Framework?
The Cyber Assessment Framework (CAF) is a comprehensive set of guidelines and outcomes developed by the NCSC to help organisations measure and improve their cyber resilience. Originally launched in 2018, the framework was designed to support compliance with the NIS Regulations (2018) and has since evolved into a broader tool used across many sectors.
CAF is outcomes-focused rather than control-based. It doesn’t prescribe exact technologies but instead describes what good cybersecurity outcomes should look like, giving organisations flexibility in implementation while still aligning with national standards.
Why CAF 4.0 Was Necessary
Several forces have driven the need for CAF 4.0:
- The cyber threat landscape has intensified, with more sophisticated ransomware, nation-state actors, and supply chain attacks.
- Emerging technologies such as AI, OT/IT convergence, and cloud adoption have introduced new risks.
- Regulatory changes, including the EU’s NIS2 Directive, have shifted expectations around risk management and supply chain governance.
- Lessons learned from applying previous versions of CAF across sectors showed where clarification, alignment, or simplification was needed.
CAF 4.0 is not a rewrite: it is a refined and enhanced version designed to ensure continued relevance, consistency, and usability.
Key Changes in CAF 4.0
1. Stronger Alignment with NIS Regulations and NIS2
CAF 4.0 is explicitly aligned with the expectations of the UK NIS Regulations, and many of its emphases overlap with the EU’s NIS2 Directive (which does not apply directly in the UK, but does reach UK organisations that operate in, or supply into, the EU), such as:
- Greater emphasis on incident response and business continuity
- Expanded scope to include supply chain security
- Enhanced focus on governance, leadership, and accountability
Organisations regulated under NIS should see clearer correlations between CAF outcomes and compliance obligations.
2. Updated Structure and Clarified Language
One of the biggest criticisms of earlier versions was the ambiguity in language and overlaps between objectives. Version 4.0 has addressed this with:
- Clearer, more concise outcome statements
- Removal of redundant or repetitive language
- Improved indicators of good practice (IGPs) describing what Achieved, Partially Achieved, and Not Achieved look like for each contributing outcome
This makes the framework easier to understand and more practical for real-world assessments.
3. New and Updated Contributing Outcomes
Some contributing outcomes have been added, merged, or refined to reflect emerging risks and best practices:
- Introduction of outcomes related to AI and automation risk management
- Expanded treatment of software supply chain security
- Enhanced focus on monitoring and detection capabilities, including threat intelligence integration
- More robust guidance on incident preparation and exercising
Organisations will need to reassess their existing controls and determine whether they meet the spirit and detail of the updated outcomes.
4. Assessment Model Adjustments
The shape of the assessment model is unchanged: each contributing outcome is still judged Achieved, Partially Achieved, or Not Achieved against its indicators of good practice (IGPs), and regulators continue to set the target profiles organisations are measured against. What has changed is the IGPs themselves, which have been:
- Rewritten for clarity and consistency
- Adjusted to reflect current, realistic expectations of implementation
For example, what was sufficient for “Achieved” in some areas may now require more, particularly for cloud services, endpoint security, and OT networks.
5. Simplified Implementation Guidance
CAF 4.0 has been published alongside new supporting documentation that helps organisations:
- Understand the rationale behind each outcome
- Align CAF with existing frameworks like ISO 27001, NIST CSF, and CIS Controls
- Prepare for assessments using real-world scenarios and sector examples
This removes a lot of guesswork and supports internal teams in translating outcomes into actionable strategies.
6. More Explicit Executive and Governance Responsibilities
The role of leadership and governance in cybersecurity has been elevated, with CAF 4.0 reinforcing:
- Board-level accountability for cyber risk
- Need for executive awareness of threat scenarios
- Involvement of senior leaders in incident response planning and testing
CAF is no longer just a tool for technical teams. Executive teams must now demonstrate oversight and decision-making aligned with the framework.
7. Integration with Risk Management Principles
Risk management is now more deeply embedded throughout the framework, including:
- Greater alignment with organisational risk appetites
- Emphasis on risk-based prioritisation of controls
- Guidance on integrating CAF assessments into broader Enterprise Risk Management (ERM)
This helps bridge the gap between cybersecurity and business risk, a critical point for regulators and insurers.
What CAF 4.0 Means for Organisations
A. Regulated Entities Must Act Quickly
Organisations in regulated sectors (energy, transport, water, healthcare, digital infrastructure, etc.) should:
- Review the updated framework immediately
- Map changes to their current CAF position
- Prepare for re-assessment or audit based on 4.0 expectations
Non-compliance risks reputational damage, financial penalties, and weakened national resilience.
B. A Fresh Opportunity to Mature Security Posture
CAF 4.0 isn’t just about compliance: it’s a strategic opportunity to:
- Embed cyber risk into the culture of the organisation
- Drive collaboration between IT, security, operations, and governance
- Identify where investments are needed to keep pace with evolving threats
For many, it will act as the catalyst for prioritising modernisation efforts, such as implementing SIEM/XDR, enhancing IAM, and improving third-party risk management.
C. SMEs and Local Authorities Must Not Ignore CAF
While not all SMEs and local authorities fall under direct regulation, many are:
- Part of supply chains to regulated entities
- Providers of critical local services
- Holding personal and sensitive data
CAF 4.0 provides a scalable framework that smaller organisations can adopt voluntarily to demonstrate due diligence and resilience. In fact, it’s becoming a common requirement in public sector procurement.
D. Leadership Must Be Ready to Own Cyber Risk
Senior leaders must now:
- Be prepared to discuss cyber risks in governance meetings
- Demonstrate how cyber outcomes align with business objectives
- Ensure resources are allocated in line with CAF priorities
Cybersecurity is now a leadership and governance issue, not just an IT problem.
Next Steps for Aligning with CAF 4.0
1. Download and Study the Updated Framework
   - The NCSC has published the full CAF 4.0 framework and supplementary guidance.
   - Read both to understand the language, structure, and expectations.
2. Conduct a Gap Assessment
   - Map your current implementation against the new contributing outcomes.
   - Identify where existing controls need to evolve.
3. Engage Leadership and Governance
   - Present the key changes and implications to senior stakeholders.
   - Secure buy-in for any resource or policy changes required.
4. Update Your Risk Register
   - Reframe cyber risks based on the updated guidance.
   - Integrate CAF into existing ERM processes if not already done.
5. Refresh Your Cyber Strategy
   - Prioritise gaps that intersect with legal, reputational, or operational risk.
   - Consider bringing in external partners to accelerate progress.
6. Prepare for Assessment
   - Update internal documentation and evidence to reflect changes.
   - Schedule a formal internal or third-party CAF 4.0 readiness review.
Final Thoughts
CAF 4.0 is not a revolution, but it is a significant evolution. It reflects how far the cyber landscape has shifted since 2018 and ensures the UK remains at the forefront of cyber resilience.
For organisations, this update is both a wake-up call and an opportunity: a chance to reassess assumptions, close critical gaps, and embed cyber risk at the heart of governance and operational decision-making.
Cyber threats aren’t slowing down. Neither should our defences.