A short intro to the framework UK regulators use to assess cyber resilience: what CAF is, who uses it, and what changed in v4.0.
NCSC's description: "a tool provided by the NCSC to help organisations improve their cyber security and resilience." In practice, it's the assessment framework UK regulators use to supervise operators of essential services.
CAF doesn't prescribe specific controls. It defines outcomes you must achieve; how you get there is up to you. This is its biggest virtue and its biggest pitfall: flexibility for mature teams, paralysis for teams used to tick-box compliance.
Four objectives: A. Managing security risk. B. Protecting against cyber attack. C. Detecting cyber security events. D. Minimising the impact of incidents. Fourteen principles sit across them, broken into thirty-nine contributing outcomes, each with its own indicators of good practice (IGPs).
Each contributing outcome is assessed at one of three levels. Achieved: fully evidenced across every material aspect. Partially Achieved: some aspects evidenced, some gaps. Not Achieved: evidence absent, or the evidence contradicts the outcome. Regulators set the target verdict level per outcome via profiles.
NCSC released CAF v4.0 on 6 August 2025 with new guidance on attacker methods, secure software development, threat hunting, and AI-specific risks. GovAssure still runs on v3.2 at time of writing; sector regulators are adopting v4.0 on their own cadences.
CAF is the assessment backbone for most UK cyber-assurance regimes. Each regulator either extends CAF with sector content, or applies a target profile over the base framework.
Energy (Ofgem DGE), water (DWI eCAF), transport (DfT for rail/road/maritime; CAA for aviation via CAP 1753 & 1850), health (NHS DSPT), digital infrastructure. Competent Authorities use CAF to judge whether your systems are resilient enough to keep the service running.
Cabinet Office Government Security Group applies CAF across central departments and arms-length bodies via two profiles, Baseline (minimum) and Enhanced (higher-threat systems). Delivered via WebCAF. The full profile tables are private to assurance teams.
MHCLG (formerly DLUHC) runs a CAF for Local Government scheme for councils in England. Wales participates through the Welsh Government local-authority pilot. Northern Ireland's Department of Finance is an early adopter of NCSC's Cyber Resilience Audit.
Introduced November 2025, with Royal Assent expected late 2026. The bill brings managed service providers, data centres, and additional digital service providers into scope, with CAF v4.0 committed as the binding baseline and 24-hour early incident reporting. If this lands on your desk, CAF is the language you'll need to speak.
Some UK regimes look adjacent but aren't CAF. Ofcom's Telecommunications Security regime runs a distinct control catalogue. Nuclear licensees are supervised via ONR's SyAPs. MoD suppliers use DefStan 05-138. If you're being asked to assess against one of those, CAF is the wrong starting point, though the underlying outcomes often map across.
If you ran a v3.2 assessment last year, here's what NCSC changed when v4.0 landed in August 2025.
New guidance that grounds risk management in what attackers actually do, not just abstract threat categories. Expect Competent Authorities to push harder on "who would target you, and why" during scoping conversations.
New section on secure software development and maintenance for essential services. Relevant for any operator writing or maintaining code in the scope of their essential function, including the SCADA or OT applications behind the plant.
AI threat considerations woven through the framework. If the client is adopting GenAI or has AI baked into an OT vendor stack, that's now in scope of the assessment, not a separate conversation.
Enhanced detection-side guidance: active threat hunting, enriched monitoring coverage expectations, and proactive discovery of security events. Objective C is more demanding than it was in v3.2.
We build CAF Scout, an AI-assisted workbench for CAF engagements. Evidence tagging, AI-drafted verdicts you sign off, regulator profiles built-in, Excel round-trip, self-hosted, BYO LLM (or none at all).
See CAF Scout →
The authoritative sources we rely on, plus practitioner writeups worth reading.
The Cyber Assessment Framework collection
CAF v4.0 release announcement (Aug 2025)
CAF supplementary information (sector regimes)