
Carl Hunt at Beyond Blue explains the interconnection between the UK’s Cyber Security and Resilience Bill Policy Statement and the NCSC’s Cyber Assessment Framework
The NCSC’s Cyber Assessment Framework (CAF), first released in 2018, has become the go-to reference for operators of critical infrastructure and their regulators. Over the years it has evolved as threats have changed and as the UK’s approach to cyber-security has matured.
The latest version (v4.0), released on the 6th August 2025, not only represents a response to the latest threats, but is deeply interconnected with the strategic priorities and legislative proposals outlined in the Cyber Security and Resilience Bill Policy Statement.
Both documents underscore an effort by the UK government to bolster the nation’s cyber-resilience in response to rapidly escalating and increasingly sophisticated cyber-threats.
The Cyber Security and Resilience Policy Statement sets the stage for a Cyber Security and Resilience Bill, which is expected to be brought to Parliament this autumn.
The statement highlights "unprecedented threats to our critical national infrastructure", noting that hostile cyber-activity from organised crime groups and state-sponsored threat actors has "grown more intense, frequent, and sophisticated".
A key concern is that “resilience is not improving at the rate necessary to keep pace with the threat". This concern is heightened by recent advances in technology, including the use of artificial intelligence by threat actors, which is increasing the sophistication and speed of attacks.
It’s clear the CAF is now aligned with the Cyber Security and Resilience Bill Policy Statement and it provides a blueprint to help organisations operationalise the recommendations. It is also likely to form the basis for detailed regulation.
The changes also signal an important shift from mere compliance to dynamic cyber-resilience.
The CAF significantly expands requirements for a more rounded and mature approach to threat analysis. It places greater emphasis on understanding attackers, their techniques, tactics, and intent, requiring organisations to demonstrate effective controls against sophisticated threat actors who possess extensive resources, long-term strategic objectives, and deep technical capability.
This addresses the Policy Statement’s concern that hostile cyber-activity has "grown more intense, frequent, and sophisticated" and that the threat landscape is "diffuse and dangerous".
Secure Software Development and Support is now an integral part of the CAF, which emphasises integrating security throughout the software development lifecycle, requiring evidence of code provenance, static and dynamic code analysis, secure software distribution, and securing open-source software.
It also mandates that suppliers evidence the use of recognised secure software development frameworks and actively monitor key third-party components for vulnerabilities.
These changes could be a direct response to recent incidents, such as the July 2024 CrowdStrike outage, to emerging trends such as vibe coding, and to an underlying concern that many developers and organisations do not have a sufficient understanding of their Software Bill of Materials (SBOM).
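The two supplier obligations above, evidencing provenance for each component and monitoring third-party components for vulnerabilities, are both mechanical checks over an SBOM. The following is an added example, not code from the article or from the NCSC: it reads a constructed CycloneDX-style SBOM fragment, matches each component against a constructed advisory list (the advisory identifiers, package names and version ranges are all hypothetical) and reports components that fall inside an affected version range or that carry no integrity hash at all.

```python
import json

# Constructed CycloneDX-style SBOM fragment. The package names, versions and
# hashes are invented for this example and do not describe any real project.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"name": "widgetlib", "version": "2.4.1", "purl": "pkg:pypi/widgetlib@2.4.1",
     "hashes": [{"alg": "SHA-256", "content": "ab12" }]},
    {"name": "parsekit", "version": "1.0.3", "purl": "pkg:pypi/parsekit@1.0.3"},
    {"name": "netcore", "version": "3.2.0", "purl": "pkg:npm/netcore@3.2.0",
     "hashes": [{"alg": "SHA-256", "content": "cd34"}]}
  ]
}
"""

# Constructed advisory feed in an OSV-like "introduced / fixed" shape.
# The identifiers are placeholders, not real CVE or GHSA entries.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "purl": "pkg:pypi/widgetlib", "introduced": "2.0.0", "fixed": "2.4.2"},
    {"id": "EXAMPLE-2025-0002", "purl": "pkg:npm/netcore",    "introduced": "3.0.0", "fixed": "3.1.5"},
    {"id": "EXAMPLE-2025-0003", "purl": "pkg:pypi/parsekit",  "introduced": "0.9.0", "fixed": "1.0.0"},
]


def parse_version(version):
    """Dotted-integer versions only (assumption for this example); real
    ecosystems need PEP 440 / semver-aware comparison."""
    return tuple(int(part) for part in version.split("."))


def purl_base(purl):
    """Strip the '@version' suffix so advisories can match on package identity."""
    return purl.split("@", 1)[0]


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, the OSV range convention."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit_sbom(sbom_text, advisories):
    """Return a finding per vulnerable component and per component that
    ships without an integrity hash (no provenance evidence)."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        if not comp.get("hashes"):
            findings.append({"component": name, "version": version,
                             "issue": "no-hash", "advisory": None})
        base = purl_base(comp["purl"])
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"component": name, "version": version,
                                 "issue": "vulnerable", "advisory": adv["id"]})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON, ADVISORIES):
        print(finding)
```

Run as written, this flags `widgetlib` 2.4.1 as inside the affected range and `parsekit` as having no hash; `netcore` 3.2.0 is past its fixed version and passes. In practice the advisory list would be pulled from a live feed and the version comparison delegated to the ecosystem’s own library, since prerelease tags and epochs break a naive tuple comparison.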
The Policy Statement also explicitly identifies that supply chains are particularly vulnerable and proposes strengthening security and enabling regulators to identify Designated Critical Suppliers (DCS). This will certainly encompass Managed Service Providers, but it could also expand the scope for Relevant Digital Service Providers (RDSP) to SME and micro businesses, where they provide vital services.
The new CAF also puts greater emphasis on strengthening operational practices with a focus on security monitoring, incident response and organisational culture.
Operators of Essential Services (OES) are expected to maintain accessible, well-structured security logs, apply effective playbooks during triage, and develop a baseline of normal user behaviour to guide decisions during incidents.
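A baseline of normal user behaviour is only useful during triage if it can be queried quickly against the log lines an analyst is looking at. The following is an added example, not code from the article or from the NCSC: it builds a per-user baseline (usual source addresses and login hours) from a handful of constructed authentication log lines, scores new events against that baseline, and maps the reasons to a simple playbook decision. The log format, field names and decision rules are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed key=value log format for this example; adapt LINE_RE to the real source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"action=(?P<action>\S+)\s+result=(?P<result>\S+)$"
)

# Constructed historical log used to learn what "normal" looks like.
BASELINE_LOG = """
2025-08-01T08:02:11Z user=alice src=10.0.1.5 action=login result=success
2025-08-01T09:15:40Z user=alice src=10.0.1.5 action=login result=success
2025-08-01T17:48:03Z user=alice src=10.0.1.9 action=login result=success
2025-08-01T09:01:27Z user=bob src=10.0.2.7 action=login result=success
2025-08-02T10:22:54Z user=bob src=10.0.2.7 action=login result=success
2025-08-02T10:30:00Z user=bob src=10.0.2.7 action=login result=failure
""".strip().splitlines()

# Constructed events arriving during an incident.
TRIAGE_LOG = [
    "2025-08-05T03:14:09Z user=alice src=198.51.100.23 action=login result=success",
    "2025-08-05T10:05:31Z user=bob src=10.0.2.7 action=login result=success",
    "2025-08-05T11:00:00Z user=carol src=10.0.3.1 action=login result=success",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def build_baseline(lines):
    """Per-user set of observed source addresses and login hours, from successful logins only."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set(), "logins": 0})
    for line in lines:
        event = parse_line(line)
        if event is None or event["action"] != "login" or event["result"] != "success":
            continue
        entry = baseline[event["user"]]
        entry["sources"].add(event["src"])
        entry["hours"].add(event["ts"].hour)
        entry["logins"] += 1
    return dict(baseline)


def score_event(baseline, line):
    """Compare one event with the baseline and list every reason it deviates."""
    event = parse_line(line)
    if event is None:
        return None
    reasons = []
    entry = baseline.get(event["user"])
    if entry is None:
        reasons.append("unknown-user")
    else:
        if event["src"] not in entry["sources"]:
            reasons.append("new-source")
        if event["ts"].hour not in entry["hours"]:
            reasons.append("off-hours")
    if event["result"] != "success":
        reasons.append("failed-auth")
    return {"user": event["user"], "src": event["src"], "reasons": reasons}


def triage_decision(reasons):
    """Assumed playbook mapping: two independent deviations escalate, one is reviewed, none is closed."""
    if "new-source" in reasons and "off-hours" in reasons:
        return "escalate"
    if reasons:
        return "review"
    return "close"


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for line in TRIAGE_LOG:
        scored = score_event(baseline, line)
        print(scored["user"], scored["reasons"], triage_decision(scored["reasons"]))
```

With the constructed data, `alice` logging in at 03:14 from an address never seen before is escalated, `bob` at 10:05 from his usual address is closed, and `carol`, who has no baseline at all, goes to review. A production baseline would be learned over weeks, treat hours as a distribution rather than an exact set, and key on more than source address, but the shape of the check is the same.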
This plays directly to the commitment in the Policy Statement to "improved incident reporting to improve our understanding of the threats", and to the Bill’s proposed two-stage reporting structure (initial notification within 24 hours, full report within 72 hours). That timetable is likely to stretch many organisations and could prove unrealistic for some to achieve.
Perhaps most notably, the revised CAF elevates board accountability, requiring members to have a deeper understanding of technology and cyber-risk to make better informed decisions and actively oversee organisational resilience.
Furthermore, resilience language is now woven into areas that were previously framed purely around security, reframing security as part of a broader resilience objective. There is more to do here to help organisations bridge the divide between security and resilience. These two communities, which often have very different world views, must ultimately work together to achieve resilience to cyber-threats.
The Policy Statement also aims to "put regulators on a stronger footing" and ensure that firms "can invest in cyber-security with greater clarity on what is required". The emphasis on board literacy is essential to achieving this objective and for boards to effectively work with regulators.
Whilst the implementation of the CAF, and its tailoring to the needs of specific sectors, sit with the Competent Authorities, the changes to the framework provide a clear indication of the government’s intent for improved resilience.
It’s also important that organisations not currently designated as OES or RDSP take notice. Under the proposed Cyber Security and Resilience Bill, the scope of both OES and RDSP is changing, bringing many new organisations into the scope of the CAF, in part or in full.
Be prepared: regulation is coming, and the latest CAF provides a clear indication of the expectations of the NCSC, and ultimately the government, over the resilience of our digital infrastructure.
Carl Hunt, director, Beyond Blue
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543