
Cyber Assessment Framework (CAF) v4.0 Explained

By Scott Hudson 7 August 2025 6 min read

CAF v4.0 is the latest version of the Cyber Assessment Framework, and was published by the NCSC on 6 August 2025. It is perhaps the most significant revision of the framework since the CAF was first introduced in 2018. Alongside small tweaks and amendments, CAF v4.0 introduces or expands on a number of important concepts as well as including 108 new Indicators of Good Practice (IGPs).

If your organisation uses the CAF, it is important you understand these changes and consider what they mean for your internal controls and cyber operations. In this blog, we outline the most significant changes and some of the factors you will need to consider. Many additional changes have been made throughout the CAF that are beyond the scope of this blog.

Understanding and Identifying Threats

A2.b Understanding Threat

The concept of understanding your organisation’s threat landscape and reflecting it in your risk management decision making dates back to CAF v1.0. However, CAF v4.0 consolidates and expands on these requirements in a new Contributing Outcome A2.b: Understanding Threat.

This new contributing outcome requires Operators of Essential Services (OES) to demonstrate a more rounded and mature approach to threat analysis. This includes not just understanding likely threats, but also having documented methodologies to conduct threat analysis. You must also demonstrate an ability to model likely attack scenarios (for instance, using attack trees or similar methodologies). Success here is predicated on your organisation having an accurate understanding of its network and system architecture.

C2.b Threat Hunting & C1.f Understanding User's and System's Behaviour, and Threat Intelligence

Contributing Outcome C2.b Proactive Attack Discovery has also been comprehensively rewritten and is now named ‘Threat Hunting’, alongside a new Contributing Outcome C1.f Understanding User's and System's Behaviour, and Threat Intelligence.

Collectively, these amendments are a step change in the expectations your organisation will face in terms of your ability to absorb and actively make use of threat intelligence, and to proactively share this intelligence with the wider community.

Previously, the CAF required that organisations ‘routinely search for system abnormalities indicative of malicious activity’. Version 4.0 introduces a range of new requirements. Your organisation needs to demonstrate a far more mature understanding of, and ability to apply or draw on, threat hunting skills and resources.

Threat hunting activity must be purposeful and follow a structured approach. To meet the ‘Achieved’ requirements, threat hunting must also be risk- and intelligence-led and proactively search for hostile tactics, techniques and procedures, rather than being limited to basic indicators of compromise such as hostile IP addresses.

These changes reflect the growing consensus that organisations need to adopt an ‘assumed breach’ mentality rather than relying solely on preventative defences like firewalls and anti-virus tooling. Modern attacks can bypass these controls without generating alerts, for instance by leveraging identity-based attacks. If your organisation can actively search out these attacks, it can both improve your security posture and provide insights to help you better target investment decisions and resources.

If your organisation already has a proactive threat hunting programme, consider whether it meets these requirements. If you do not currently undertake any meaningful proactive threat discovery work, now is the time to think about how to do so, and to implement threat hunting in a structured way which will meet the CAF requirements.

Software Development

A4.b Secure Software Development and Support

All organisations rely on internally or externally developed software which can introduce exploitable vulnerabilities, either at the point of deployment or over the lifetime that the software is in use. For instance, poor coding practices or a reliance on untested or easily manipulated external libraries can introduce vulnerabilities.

Previous versions of the CAF have focused primarily on the need for controls on the detection of unauthorised software within an organisation’s environment and encouraging regular patching in response to identified vulnerabilities. Version 4.0 goes much further, introducing a new Contributing Outcome A4.b Secure Software Development and Support that explicitly includes concepts such as code provenance (sometimes called a software bill of materials), static and dynamic code analysis, the use of secure software distribution channels, and securing open source software.

Meeting the ‘Achieved’ IGPs also requires that your suppliers can evidence that they use recognised secure software development frameworks. NIST SSDF and Microsoft’s SDL are referenced as examples, representing the first time that specific frameworks have been called out in the CAF. Key third-party components that are integrated into software packages must also be actively monitored for vulnerabilities throughout the product’s lifecycle.

Software integrity failures have been recognised as part of the OWASP Top 10 since 2021, and there have been a number of well-known attacks including Log4j and the manipulation of repositories such as GitHub, npm and PyPI. However, many organisations still accept vendor security claims at face value. Accordingly, the NCSC has placed greater prominence on software development security in the CAF.

Critical infrastructure organisations have significant purchasing power and important relationships with a wide range of vendors. The government will be hoping that by driving CNI operators to have tougher and more mature conversations with suppliers, they can help to encourage higher levels of maturity and adoption of secure software development practices, which will benefit all consumers.

We expect that meeting these requirements will be a significant challenge for some organisations. It will require a strong understanding of your supply chain, detailed conversations with vendors, and may ultimately mean you need to make changes to contractual terms and conditions, and software procurement / onboarding processes and ways of working. It may also require greater investment in your assurance capabilities. If you are not already having these conversations with your supply chain, then now is the time to start.

Artificial Intelligence

A2.a Risk Management Process & B4.a: Secure by Design

No discussion in cyber is now complete without referencing AI (or ‘automated decision-making technologies’ as it’s referred to in the CAF). Some in the community expected CAF Version 4.0 to focus heavily on this area, but the changes at this stage are more modest and focused on explicitly requiring that these technologies are designed and implemented in a way which prevents them from being exploited to conduct hostile acts against your critical systems. There are also minor additions to Contributing Outcome A2.a Risk Management Process that touch, slightly obliquely, on the need to consider ‘new and emergent technologies’ and ‘technological developments’ in your risk assessment processes.

However, don’t lose sight of the fact that a range of other parts of the CAF are still relevant to AI technologies – including Principle B3 (Data Security) – and if you are deploying AI technologies you should be explicitly considering them through a CAF lens.

What Does CAF v4.0 Mean for Operators of Essential Services?

Competent Authorities are expected to adopt Version 4.0 for their sectors, but this is a complex process, and some Competent Authorities may also want to make sector-specific adjustments to Version 4.0 before rolling it out. Profiles, which determine the level of performance an OES must demonstrate, will also need to be updated to reflect the new Contributing Outcomes. This means that in most cases OES will not be expected to formally assess their performance against CAF Version 4.0 for some time.

However, this does not mean that we recommend simply waiting to be directed by your Competent Authority before you start using Version 4.0. The entire premise of the CAF is that it is an outcome-focused framework to support organisations in understanding whether they’re managing cyber risk effectively. Mature organisations should be proactive in reflecting on the changes. Given the extent of these changes within Version 4.0, most organisations will need to take action before they can demonstrate that they are meeting the new requirements.

For support in understanding CAF 4.0, assessing your organisation’s posture, and designing and implementing improvements, get in touch with our team.

Scott Hudson

Principal Consultant
