The NCSC have recently released version 4.0 of the Cyber Assessment Framework (CAF), a common framework to enable organisations to conduct cyber resilience assessments using an outcome-focussed approach. This quick reference article provides an update on the key additions in CAF 4.0 versus its predecessor, version 3.2.
Key updates to CAF 4.0
Proactive threat hunting
Version 4.0 focusses much more on ensuring organisations have a deeper understanding and organisational skillset in actively finding cyber threats before they have the chance to develop into a full-scale event. We can see this with the contributing outcome ‘Threat hunting’ replacing the previous objective ‘Proactive attack discovery’, with a greater emphasis on ensuring resources are assigned to proactively identifying and analysing threats to the organisation’s essential functions.
Action: Review threat hunting capabilities, ensuring sufficient resources and skillsets are in place to proactively identify and analyse threats to essential functions.
Understanding threats
Building on proactive threat hunting is an updated emphasis on principle ‘A2.b: Understanding threat’. This reinforces the need for organisations not simply to be aware of cyber threats, but to demonstrate a clear grasp of how threat actors could impact essential services. It brings threat intelligence to the forefront, requiring organisations not just to consume intelligence but to operationalise it: aligning intelligence feeds to their environment, using it to inform decisions, prioritising vulnerabilities and feeding back into security operations.
By gaining a clearer understanding of how cyber threats could impact your essential functions, you can fine-tune your threat intelligence tools to become far more effective. If this capability isn’t in place yet, now is the time to look at threat management tools, proactive hunting and stronger security culture to help close this gap.
Action: Establish robust processes to identify, analyse and build detection and response capabilities based on the outputs of threat hunting activities.
Supply chain & third-party risk
CAF 4.0 principle ‘A4.a: Supply chain’ places greater emphasis on how well organisations understand and manage the cyber risks posed by their suppliers. Rather than simply having SLAs in place, organisations must now be able to evidence how third-party access, platforms and software suppliers are assessed, monitored and incorporated into security operations.
Moving on from CAF 3.2, where supplier due diligence was present but more narrowly scoped, the additions made within various indicators of good practice (IGPs) will mean improving due diligence processes and having a structured third-party assurance model in place.
Action: Implement structured third-party risk management and conduct thorough supplier due diligence.
Secure software development
Finally, a large-scale change from CAF 3.2 is the formal recognition of secure software development practices. CAF 4.0 introduces explicit expectations within principle ‘A4.b: Secure software development and support’ around how software is built and maintained, not just procured. This means secure coding, regular code review, vulnerability scanning and development pipelines that prioritise security from the outset.
Where CAF 3.2 largely focused on operational controls, CAF 4.0 calls for security to be embedded in the design and development lifecycle. This may challenge organisations who rely on third parties or legacy development practices, but it also presents an opportunity to align development and security under one strategic roof.
Action: Ensure secure development practices are defined, communicated and embedded.
Why this matters
CAF 4.0 gives organisations a more targeted approach to security management and shifts to a truly proactive security culture. The focus is now squarely on looking ahead, identifying future risks to your essential functions and staying one step ahead of the threats targeting them.
Most importantly, for organisations likely to fall under NIS2 as operators of essential services, CAF 4.0 is the ideal foundation. Using it now as a benchmark for best practice will make future compliance with competent authorities far easier.
What should organisations do next?
With the number of changes across controls, and the updated language in the IGPs, it's essential that internal cyber and information security programmes are brought in line with this new edition. For most, this will mean refreshing internal procedures and policies to demonstrate compliance.
The most effective route for gaining a complete understanding? Conducting a structured CAF Gap Analysis.
This will offer a clear roadmap and remediation plan to close the gaps and embed CAF 4.0. By acting early, organisations are far less likely to be caught out in a threat environment that is constantly evolving alongside compliance regimes that are looking to move cyber security onto a more proactive, community-focused footing.
If you could benefit from support with a CAF Gap Analysis, CSA Cyber is here to help.
Conclusion
CAF 4.0 marks a significant shift in how organisations must approach cyber resilience, moving from reactive compliance to proactive, intelligence-led security. With new expectations around threat hunting, secure development, and supply chain assurance, aligning with the framework is no longer optional for those operating in regulated sectors.
By understanding these changes and acting early, organisations can not only meet the standard but build lasting resilience against evolving threats.
CAF 4.0 demands immediate attention
These updates could leave previously compliant organisations exposed, making reassessment essential. If you're unsure where to begin, CSA Cyber’s ASSURE-accredited consultants are here to help.
From gap analysis to remediation planning, we’ll guide you through every step of CAF 4.0 alignment. Book a free discovery consultation or click here to learn more about our CAF consultancy services.