The CAF is a sector-agnostic tool developed by the NCSC to provide organizations with a structured approach to assess, achieve, and demonstrate an appropriate level of cyber resilience.
Key takeaways
- Cyber resilience is a public service necessity. Rising nation-state attacks threaten critical infrastructure and sensitive data. Adopting an outcome-based framework enables organizations to maintain essential services despite persistent, sophisticated threats.
- Asset visibility is the foundation of CAF Objective A. Organizations cannot manage security risks without a complete understanding of their infrastructure; automated discovery of shadow APIs and assets is essential to meeting core asset management principles.
- Zero Trust is central to achieving CAF Objective B. To protect against cyberattacks, organizations must transition from perimeter defense to granular, identity-based access and microsegmentation that prevents lateral movement within essential systems.
- CAF v4.0 mandates proactive detection over reactive monitoring. Meeting Objective C requires shifting from basic log analysis to advanced threat hunting and behavioral observation to identify hidden adversaries before they can impact essential functions.
- Supply chain integrity is a critical CAF security outcome. Security must be embedded throughout the software lifecycle and third-party script executions to protect the provenance of components and the safety of citizen data.
Frequently Asked Questions (FAQ)
It is designed for organizations subject to NIS regulations, those managing Critical National Infrastructure (CNI), and public sector entities that support core government functions or manage public safety risks.
Version 4.0 of the Cyber Assessment Framework was released in August 2025.
The framework is built upon four high-level objectives and 14 principles, which are measured through 41 contributing outcomes and specific indicators of good practice.
The objectives are Objective A: Managing security risk; Objective B: Protecting against cyberattack; Objective C: Detecting cybersecurity events; and Objective D: Minimizing the impact of incidents.
The updated framework (Principle A2.b) requires organizations to understand threat actors’ capabilities and techniques while integrating specific threat intelligence into their risk management decisions.
Under Principle C1.f, organizations must now go beyond traditional log analysis to understand user and system behavior, allowing them to identify anomalies that indicate malicious activity.
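To make the difference between a fixed log rule and behavioral observation concrete, here is an added example (not code from the NCSC or the CAF). It runs over a constructed set of login events: a static after-hours rule flags every login by a night-shift user, while a per-user baseline (hosts previously used and usual login hour) flags only the one login that departs from that user's own history. The event format, thresholds and user names are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample login events (user, ISO timestamp, source host); not taken from any real system.
SAMPLE_EVENTS = [
    ("alice", "2025-09-01T09:05:00", "ws-alice"),
    ("alice", "2025-09-02T09:12:00", "ws-alice"),
    ("alice", "2025-09-03T08:58:00", "ws-alice"),
    ("alice", "2025-09-04T09:20:00", "ws-alice"),
    ("alice", "2025-09-05T03:14:00", "srv-db-01"),  # off-hours login from a host alice never used
    ("bob", "2025-09-01T22:00:00", "ws-bob"),        # bob normally works nights
    ("bob", "2025-09-02T22:30:00", "ws-bob"),
    ("bob", "2025-09-03T21:45:00", "ws-bob"),
    ("bob", "2025-09-04T22:10:00", "ws-bob"),
]


def static_after_hours(events, start=7, end=19):
    """Traditional log rule: flag any login outside a fixed business-hours window."""
    return [(user, ts) for user, ts, _ in events
            if not start <= datetime.fromisoformat(ts).hour < end]


def detect_anomalies(events, min_history=3, hour_tolerance=3):
    """Behavioral check: judge each login against the same user's own earlier logins.

    A user needs at least `min_history` prior events before being assessed, so the
    baseline is learned from observed behavior rather than a site-wide assumption.
    """
    seen_hosts = defaultdict(set)   # user -> hosts previously used
    login_hours = defaultdict(list)  # user -> hours of previous logins
    findings = []
    for user, ts, host in events:
        hour = datetime.fromisoformat(ts).hour
        if len(login_hours[user]) >= min_history:
            reasons = []
            if host not in seen_hosts[user]:
                reasons.append(f"new-host:{host}")
            drift = abs(hour - median(login_hours[user]))
            if drift > hour_tolerance:
                reasons.append(f"hour-deviation:{int(drift)}")
            if reasons:
                findings.append((user, ts, reasons))
        seen_hosts[user].add(host)      # update the baseline after assessment
        login_hours[user].append(hour)
    return findings
```

The static rule returns five hits (all four of bob's routine logins plus alice's 03:14 event); the behavioral check returns only alice's 03:14 login, with both a new host and a six-hour deviation from her usual login time as reasons.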
The initial phase involves “Understanding your needs,” which requires identifying essential functions that rely on critical IT systems and prioritizing risks based on potential threats and vulnerabilities.