Navigating the NCSC Cyber Assessment Framework (CAF) 4.0: What You Need to Know
While many of us were enjoying summer holidays, the National Cyber Security Centre (NCSC) was busy. On 6th August, they released version 4.0 of their Cyber Assessment Framework (CAF), a significant update from version 3.2.
At first glance, the CAF looks familiar. Its structure and outcomes remain consistent, giving organisations continuity. But beneath the surface, this update brings over 100 new Indicators of Good Practice (IGPs) and a sharper focus on two critical areas: understanding threats in context and the active discipline of threat hunting.
Shifting the conversation
The updated framework introduces new outcomes that reshape how organisations approach cyber resilience.
- A2.b Understanding Threat: Organisations are now expected to move beyond generic risk registers. CAF 4.0 emphasises explicit attacker-path analysis: understanding how a real-world adversary could compromise essential functions, and focusing defensive investment accordingly.
- A4.b Secure Software Development and Support: The new expectations align with established practices such as SBOMs (Software Bills of Materials) and signed, attestable updates. In practice, this means organisations need to embed a secure SDLC, treating software provenance and update integrity as non-negotiable.
- C2 Threat Hunting (new principle): Perhaps the most notable addition, CAF 4.0 formalises the requirement for resourced, methodical hunts whose findings do not just sit in reports but are actively converted into new detections. This shift encourages organisations to take a proactive, intelligence-led stance on defence.
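To make the A4.b expectation concrete, here is an added example (not code from the NCSC, the CAF, or TXP) of what "signed, attestable updates" with an SBOM look like in practice: a vendor signs a manifest listing every shipped component and its digest, and the receiving system refuses the update unless the manifest signature verifies under a trusted key and every delivered file matches the digest listed. The manifest format, the use of Ed25519, the JSON canonicalisation, the fixed key seed and the file contents are all assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Component is one SBOM entry: what shipped and the digest it must match.
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// Manifest is the signed update manifest: release metadata plus a minimal SBOM.
type Manifest struct {
	Product    string      `json:"product"`
	Release    string      `json:"release"`
	Components []Component `json:"components"`
}

// canonical serialises the manifest deterministically (components sorted by name)
// so that signer and verifier hash exactly the same bytes.
func canonical(m Manifest) ([]byte, error) {
	comps := append([]Component(nil), m.Components...)
	sort.Slice(comps, func(i, j int) bool { return comps[i].Name < comps[j].Name })
	m.Components = comps
	return json.Marshal(m)
}

// Sign produces a detached Ed25519 signature over the canonical manifest.
func Sign(m Manifest, priv ed25519.PrivateKey) ([]byte, error) {
	msg, err := canonical(m)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyUpdate enforces provenance (manifest signed by the trusted vendor key) and
// integrity (every delivered file matches its listed digest, nothing listed is
// missing, and nothing unlisted has been slipped into the delivery).
func VerifyUpdate(m Manifest, sig []byte, pub ed25519.PublicKey, files map[string][]byte) error {
	msg, err := canonical(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("manifest signature invalid: untrusted or tampered manifest")
	}
	listed := make(map[string]bool, len(m.Components))
	for _, c := range m.Components {
		listed[c.Name] = true
		data, ok := files[c.Name]
		if !ok {
			return fmt.Errorf("component %s listed in manifest but not delivered", c.Name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != c.SHA256 {
			return fmt.Errorf("component %s digest mismatch", c.Name)
		}
	}
	for name := range files {
		if !listed[name] {
			return fmt.Errorf("delivered file %s is not in the signed manifest", name)
		}
	}
	return nil
}

// sampleRelease builds a constructed (not real) release: two files, the manifest
// listing their digests, and a key pair from a fixed seed so the run is reproducible.
func sampleRelease() (Manifest, map[string][]byte, ed25519.PrivateKey, ed25519.PublicKey) {
	files := map[string][]byte{
		"agent":     []byte("agent 2.1.0 binary bytes (constructed)"),
		"libparser": []byte("libparser 0.9.3 library bytes (constructed)"),
	}
	versions := map[string]string{"agent": "2.1.0", "libparser": "0.9.3"}
	m := Manifest{Product: "example-collector", Release: "2.1.0"}
	for name, data := range files {
		sum := sha256.Sum256(data)
		m.Components = append(m.Components, Component{Name: name, Version: versions[name], SHA256: hex.EncodeToString(sum[:])})
	}
	priv := ed25519.NewKeyFromSeed([]byte("0123456789abcdef0123456789abcdef")) // constructed seed
	return m, files, priv, priv.Public().(ed25519.PublicKey)
}

func main() {
	m, files, priv, pub := sampleRelease()
	sig, _ := Sign(m, priv)
	fmt.Println("genuine release:", VerifyUpdate(m, sig, pub, files))
	files["libparser"] = []byte("trojaned bytes")
	fmt.Println("tampered file:", VerifyUpdate(m, sig, pub, files))
}
```

The point worth noting is that the digest list only has value because it is signed: an unsigned SBOM shipped alongside the update can be edited by whoever edited the binaries. The unlisted-file check matters for the same reason; an installer that only validates what the manifest names can still be handed an extra, unvetted artefact.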
Indicators of good practice
The expanded IGPs reflect the NCSC’s recognition that cyber assurance is not only a technical challenge but an organisational one. Noteworthy updates include:
- Board direction and security as an enabler: Cyber is increasingly tied to essential-function continuity. Boards are expected to treat resilience as strategic, not just operational.
- AI and automated decision-making safeguards: As automation and AI become central to services, the CAF now signals the importance of designing with safeguards against misuse or bias.
- Contextualised threat intelligence: Organisations must go beyond collecting feeds. Threat intel must be actionable, relevant, and directly tied to monitoring outcomes.
- Offline incident response plans: In an age of ransomware and service disruption, CAF 4.0 calls for offline-accessible plans and a stronger emphasis on learning lessons after incidents.
What this means for organisations
The latest update makes one thing clear: the bar for cyber assurance is rising. It is no longer sufficient to “tick the box” on policies and controls. Instead, CAF 4.0 demands:
- Proactive threat understanding rooted in attacker-path analysis.
- Embedded security in software supply chains and development lifecycles.
- Operationalised intelligence that informs monitoring and detection.
- Cultural and board-level engagement where cyber resilience is core to continuity planning.
For many organisations, these requirements will feel ambitious. But they also provide a roadmap for maturing cyber resilience in line with modern threats.
How we can help
At TXP we have significant experience of supporting customers through their CAF journeys. More importantly, we’ve helped them translate findings into effective cyber hygiene programmes that make a measurable difference. CAF 4.0 raises expectations, but with the right prioritisation and execution, organisations can meet them without being overwhelmed.
If you would like practical, prioritised actions to strengthen your organisation’s cyber resilience, get in touch to hear about our structured Security Maturity Assessment, which leverages CAF and NIST frameworks to give you a clear view of your maturity and a roadmap for improvement.