The Cyber Assessment Framework (CAF), provided by the National Cyber Security Centre (NCSC), has been updated in response to growing threats.
The tool helps organisations improve their cyber security and resilience, so they can protect critical services from cyber threats.
The CAF is mainly designed for CNI organisations operating essential services in sectors including energy, healthcare, transport, digital infrastructure and government, helping them to meet legal and regulatory requirements such as the NIS Regulations.
It provides a comprehensive framework for assessing how well an organisation is meeting expected security and resilience outcomes, identified as appropriate in relation to a particular level of threat.
The last version was published in April 2024 and its adoption has continued to spread. It's now used by nearly all UK cyber regulators and GovAssure, the cyber security assurance scheme for assessing the UK's critical national infrastructure (CNI).
Meanwhile, the cyber threat to the UK’s CNI has continued to increase.
The CAF has been updated to ensure it remains relevant and that organisations' defences are up to date.
Version 4.0 introduces four major changes, including a new section on building a deeper understanding of attacker methods and motivations to inform better cyber risk decisions, and a new section on ensuring software used in essential services is developed and maintained securely.
There are also updates to the section on security monitoring and threat hunting to improve the detection of cyber threats and improved coverage of AI-related cyber risks.
The update has been produced in full consultation with the cyber regulators and other cyber oversight bodies that use the CAF.