CAF 4.0: What’s changed?

The NCSC’s Cyber Assessment Framework 4.0 brings a tighter, more actionable standard for managing cyber risk in government. It refines the language, expands certain objectives, and introduces new contributing outcomes that address current threats and operational realities. 

This matters because the Cyber Assessment Framework is expected to gain statutory footing under the forthcoming Cyber Security and Resilience Bill. Departments and authorities will be required to evidence compliance and demonstrate proportionate improvement over time—moving from voluntary alignment to enforceable standards. 

 

Key changes in CAF 4.0 

CAF 4.0 expands from 39 to 41 contributing outcomes, with notable updates in four areas: 

  • Threat understanding (A2.b) – now a stand-alone outcome, requiring formal integration of threat intelligence into risk decisions. 
  • Secure software development and support (A4.b) – applies to in-house and third-party software, with evidence required for security and ongoing support. 
  • Security monitoring (C1) and threat hunting (C2) – greater detail on log enrichment, behaviour analytics, and structured hunting, with findings converted into repeatable detections. 
  • Response and recovery (D1) – stronger expectations for realistic, tested incident response and continuity plans, including supplier participation. 

These are not only technical changes. They require leadership attention, contractual adjustments, and measurable performance tracking. 

 

Why do these updates matter? 

Because CAF 4.0 changes what “good” looks like and how it’s proven.

It pushes leaders to base risk decisions on real threat intelligence, not internal assumptions. It also makes suppliers and software accountable with evidence, not claims. It expects monitoring, hunting and recovery to work under pressure, not just on paper. 

The bottom line: if you re-evaluate risk processes, supplier contracts and operational readiness against CAF 4.0, you cut the time to detect, contain and recover – and you can show that resilience to boards, auditors and the public. 

 

A2.b – Understanding Threat (new contributing outcome)

Previously, threat awareness was embedded within broader risk management. CAF 4.0 elevates it to a dedicated outcome. Leaders must now evidence how adversary capabilities and sector-specific intelligence are integrated into risk decisions.

What to re-evaluate: Boards should revisit how risk assessments are performed and confirm they draw on trusted external sources, such as NCSC advisories and law enforcement intelligence. This strengthens the case for structured intelligence feeds and monitoring services that translate intelligence into detection rules.
 

A4.b – Secure Software Development and Support (new contributing outcome)

Earlier CAF versions placed less emphasis on the provenance of software. Now, organisations must verify secure development practices, ongoing support and lifecycle management.

What to re-evaluate: Procurement and IT teams will need a clear view of software origins and maintenance commitments. Vendor assurances alone no longer suffice. This affects not just enterprise applications but the tooling underpinning SOC and MDR operations, from EDR agents to SIEM integrations.
 

C1 – Security Monitoring (expanded)

Where CAF 3.2 required monitoring and investigation of logs, CAF 4.0 expands expectations to cover enrichment, correlation, baselining of behaviour, retention, and structured triage.

What to re-evaluate: Leaders should confirm whether existing monitoring covers all critical assets and whether escalation processes work under pressure. This is often where teams must decide whether to build capacity internally or turn to managed SOC services to meet the baseline.
 

C2 – Threat Hunting (new!) 

Threat hunting is entirely new. CAF 4.0 expects organisations to conduct structured, hypothesis-driven hunts, converting findings into repeatable detections and playbooks.

What to re-evaluate: Leaders need to decide whether they can realistically sustain regular hunting internally or whether it makes sense to source this capability externally.
This requirement gives a tangible benchmark to evaluate MTDR or SOC providers against.
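To make the C1 and C2 expectations above concrete, here is an added example that is not code from the e2e-assure post or from the NCSC CAF itself. It enriches raw authentication events with asset and identity context, builds a per-user behavioural baseline, runs one hypothesis-driven hunt over history, and packages that hunt's logic as a repeatable detection rule with a triage severity. Every log line, inventory entry, rule identifier, working-hours window and severity threshold is constructed for the example and is an assumption, not a CAF-mandated value.

```python
"""Added example, not code from the e2e-assure post or from the NCSC CAF.
It sketches the C1 and C2 expectations in working form: raw events are
enriched with asset and identity context, a per-user behavioural baseline is
built, a hypothesis-driven hunt is run over history, and the hunt's finding is
converted into a repeatable detection rule with a triage severity.
Every log line, inventory entry, rule id and threshold here is constructed for
the example; none are CAF-mandated values."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed authentication events in a simple key=value format (not real logs).
RAW_EVENTS = [
    "2025-09-01T09:02:11Z login user=alice host=hr-db-01 src_country=GB result=success",
    "2025-09-01T09:15:40Z login user=alice host=hr-db-01 src_country=GB result=success",
    "2025-09-02T10:05:03Z login user=bob host=web-04 src_country=GB result=success",
    "2025-09-03T02:47:19Z login user=alice host=hr-db-01 src_country=RU result=success",
    "2025-09-03T11:12:00Z login user=bob host=web-04 src_country=GB result=failure",
]
# Constructed asset inventory and identity directory used for enrichment.
ASSETS = {"hr-db-01": {"criticality": "high"}, "web-04": {"criticality": "low"}}
IDENTITIES = {"alice": {"role": "dba"}, "bob": {"role": "developer"}}
WORKING_HOURS = range(7, 19)          # assumed 07:00-18:59 UTC
RULE_ID = "AUTH-NEW-COUNTRY-001"      # constructed rule identifier


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    src_country: str
    result: str
    criticality: str = "unknown"   # filled in by enrich()
    role: str = "unknown"          # filled in by enrich()


def parse_event(line):
    """Parse one constructed log line into an Event."""
    ts_text, _, rest = line.split(" ", 2)
    fields = dict(part.split("=", 1) for part in rest.split())
    return Event(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
                 fields["user"], fields["host"], fields["src_country"], fields["result"])


def enrich(event):
    """C1 enrichment: attach asset criticality and user role from the inventories."""
    event.criticality = ASSETS.get(event.host, {}).get("criticality", "unknown")
    event.role = IDENTITIES.get(event.user, {}).get("role", "unknown")
    return event


def update_baseline(baseline, event):
    """C1 baselining: record the source countries each user successfully logs in from."""
    if event.result == "success":
        baseline[event.user].add(event.src_country)


def hunt_new_country_logins(events):
    """C2 hypothesis-driven hunt over history: 'a user who succeeds in logging in
    from a country never seen for them before may be a compromised account'.
    Events are replayed in time order so early activity seeds the baseline
    instead of triggering on itself."""
    baseline = defaultdict(set)
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.result == "success" and baseline[e.user] and e.src_country not in baseline[e.user]:
            findings.append(e)
        update_baseline(baseline, e)
    return findings


def detection_rule(event, baseline):
    """The hunt logic above, packaged as a repeatable detection that runs on each
    new event. Returns an alert dict or None. Triage severity is raised for
    high-criticality assets and out-of-hours activity (structured triage)."""
    known = baseline.get(event.user, set())
    if event.result != "success" or not known or event.src_country in known:
        return None
    score = 1 + (2 if event.criticality == "high" else 0) \
              + (1 if event.ts.hour not in WORKING_HOURS else 0)
    severity = {1: "low", 2: "medium", 3: "high", 4: "critical"}[score]
    return {"rule": RULE_ID, "user": event.user, "host": event.host,
            "role": event.role, "severity": severity,
            "reason": f"first successful login from {event.src_country}; known={sorted(known)}"}


def run_pipeline(lines):
    """Parse, enrich, baseline and detect over a batch of raw lines, in time order."""
    events = sorted((enrich(parse_event(l)) for l in lines), key=lambda e: e.ts)
    baseline = defaultdict(set)
    alerts = []
    for e in events:
        alert = detection_rule(e, baseline)
        if alert:
            alerts.append(alert)
        update_baseline(baseline, e)
    return alerts


if __name__ == "__main__":
    for alert in run_pipeline(RAW_EVENTS):
        print(alert)
```

The point of the split between `hunt_new_country_logins` and `detection_rule` is the C2 expectation that a hunt does not end with a one-off finding: the same hypothesis is re-expressed as a rule with an identifier, a severity scheme and enrichment fields, so it can be tracked, tuned and evidenced as an ongoing detection rather than a piece of analyst folklore.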
 

D1 – Response and Recovery (expanded)

Earlier frameworks focused on written plans. CAF 4.0 requires realistic, tested scenarios that include ransomware and supplier failures, with defined recovery sequences and clear communication channels. 

What to re-evaluate: Leaders should verify that backups are not just documented but operational and tested, and that suppliers are included in exercises. This aligns with a wider expectation for joint simulations and supplier-inclusive continuity testing.
 

 

Support for practical implementation 

While CAF 4.0 defines the “what”, each organisation still needs to determine the “how” in its own context. At e2e-assure, we work with government departments and critical national infrastructure organisations to interpret the framework in practice. Our teams run CAF assessments, provide NCSC-aligned recommendations, and build pragmatic improvement plans that reflect each organisation’s maturity, resources and essential functions. 

To make this more accessible, we’ve also created a high-level MDR Buyer’s Guide Checklist mapped directly to CAF 4.0. It gives public sector teams structured questions to ask when evaluating their monitoring, detection and response arrangements, such as: 

  • Do contracts include clear incident coordination and escalation paths? (CAF A4 – Supply Chain) 
  • Do they perform structured, regular threat hunting and convert findings into detections? (CAF C2 – Threat Hunting) 
  • Are response plans tested against realistic scenarios, such as ransomware or supplier outages, with lessons learned? (CAF D1 – Response and Recovery)
     

You can download the checklist here: https://e2e-assure.com/wp-content/uploads/2025/08/CAF-4.0-Aligned-MDR-Buyers-Checklist.pdf  
