The NCSC's Cyber Assessment Framework has had its most significant update in years. Here's what you need to know.
Why this update matters
For years, the Cyber Assessment Framework (CAF) has been the defining compliance benchmark for operators of essential services and public sector organisations in the UK. However, v3.2 was showing its age. Written before widespread cloud adoption, before the surge in supply chain attacks, and before threat-informed detection became the industry standard, it left gaps that neither regulators nor organisations could comfortably ignore.
CAF version 4.0, published by the National Cyber Security Centre (NCSC) in August 2025, doesn't just patch those gaps - it restructures the entire framework. This isn't a minor revision. The four objectives remain (Govern, Protect, Detect, Respond), but almost every contributing outcome beneath them has been rewritten, renumbered, or extended. For organisations in the public and regulated sectors, the clock is now ticking.
The four biggest changes in CAF v4
Governance is no longer assumed, it is examined
In previous versions of the CAF, governance controls were relatively high-level. CAF v4 introduces explicit new contributing outcomes, such as Board Direction, Roles and Responsibilities, and Decision Making, that treat board-level accountability as something that must be actively demonstrated, not simply asserted.
Two new indicators of good practice (IGPs) are particularly significant. Boards must now show that they understand how security contributes to the resilience of the essential function - not just that they have a policy. Decision-makers must also be able to justify their risk management decisions.
What this means in practice is that a CISO presenting a dashboard to the board once a quarter is no longer sufficient evidence of achieved governance. The new framework expects security to be embedded in how the organisation runs, with clear ownership, documented escalation paths, and demonstrable board understanding.
Threat intelligence is now a standalone requirement
One of the most structurally important changes is the separation of 'Understanding Threat' into its own contributing outcome. In v3.2, threat analysis was buried within the broader risk management process. In v4, it stands alone - and the expectations have been raised substantially.
To achieve this, organisations must perform detailed threat analysis specific to their essential function, understand how threats apply in the context of their sector and wider national infrastructure, and anticipate technological developments that could be used adversely against them.
In plain terms, it means that you need an active, current, sector-aware threat picture. Generic threat feeds and annual threat reviews are unlikely to satisfy this. Organisations will therefore need either dedicated threat intelligence capability or a managed service that provides it.
Risk management has become more rigorous and traceable
The risk management process contributing outcome has been tightened in several ways. Risk assessments must now explicitly account for emerging technologies, not just current systems. Security requirements produced by the risk process must be both traceable and prioritised - a meaningful change from the previous wording. And risk assessments must be 'readily updated', not just updated.
CAF v4 also introduces a genuinely forward-looking expectation that sits within the risk management process: organisations must now demonstrate they are anticipating technological developments that could be used against them, not just managing risks that are already known. Few organisations currently have formal processes for this kind of horizon-scanning, and it represents one of the more demanding additions to the framework for teams whose risk processes are built around known and documented threats.
Detection and response: the bar has risen, but the structure has improved
Objective C (Detect) has been restructured to better reflect what good security monitoring actually looks like. The old 'Proactive Attack Discovery' contributing outcome has been removed, replaced by the more mature and operationally specific 'Threat Hunting'.
The new contributing outcome explicitly requires organisations to demonstrate understanding of user and system behaviour, alongside the use of threat intelligence within security monitoring. This is UEBA, SIEM, and threat intel integration - described in framework language. Combined with expanded Personnel Skills for Monitoring and Detection, the message is clear: detection capability is now expected to be human-led, intelligence-driven, and continuously improving.
Objective D (Respond) has similarly matured. For example, organisations are now required to use incidents to drive improvements - with a structured feedback loop from post-incident analysis into security controls and processes. Incident response is no longer judged solely on speed of containment, but on whether it makes the organisation measurably better.
What an MSSP should cover - and what stays with you
We mapped our services directly against all 43 contributing outcomes in CAF v4. Here is an honest summary of where an MSSP should deliver, where it should support, and where governance remains with your organisation by design.
| Objective | Focus area | MSSP coverage potential | What this means |
| --- | --- | --- | --- |
| A – Govern | Risk management, threat understanding, supply chain, assurance | 40–45% | Governance is your responsibility, MSSP supports threat intelligence and assurance. |
| B – Protect | IAM, privileged access, vulnerability management, data protection | 45–55% | Shared responsibility. MSSP strengthens; you own the architecture decisions. |
| C – Detect | Security monitoring, threat hunting, alerting, UEBA, threat intel | 95–100% | Near-complete delivery. This should be the core of the MSSP offering. |
| D – Respond | Incident response, testing & exercising, post-incident analysis | 80–85% | The MSSP should be the primary delivery mechanism, not just offer support. |
In total, Talanos directly delivers approximately 60–65% of CAF v4 controls. Critically, we cover the controls that are hardest to build internally, most expensive to staff, and most likely to be scrutinised by regulators and assessors.
Recommended actions and next steps
Whether your organisation is preparing for a formal CAF assessment, responding to regulatory pressure, or simply trying to understand where its gaps are, here are the practical steps to take:
- Map your current state against v4. Don't assume your v3.2 assessment translates directly. The restructuring means some of your existing evidence may need to be re-categorised or supplemented.
- Identify your target maturity and make a plan. Once you know your current state, you can identify your gaps and assess what your target maturity should be. Then build a plan covering the steps you need to take over the next 12 months to get there – including quick wins and longer-term initiatives.
- Decide what to outsource. Not every control needs to be built in-house. Understanding which CAF controls can be credibly and compliantly delivered through a managed security partner is a strategic decision worth making early. For example, threat intelligence is a new, standalone requirement. If you can't point to an active, sector-relevant threat intelligence function, this is a likely gap that an MSSP can fill. Similarly, objectives concerning detection and response maturity are where most organisations will be assessed most critically - and where external managed services can close gaps quickly.
How we can help
Talanos provides a direct mapping of its services against CAF v4 controls, so you can see precisely where we deliver for your organisation and where responsibilities remain yours.
We use this in our conversations with clients as a working tool and a genuine compliance aid.
If you're facing CAF compliance pressure and want to understand your coverage position clearly and honestly, we'd welcome the conversation.
For more information on Talanos’s tiered Managed Security Operations services, visit us here.
You can read the full CAF v4 framework on the NCSC website here.