The introduction of the Cyber Assessment Framework (CAF) v4.0 by the National Cyber Security Centre (NCSC) last August has fundamentally changed the way we need to look at the cyber world. It changes how public sector bodies need to think about cyber resilience. It moves the paradigm:
CAF v4.0 is not just another pile of red tape waiting to be obeyed and the NCSC is not just a think tank with grandiose philosophical ideas. The framework is the best of current thinking from the pick of current experts in the field of cybersecurity. CAF 4.0 transforms compliance conversations into the strategic resilience actions that the NCSC and UK government policy signal as the way ahead for the coming decade.
In short, CAF is no longer just an assessment framework; it is becoming the operating system for UK public‑sector resilience.
CAF’s structure hasn’t changed. It still centres on 4 objectives and 14 principles.
In v4.0, however, the substance within those objectives has transformed to:
CAF v4.0 requires organisations to explicitly consider an attacker perspective that models likely adversaries, their capabilities, and their known tactics and techniques. This moves the framework from generic risk awareness to threat‑specific defence.
For the first time, CAF includes guidance on:
As AI becomes integral to defence and operations, CAF embeds resilience into both the models and the data ecosystems powering them.
CAF v4.0 strengthens expectations across the entire secure software development lifecycle (SDLC). Regardless of whether software is built in‑house or delivered by third parties, supply chain scrutiny is now central, not optional.
Monitoring has evolved from logging and responding to events to active hunting.
Organisations must demonstrate capability in:
The four objectives, laid out in CAF 4.0, are designed to help organisations assess and improve their cyber resilience against a range of threats, rather than just acting as a "tick-box" compliance exercise.
Objective A — Managing security risk
CAF v4.0 reinforces governance and risk accountability, including:
Objective B — Protecting against cyber attack
Strengthened expectations include:
Objective C — Detecting cyber security events
This is where v4.0 makes its biggest leap to:
Objective D — Minimising impact
CAF also reinforces the importance of:
CAF 4.0 connects operational resilience, cyber security and business continuity into a single leadership responsibility model.
Local Government: Moving to a modern, consistent approach
Local authorities are being moved away from manual, spreadsheet‑based CAF assessments to platforms that:
For councils that historically struggled with fragmented approaches and/or limited cyber capacity, CAF v4.0 creates a clearer pathway forward.
NHS & Healthcare: CAF becomes a formal requirement
The NHS is tightening expectations from the Data Security and Protection Toolkit (DSPT), with larger organisations already aligning to CAF v4.
For a sector with life‑critical systems, this raises the bar from “cyber hygiene” to measurable operational resilience.
Critical National Infrastructure (CNI): From guidance to obligation
The upcoming Cyber Security & Resilience Bill is set to change CAF from something organisations should follow to something they must follow.
Under this legislation:
In short: 2026 is the year CAF transitions from an advisory framework to a mandatory expectation across critical services and wider public‑sector bodies.
Methods has supported UK public‑sector organisations in designing and delivering resilience aligned to NCSC priorities for many years now. Our work spans:
In short, Methods acts as a “translation layer” between national priorities and actionable organisational plans.
Methods will be on hand at CyberUK2026 to host senior discussions on:
We look forward to exploring this with you at CyberUK2026, Stand F29.