CAF 4.0 is here – what does that mean for my organisation?

The UK’s National Cyber Security Centre (NCSC) launched version 4.0 of the Cyber Assessment Framework (CAF) in August. This is a major update over the previous version 3.2, which was issued in April 2024. We won’t go into the background of the CAF here – that was covered in a previous blog post. Nor will we explain the reasons for the update, as that’s been covered in the NCSC’s blog post. Instead, we’ll take a look at the changes to show the main areas of difference so that you will understand where to focus when updating your CAF assessment process to the new version.

[Diagram: relative number of changes compared with the time between CAF releases, from 3.1 to 3.2 and on to 4.0]

The diagram above shows the relative number of changes compared with the time between releases of the CAF, from 3.1 to 3.2, and on to 4.0.

The NCSC publishes a full change log on its website describing the differences between the two versions, down to the level of the Indicators of Good Practice (IGPs). It is 53 pages long, and the only way to discern the significance of a change is to read it: the log does not highlight whether an IGP has been moved to another Contributing Outcome (CO) or has merely had a minor typo fixed.

At a summary level, the changes are:

  • Three new COs, one deleted CO, and six renamed COs.
  • 107 new IGPs, and two deleted.
  • 170 reworded IGPs (of which 62 are significant changes).
  • 84 relocated IGPs (of which 43 move to different COs).
  • Two split IGPs (i.e., the text has been split to create two IGPs).
  • Two merged IGPs (both merging a ‘partially achieved’ and an ‘achieved’ IGP that had the same wording).

If you are moving from CAF 3.2 to CAF 4.0, you will want to know which areas are going to need most focus, especially if you have systems that have previously been assessed using CAF 3.2 (or earlier) and you intend to use those assessments as a starting point.

NB: The IGPs are not numbered within the CAF, although they are given numbers in the changelog. In the latter document, the IGPs have a suffix of A/PA/NA for the achievement level, followed by a reference number. These numbers are allocated sequentially for each IGP and achievement level.

Achievement-level changes

The achievement levels themselves have not changed since CAF 3.2. Only three IGPs have changed achievement level, all of which have moved from ‘Achieved’ to ‘Partially achieved’:

  • In B4.b, the sixth ‘achieved’ IGP moves to ‘partially achieved’.
  • In C1.b, the seventh ‘achieved’ IGP moves to ‘partially achieved’.
  • In C2.a, the second ‘achieved’ IGP moves to ‘partially achieved’ within C1.f.

Structural change

The most obvious change to the CAF is that it now has 41 Contributing Outcomes, up from 39 in v3.2. The two additional COs have both been added to Objective A (“Managing Security Risk”), and cover Understanding Threat (A2.b) and Secure Software Development and Support (A4.b). Those of you who are familiar with the CAF might notice that Assurance used to be A2.b; don’t worry – it’s now A2.c, and is otherwise unchanged.

In Objective B there are no changes at the CO level.

Objective C (“Detecting cybersecurity events”) is the area of most change. Principle C1 (“Security monitoring”) has been rearranged and expanded with an extra CO, whilst Principle C2 (“Threat hunting”) has been reduced to a single, clearer CO.

Within C1, many IGPs have been moved – for example, Generating alerts (C1.c) has been augmented with content from the former Monitoring coverage (C1.a) and Identifying security incidents (C1.d). A new CO, Understanding User’s and System’s Behaviour (C1.f), takes the remaining IGPs from C1.d.

By comparison, Objective D is a model of simplicity. The only change at CO level is that Incident Root Cause Analysis (D2.a) has been renamed Post-Incident Analysis.

Diving into the detail

We analysed the changes to IGP wording, and found that they fit into three categories:

  • Significant changes: the assessment against the IGP should be reviewed in light of the change, as compliance with the previous wording might no longer hold under the new wording, even where the change is a single word. There are 62 of these IGPs.
  • Clarifications: many of the IGPs in CAF 3.2 referred to the ‘essential function’. These have been updated to now specify ‘network and information systems supporting your essential function’, which is more accurate. These changes are unlikely to change your assessment against the IGP. There are 86 IGPs in this category.
  • Amendments: minor changes which do not affect the meaning of the IGP. For example, IGPs in CAF 3.2 variously referred to ‘the essential function’ and ‘your essential function’. All of these now use the latter phrasing. These changes affect 32 IGPs.

If you have previously assessed a system using CAF 3.2 and found that it meets any of the IGPs with a significant change, you will need to review these again as part of the transition to CAF 4.0. You can safely ignore the other types of change.

[Table: the three types of IGP change within Objective D]

The table above shows the three types of change within Objective D. The open squares (in the green ‘achieved’ IGPs for D2.a and D2.b) are minor amendments; the half-filled squares (both in D1.a) are clarifications; and the four solid squares (in D2.a and D2.b) are significant changes.

The distribution of the significant changes is as follows:

[Chart: distribution of the significant IGP wording changes across the CAF]

The vast majority of the IGP moves occur in Objective C, as can be seen in the diagram below. Don’t worry – you’re not supposed to be able to make sense of this!

[Diagram: IGP moves between COs, with the changed CO names shown in red down the right-hand side]

This is a consequence of the number of changed COs described in the previous section, which can be seen from the names in red down the right-hand side of the diagram.

Objective A has two IGPs that move between COs; the remainder of its changes are IGPs being renumbered within the same CO, and so have no effect on meeting your chosen CAF profile. In Objective B, two IGPs are split, and in one case this results in the rest of the IGPs at that achievement level shuffling along by one, which looks like a change but has no actual effect. No IGPs move within Objective D.

In summary

There are a lot of changes in the move from CAF 3.2 to CAF 4.0, but many of them will not affect your completion of the CAF. Objective C is where the majority of the work will be required, given that this has 73% of the significant changes to IGP wording, and 80% of the IGPs moving between COs. If you are completing a new CAF return, based on a previous version that used CAF 3.2, you should plan to have more cybersecurity monitoring staff involved in the exercise than, for example, architects, given the relative amounts of change in Objectives C and B.

Need help? Get in touch

If you need expert advice and practical help with CAF, we have a lot of experience (see our other blog posts). Please fill in the ‘contact us’ form on the site and we will be in touch ASAP!
