Threads / Cyber Assessment Framework (CAF) – NCSC Guidance Collection
Guidance Published 4 Aug 2025 Department for Energy Security and Net Zero Department for Science, Innovation and Technology Information Commissioner's Office National Cyber Security Centre Ofgem Regulatory Policy Committee ↗ View on GOV.UK

Cyber Assessment Framework (CAF) – NCSC Guidance Collection

The NCSC's primary sector-specific cyber resilience guidance framework, explicitly designed for organisations operating essential services in energy, healthcare, transport, digital infrastructure and government. It provides sector-specific profiles (Basic and Enhanced) and is directly cited in the Cyber Security and Resilience Bill policy statement as the tool supporting NIS-regulated operators; v4.0 was published August 2025.

▤ Verbatim text from source document

Cyber Assessment Framework | National Cyber Security Centre

icons/chevron/16px/black

Skip to main content

Guidance

Cyber Assessment Framework

The CAF is a collection of cyber security guidance for organisations that play a vital role in the day-to-day life of the UK, with a focus on essential functions.

Pages

Page 1 of 25

iStock.com/ThinkNeo

Cyber Security and Resilience Bill to strengthen regulation of critical sectors

The NCSC welcomes the introduction of the Cyber Security and Resilience Bill to Parliament and its potential in closing the widening gap between the cyber threats the UK faces and our ability to defend against them in critical sectors.

Read the blog

by Jonathan Ellison, NCSC Director of National Resilience exploring how the Cyber Security and Resilience Bill will support affected sectors.

Learn more

On this page:

Introduction

What is the CAF?

Who is the CAF for?

The CAF collection

Changelog, latest and previous CAF versions

Introduction

Cyber incidents can result in a number of different consequences, depending on the nature of the network and information systems targeted and intention of the perpetrators. Circumstances in which the possible consequences of cyber incidents are extremely serious or even, perhaps catastrophic, generally require very robust levels of cyber security and resilience. It is for these circumstances that the NCSC has developed the Cyber Assessment Framework (CAF) collection.

The CAF collection consists of the CAF itself together with a range of linked guidance and some background on its intended use. It is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience in relation to certain specified vitally important functions performed by that organisation, functions that are at risk of disruption as a result of a serious cyber incident.

What is the CAF?

The Cyber Assessment Framework (CAF) is a tool to help organisations assess and improve their cyber security and resilience, managing cyber risks and protecting essential services from cyber threats.

Who is the CAF for?

The CAF is primarily designed for organisations operating essential services, in sectors such as energy, healthcare, transport, digital infrastructure and government. It supports both internal assessments and external oversight bodies, helping organisations meet legal and regulatory requirements like the NIS Regulations. It does this by providing a framework for assessing how well an organisation is meeting expected cyber security and resilience outcomes described within a CAF Profile.

A CAF Profile is a target level for cyber security and resilience in response to threat actors with a particular level of attack capability. There are two types of CAF Profiles, Basic and Enhanced. The Basic Profile sets out the target level for all sectors when faced with attackers with a basic level of attack capability. This typically includes attack scenarios that would involve common cyber attacks. An Enhanced Profile is different as it is sector specific and builds upon the Basic Profile by representing a cyber security and resilience target level appropriate for situations where an organisation typically faces attackers that are more capable, better resourced and can undertake more sophisticated attacks.

The CAF collection

The CAF collection is for all organisations that are responsible for securing critical network and information systems that keep our businesses, citizens and public services protected.

More particularly:

Organisations subject to the

Network and Information (NIS) Regulations

Organisations within the UK Critical National Infrastructure (CNI)

Organisations managing cyber-related risks to public safety

Public sector organisations that support core government functions

Other organisations / sectors that may find the CAF a useful tool

It is intended that the CAF collection will be of particular interest to cyber oversight bodies, organisations (such as cyber regulators) that have responsibility for the cyber security and resilience of a sector. The CAF collection is intended to assist such organisations to carry out some of their core oversight responsibilities. Any oversight body considering the use of the CAF in their sector is invited to contact the NCSC to discuss possible additional available support through the

Support to Regulation

mailbox.

This collection contains:

An overview and introduction of the CAF collection

An introduction to the CAF including guidance on the use of the CAF

The wider context of the CAF when considering the Network and Information Systems (NIS) Regulations, CNI, how the NCSC works with cyber regulators and GovAssure

The CAF – a set of objectives and underlying principles, outcomes and indicators of good practice (IGPs)

Relevant guidance on the application of the objectives and principles

Additional linked guidance and references

Changelog, latest and previous CAF versions

The latest version of the CAF, and all previous versions are

available to download on the Changelog page

.

Links to guidance that complement the CAF have been included and can be found in the

consolidated view of CAF guidance

and in the additional information section of the individual principles.

Downloads

Pdf

615.02 KB

Cyber Assessment Framework version 4.0

Fourth iteration of the Framework used to assess the cyber security of UK CNI and related sectors

Published

Publish date

18 April 2024

Reviewed

6 August 2025

Version

4.0

Written for

Written for

Public sector

Cyber security professionals

Large organisations

Share and print this article

Share

Share

Close share options

Share on

Facebook

Share on

LinkedIn

Share on

X

Copy Link

Was this article helpful?

Yes

the article was helpful

No

the article was not helpful

Close Feedback Form

Back to top

Share

Close share options

Share on

Facebook

Share on

LinkedIn

Share on

X

Copy Link

Also see

Blog Post

Publish date

6 Aug 2025

Cyber Assessment Framework v4.0 released in response to growing threat

Updates to the CAF helps providers of essential services to better manage their cyber risks.

Blog Post

Publish date

30 Oct 2024

Cyber Resilience Audit (CRA) scheme launches for assured CAF-based audits

NCSC-assured CRA service now offering Cyber Assessment Framework based audits and more applications invited from potential service providers.

Blog Post

Publish date

15 Aug 2024

Cyber Resilience Audit scheme open to applications

A new NCSC scheme assuring providers of CAF-based audits is now open for potential members.