Aug 2025
CAF 4.0 Summer 2025 release – what’s new?
As part of the National Cyber Security Centre's (NCSC) commitment to review the CAF every 12 to 24 months, adding new and updated security controls in line with the shifting threat landscape, the latest major revision (version 4.0) was released on Wednesday 6 August 2025.

Associate Director - Cyber
Our specialists have been briefed on the major changes, and we expect these to be integrated into a range of regulatory audits from 2026 onwards.
There are four major changes in the latest CAF update; read about them below or hear from our expert here.
- Understand the threat landscape
A new contributing outcome titled 'Understanding Threat' places greater emphasis on threat analysis activities, specifically threat intelligence and threat modelling.
The new control obliges organisations not only to proactively evaluate their threat landscape, but also to feed the results into their risk management approach, so that cyber resilience plans are based on a true understanding of the threats the organisation may encounter.
- A focus on secure software development lifecycle
A new contributing outcome titled 'Secure Software Development and Support' has been added, focused on securing the software development lifecycle for both internally developed and externally procured software.
The control requires organisations that develop software internally to embed security throughout the development process, including testing prior to deployment and appropriately securing source code repositories. Organisations that procure rather than develop software must obtain assurance that their suppliers have implemented appropriate security controls in their own development processes.
This update aligns the CAF with best practice in industry-recognised frameworks such as ISO 27001 and NIST CSF 2.0, and reflects the rise in recent years of significant cyberattacks that began with the exploitation of software vulnerabilities, particularly vulnerabilities exposed on public-facing networks.
- Additional requirements across threat hunting
To emphasise the importance of effective security monitoring, a new contributing outcome titled 'Understanding User's and System's Behaviour, and Threat Intelligence (within Security Monitoring)' has been added. It requires organisations both to integrate and make effective use of threat intelligence within security monitoring, and to understand normal user and system behaviour well enough that anomalous activity can be readily identified.
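As an added illustration of the behaviour baselining and threat-intelligence integration described above (this is not code from the original article, from Waterstons or from the CAF itself), the following Python script builds a per-user profile of source IPs and logon hours from a baseline period, then flags new logons that match a threat-intelligence indicator or fall outside that profile. The key=value log format, the sample log lines, the user names and the indicator list are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication logs in a simple key=value format assumed
# for this example (not taken from any real product or system).
BASELINE_LOGS = [
    "2025-08-01T09:05:00Z user=alice src=203.0.113.10 result=success",
    "2025-08-02T08:55:00Z user=alice src=203.0.113.10 result=success",
    "2025-08-03T17:40:00Z user=alice src=203.0.113.11 result=success",
    "2025-08-01T13:10:00Z user=bob src=192.0.2.25 result=success",
    "2025-08-02T14:20:00Z user=bob src=192.0.2.25 result=success",
    "2025-08-02T14:21:00Z user=bob src=198.51.100.9 result=failure",  # failures do not shape the baseline
]
NEW_LOGS = [
    "2025-08-06T09:12:00Z user=alice src=203.0.113.10 result=success",   # usual IP, usual hour
    "2025-08-06T13:40:00Z user=bob src=192.0.2.25 result=success",       # usual IP, usual hour
    "2025-08-06T03:30:00Z user=alice src=203.0.113.10 result=success",   # usual IP, 03:30 is unusual
    "2025-08-06T14:05:00Z user=bob src=198.51.100.7 result=success",     # known-bad IP, new to bob
    "2025-08-06T14:06:00Z user=carol src=198.51.100.7 result=failure",   # known-bad IP, failed logon
    "this is not a log line",                                           # malformed, skipped
]
# Constructed threat-intelligence feed: a single IP indicator.
THREAT_INTEL_IPS = {"198.51.100.7"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def build_baseline(lines):
    """Per-user profile of source IPs and logon hours, built from successful logons only."""
    profiles = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        profiles[ev["user"]]["srcs"].add(ev["src"])
        profiles[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(profiles)


def hour_is_usual(hour, usual_hours, tolerance=1):
    """True if `hour` is within `tolerance` hours of any baseline hour, wrapping at midnight."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance for h in usual_hours)


def detect(lines, baseline, ioc_ips):
    """Return one alert per event that matches an indicator or deviates from the user's baseline."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = []
        # Threat-intel integration: any event, successful or not, from a known-bad source.
        if ev["src"] in ioc_ips:
            reasons.append("source IP matches threat-intel indicator")
        # Behavioural checks: only successful logons are compared against the baseline,
        # since failed attempts from unknown sources are routine noise.
        if ev["result"] == "success":
            profile = baseline.get(ev["user"])
            if profile is None:
                reasons.append("no baseline for user")
            else:
                if ev["src"] not in profile["srcs"]:
                    reasons.append("source IP not in user baseline")
                if not hour_is_usual(ev["ts"].hour, profile["hours"]):
                    reasons.append("logon hour outside user baseline")
        if reasons:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_LOGS, build_baseline(BASELINE_LOGS), THREAT_INTEL_IPS):
        print(alert)
```

Run against the constructed data, the script raises three alerts: alice's 03:30 logon (unusual hour), bob's logon from the indicator IP (indicator match and an IP never seen for bob) and carol's failed attempt from the same IP (indicator match only, because behavioural checks are not applied to failures). Each alert carries the specific expectation that was broken, which is what an analyst needs in order to triage quickly; in a real deployment the baseline window, the hour tolerance and the attributes profiled (device, geolocation, service) would be tuned to the environment.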
- Artificial Intelligence (AI) considerations
While CAF 4.0 does not include a dedicated control on AI, references have been added to existing controls. Within 'Secure by Design', a new requirement has been added for organisations to ensure appropriate controls and governance are in place wherever automated decision-making technologies are used, and 'Risk Management' requires organisations to anticipate and consider the risks posed by technological developments such as AI.
Additional minor updates include definition updates to the ‘Indicators of Good Practice’.
Full information on the CAF update can be found on the NCSC website here.
Getting support to adopt CAF
Waterstons is an NCSC assured consultancy, and we regularly provide support to regulated industries to design, implement and test security controls, and align with best practices outlined within the CAF.
Several of the team hold a Chartership in Cyber Audit and Assurance, and we ensure that we always adopt a pragmatic and value-focussed approach to all our audit engagements.
If you’d like to discuss your CAF requirements with the team, please reach out: cyber@waterstons.com