
National Cyber Security Centre - Cyber Assessment Framework (CAF)

Disclaimer: Organizations are not required by law to comply with this document unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. This document does not override any obligations imposed by legislation or law. Furthermore, if this document conflicts with legislation or law, the latter takes precedence. 

The NCSC is the United Kingdom's (UK) national technical authority for information assurance, providing advice and guidance on cybersecurity. In alignment with the UK Government's National Cyber Strategy 2022, CAF 4.0 (released in August 2025) consists of a set of cyber security and resilience principles, together with guidance on using and applying those principles. The Cyber Assessment Framework (CAF), as defined by the NCSC, aims to improve the security of network and information systems across the UK, with a particular focus on essential functions which, if compromised, could cause significant damage to the economy, society, the environment, and individuals' welfare, including loss of life.

Historically, protective monitoring for UK government systems was governed by Good Practice Guide 13 (GPG 13), which prescribed a very specific set of controls; GPG 13 has since been withdrawn. The NCSC seeks to be a single point of reference for cybersecurity guidance and support, providing resources that help an organization secure its environment according to its specific business. The CAF is the more flexible, outcome-based successor to what was once a very prescriptive set of controls.

The LogRhythm NCSC module is organized around the four (4) CAF objectives and fourteen (14) principles. LogRhythm has aligned a set of rules, alarms, reports, and investigations with those principles to help customers evidence the controls they are likely to already have in place.

CAF Objectives and Principles

Objective A: Managing Security Risk

A.1 Governance

Putting in place the policies and processes which govern your organization's approach to the security of network and information systems.

A.2 Risk Management

Identification, assessment and understanding of security risks, and the establishment of an overall organizational approach to risk management.

A.3 Asset Management

Determining and understanding all systems and/or services required to maintain or support essential functions.

A.4 Supply Chain

Understanding and managing the security risks to networks and information systems which arise from dependencies on external suppliers.

Objective B: Protecting Against Cyber Attack

B.1 Service Protection Policies, Processes, and Procedures

Defining and communicating appropriate organizational policies and processes to secure systems and data that support the operation of essential functions.

B.2 Identity and Access Control

Understanding, documenting and controlling access to networks and information systems supporting essential functions.

B.3 Data Security

Protecting stored or electronically transmitted data from actions that may cause an adverse impact on essential functions.

B.4 System Security

Protecting critical network and information systems and technology from cyber attack.

B.5 Resilient Networks and Systems

Building resilience against cyber attack.

B.6 Staff Awareness and Training

Appropriately supporting staff to ensure they make a positive contribution to the cyber security of essential functions.

Objective C: Detecting Cybersecurity Events

C.1 Security Monitoring

Monitoring the security status of network and information systems supporting the operation of essential functions.

C.2 Threat Hunting

Seeking to detect adverse activity affecting the operation of essential functions.

Objective D: Minimizing the Impact of Cybersecurity Incidents

D.1 Response and Recovery Planning

Putting suitable incident management and mitigation processes in place.

D.2 Lessons Learned

Learning from incidents and implementing these lessons to improve the resilience of essential functions.


The LogRhythm platform enables your organization to meet many NCSC CAF guidelines by collecting, managing, and analyzing log data. LogRhythm AI Engine (AIE) rules, alarms, reports, investigations, and general SIEM functionality also help your organization satisfy certain IT security elements outlined by NCSC CAF.

LogRhythm understands that organizations may be at different points of compliance maturity; the NCSC CAF module is intended to assist organizations in implementing the appropriate level of security controls, whether they are just starting to evaluate CAF for their cybersecurity needs or have been using it for years. LogRhythm supports many of the NCSC CAF objectives directly and decreases the cost of meeting others through pre-built content and functionality. Advanced LogRhythm functionality such as NetMon, TrueIdentity, SysMon, Threat Research content like MITRE ATT&CK, and Case Management can complement the pre-built content to better support an organization's compliance efforts.

IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly, and the task of organizing this information can be overwhelming. The added requirement to analyze and report on that log data makes manual processes or homegrown tooling inadequate and cost-prohibitive for many organizations. LogRhythm delivers log collection, archiving, and recovery across the entire IT infrastructure and automates the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm's alerting capabilities automatically identify the most critical issues and notify relevant personnel. The NCSC CAF module and associated reporting package work out of the box, with some customization available. Using the NCSC CAF module assists in building and maintaining a sound compliance program.

CAF 3.2 to 4.0 Migration Guide

This section provides guidance on how to migrate the LogRhythm CAF 3.2 Knowledge Base module to be CAF 4.0 ready. Complete the NCSC User Guide first; this section assumes you already have a LogRhythm environment configured for CAF 3.2 before migrating the module to CAF 4.0.

The CAF 4.0 framework was released in August 2025.

CAF 4.0 Migration at a Glance

Take the following steps to ensure you are ready for CAF 4.0:

  1. Ensure the LogRhythm Knowledge Base is updated to the latest version with the NCSC Knowledge Base items installed (see the NCSC User Guide).

  2. Select the corresponding AI Engine Rules, Investigations, Reports and Reporting Packages from the tables on their respective pages, and clone the designated compliance rules with the appropriate NCSC CAF 4.0 mappings applied.

  3. Create playbooks from the list of recommended playbooks below to ensure you can meet the newer requirements added in CAF 4.0.

Notable Changes in CAF 4.0

  • A2.b – Understanding Threat (new)

  • A4.b – Secure Software Development & Support (new)

  • C1.f – Behavior & Threat Intelligence Integration (new)

  • C2.b – Threat Hunting (rewritten & expanded)

  • D1 – Response & Recovery (strengthened)

  • AI risk expectations (embedded across outcomes)

  • Multiple clarified controls with removal of overlapping controls from CAF 3.2

  • Greater emphasis on playbooks, since assessors expect validation to be demonstrated rather than only reported

When preparing to migrate to CAF 4.0 configurations, the primary focus is on playbooks, because auditors now require proof of validation through demonstration, not just reporting. The Knowledge Base items from the NCSC User Guide can be cloned with the new mappings shown in the AI Engine Rules, Investigations, and Reports/Reporting Packages tables to support CAF 4.0.

Recommended Playbooks

Since playbooks are the major focus in meeting CAF 4.0 requirements, the table below shows which revised controls benefit most from which types of playbook.

Revised Requirement        | Required Playbook(s)
A2.b Understanding Threat  | Threat modelling & TI ingestion playbook
A4.b Secure SDLC           | CI/CD monitoring, supply-chain integrity, code repo anomaly playbooks
C1.f Behavior + TI         | UEBA behavior baselining, anomaly triage, TI-integrated monitoring
C2.b Threat Hunting        | Structured TTP hunt playbook, documented hunting lifecycle
D1 Response & Recovery     | IR & recovery workflows including suppliers; tabletop exercises
AI-related risks           | AI anomaly detection & investigation playbook

NCSC CAF Module Cloning Guidance

Ensure the LogRhythm Knowledge Base is up to date and the NCSC CAF module is enabled. Then, to update the LogRhythm NCSC CAF rules to support CAF 4.0, identify the Knowledge Base items listed in the AI Engine Rules, Investigations, and Reports/Reporting Packages tables that are relevant to your organization and apply the new mappings indicated there.


This document is divided into the following sections:
