NEWSLETTER

Nothing Stands Still: Navigating the CAF 4.0 Transition for Local Government

Steve Macmillan

The Ministry of Housing, Communities and Local Government (MHCLG) recently announced that for 2026 they will be focusing on evolving the Cyber Assessment Framework (CAF) for Local Government user journey, making it easier and quicker to complete CAF assessments. This includes introducing a secure user-friendly web application to replace the existing self-assessment spreadsheets and submission tool.

In the same announcement they also confirm they will be transitioning from CAF version 3.2 to version 4.0. Version 4.0 was released by National Cyber Security Centre (NCSC) in August 2025 and includes updates that reflect the evolving cyber threat landscape.

Four key areas of change are: 

  • A new section on building a deeper understanding of attacker methods and motivations to inform better cyber risk decisions.
  • A new section on ensuring software used in essential services is developed and maintained securely.
  • Updates to the section on security monitoring and threat hunting to improve the detection of cyber threats.
  • Improved coverage of AI-related cyber risks throughout the CAF.

NCSC are already looking ahead to future iterations of the CAF, ensuring that it keeps pace with the regulatory proposals within the new Cyber Security and Resilience Bill, so one should expect further framework changes in the future once the bill concludes its parliamentary journey.

Click here to see how Policy Management as a Service helps councils align their policies with the Cyber Assessment Framework.

What Does This Mean For Council Organisations?

In the short-term, CAF version 3.2 remains current; as CAF version 4.0 is based on the same principles as 3.2 the transition will be based on the work councils have already done.

The CAF record of changes document published by NCSC comprises of 53 pages so at some point in the transition from the old to new it will be necessary to bring stakeholders together to work through this material and align internal cyber and information security programmes.

There will also be a requirement to review and update existing policies and procedures to ensure they align with the new and adjusted principles, contributing outcomes and indicators of good practice.

How We Help

At Protocol Policy Systems, we make the CAF alignment process easier for councils. Our Policy Management as a Service offering provides IT policy content mapped directly to contributing outcomes of the four CAF objectives – helping you gather evidence in compliance with your IT policy content that is mapped to CAF statements.

Ongoing assistance with existing and new policy and standards content is a key part of our service. This means customers can be assured their policies will continue to be fit for purpose even though nothing stands still.

In the case of the CAF transition we provide an online option to very quickly and efficiently determine:

  • How changes between versions of the framework impact existing polices.
  • Any policy content that requires review, along with revised wording choices.
  • New additional policy statement content that may be required

Click here to view our video on PMaaS support for the CAF for Local Government.

< IT Policy as a Strategic Enabler: Lifecycle Management, Accountability, and Future-Proofing

The People, Process, Technology Combination >

PROTOCOL POLICY SYSTEMS

Contact Us Today

Fill in the form or call us on (UK) +44 845 241 0099 or (NZ) +64 9 570 2233