As cyber attackers increasingly exploit remote connections and supply chain gaps, the UK’s Cyber Assessment Framework (CAF) 4.0 is setting a new standard for cybersecurity resilience.
Released by the National Cyber Security Centre (NCSC) on August 6, 2025, CAF 4.0 significantly strengthens requirements for remote access, identity, and supply chain controls. Because these changes will impact how regulators assess cyber readiness moving forward, now is the time for leaders in IT, operations, and compliance across the UK’s critical sectors to ensure their access and security policies meet the latest standards.
In this blog we'll explore how CAF has changed, how it impacts your industry, and actionable steps to align with CAF 4.0 — starting with remote access.
CAF 4.0 is the baseline for cybersecurity assessments in the UK starting in 2025, with specific compliance requirements varying by sector. For instance, the energy industry may emphasize OT system isolation, while the healthcare sector might prioritize data protection.
The Cyber Security and Resilience Bill, expected in late 2025, extends NIS Regulations to new sectors like cloud providers, managed service providers (MSPs), and data center operators, requiring them to adopt CAF 4.0’s remote access and supply chain controls. Organizations must consult their sector regulator (for instance, Ofgem or Ofwat) for timelines, as enforcement is expected to increase in 2026. Proactive compliance adherence demonstrates readiness and builds trust with regulators and stakeholders.
CAF 4.0 covers far more than just secure remote access; the update also tightens requirements for secure software lifecycle management, enhanced threat detection, and AI-related cyber risks.
So, why tackle secure remote access first? Prioritizing a remote access strategy that meets CAF 4.0 guidance makes it easier to extend access governance to on-prem and cloud workloads, to layer in monitoring, alerting, and incident response tooling, and to achieve deeper compliance with later-phase CAF principles like data protection, business continuity, and user training.
Organizations can use NCSC’s CAF 4.0 resources to develop a roadmap for reaching full compliance.
| Control Area | CAF 3.2 (Before) | CAF 4.0 (After) |
|---|---|---|
| MFA for Remote Access | Required for privileged users and high-risk access. Standard user MFA was recommended but often risk-based. | MFA is strongly mandated for all users accessing systems supporting essential functions, with organizations expected to justify any deviations based on risk assessments. |
| Privileged Access Workstations (PAWs) | Recommended but flexible. Use of secure admin workstations encouraged but not mandated for all sectors. | Privileged actions should be performed on corporately owned, managed, and hardened devices, with robust controls required for alternative devices. |
| Internet Isolation for Essential Systems | Network segregation was advised; internet exposure allowed with compensating controls in some sectors. | Direct internet access to essential function systems must be minimized, with network segmentation and strict controls required to limit exposure. |
| Use of Shared or Generic Accounts | Shared accounts discouraged but could be tolerated with compensating controls (e.g., enhanced logging). | All remote access should use named, individual user accounts with full traceability, with organizations justifying any exceptions. |
| Remote Third-Party Access Control | Sector-specific practices varied. Suppliers' remote access security often left to contractual agreements. | Third parties must follow the same access control standards as internal users, enforced via contracts. |
In most organizations, remote access isn’t granted only to internal staff. External, third-party vendors and contractors also connect remotely in order to perform equipment maintenance and other crucial tasks. In fact, recent research from Cyolo shows that manufacturers are much more likely to enable remote access to OT environments for third-party vendors (88%) than internal employees (54%).
The convenience of remote access is clear, but allowing third parties – who typically are not bound by company security policies and may be unfamiliar with security best practices – to connect remotely without the proper controls in place can expose organizations to serious risk.
Recognizing this risk, CAF 4.0 requires active management of dependencies on third-party vendors and service providers. This principle is reinforced by the upcoming Cyber Security and Resilience Bill, which will mandate supply chain security for critical sectors.
Key expectations:

- Critical suppliers (IT service providers, OT maintenance vendors, software suppliers, etc.) must adhere to the same identity, device, and remote access controls as internal staff.
- Organizations must maintain a clear inventory of suppliers with access to systems supporting essential functions.
- Contractual clauses must enforce security requirements, including multifactor authentication (MFA), corporate-managed devices, and incident reporting obligations, as emphasized by the Cyber Security and Resilience Bill. Zero-trust platforms can streamline secure third-party access with features like identity-based authentication and vendor session monitoring.
- Supply chain risks must be assessed continuously; vetting a supplier once at the start of the relationship is no longer enough.
So, what does this all mean in practice? To meet CAF 4.0 obligations, organizations will need to update supplier agreements, implement new onboarding procedures, and regularly reassess who is allowed remote access to critical environments.
1. Conduct a Remote Access Audit: Identify all access points, including VPNs, RDP, and third-party portals. Document user roles, devices, and authentication methods.
2. Deploy MFA Solutions: Implement MFA solutions that are compatible with both IT and OT systems.
3. Procure Hardened Devices: Source corporately managed devices (for example, hardened laptops with trusted platform modules) for privileged access. Refer to NCSC's device security guidance for configuration standards.
4. Phase Out Shared Accounts: Transition to named accounts using identity management platforms. Implement logging to ensure traceability, as per NCSC's logging guidance.
5. Update Supplier Contracts: Include CAF 4.0-compliant clauses in vendor agreements, specifying MFA, device standards, and incident reporting. Use NCSC's supply chain security toolkit for contract templates.
6. Address Legacy System Challenges: Recognize that legacy systems may lack modern security features like MFA support or network segmentation. Use zero-trust platforms and advanced secure remote access solutions like Cyolo PRO (Privileged Remote Operations) to overlay security controls, conduct phased upgrades, or implement compensating controls to align with CAF 4.0.
7. Engage Regulators Early: Contact sector regulators for CAF 4.0 assessment criteria and timelines. Join NCSC's Early Warning service for real-time threat updates.
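The remote access audit in step 1 and the third-party expectations above (same controls for suppliers as for internal staff, a maintained supplier inventory, justified exceptions only) can be turned into a repeatable check. The script below is an added example, not NCSC guidance or Cyolo's product code: it evaluates a constructed remote access inventory against the five control areas in the CAF 3.2 vs CAF 4.0 comparison table, separates undocumented gaps from documented, risk-accepted exceptions, and derives the supplier inventory from the grants. The `AccessGrant` fields, the control-area labels, and every system and supplier name in the sample data are assumptions made for the illustration.

```python
"""Audit a remote access inventory against the CAF 4.0 control areas.

Added example: this is not NCSC or Cyolo code. The AccessGrant fields,
the control-area names and the sample inventory are assumptions constructed
to mirror the comparison table and the third-party expectations above.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (grant id, control area, "gap" or "exception", detail)
Finding = Tuple[str, str, str, str]


@dataclass
class AccessGrant:
    """One remote access path into a system supporting an essential function."""
    grant_id: str
    account: str
    account_type: str          # "named" or "shared"
    principal_type: str        # "internal" or "third_party"
    supplier: str              # supplier name for third parties, "" for internal staff
    privileged: bool
    mfa_enforced: bool
    device_managed: bool       # corporately owned, managed and hardened device
    path: str                  # "vpn", "rdp", "vendor_portal", ...
    target: str
    target_internet_exposed: bool
    contract_enforces_controls: bool = True   # only meaningful for third parties
    justification: str = ""    # documented, risk-based reason for any deviation


def audit_grant(g: AccessGrant) -> List[Finding]:
    """Return one finding per CAF 4.0 control area the grant deviates from.

    CAF 4.0 allows justified deviations, so a deviation with a documented
    justification is reported as an "exception"; one without is a "gap".
    """
    findings: List[Finding] = []
    status = "exception" if g.justification.strip() else "gap"

    def flag(control: str, detail: str) -> None:
        findings.append((g.grant_id, control, status, detail))

    if not g.mfa_enforced:
        flag("MFA for Remote Access", f"{g.path} access by {g.account} has no MFA")
    if g.privileged and not g.device_managed:
        flag("Privileged Access Workstations",
             f"privileged access to {g.target} from an unmanaged device")
    if g.target_internet_exposed:
        flag("Internet Isolation for Essential Systems",
             f"{g.target} is directly reachable from the internet")
    if g.account_type == "shared":
        flag("Use of Shared or Generic Accounts",
             f"shared account {g.account} breaks per-user traceability")
    if g.principal_type == "third_party" and not g.contract_enforces_controls:
        flag("Remote Third-Party Access Control",
             f"contract with {g.supplier} does not enforce the internal access standard")
    return findings


def audit_inventory(grants: List[AccessGrant]) -> Tuple[List[Finding], List[str]]:
    """Audit every grant and build the supplier inventory CAF 4.0 asks for."""
    findings = [f for g in grants for f in audit_grant(g)]
    suppliers = sorted({g.supplier for g in grants if g.principal_type == "third_party"})
    return findings, suppliers


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count undocumented gaps versus documented, risk-accepted exceptions."""
    return {
        "gaps": sum(1 for f in findings if f[2] == "gap"),
        "exceptions": sum(1 for f in findings if f[2] == "exception"),
    }


# Constructed sample inventory (hypothetical systems and suppliers).
SAMPLE_INVENTORY = [
    AccessGrant("G1", "alice", "named", "internal", "", True, True, True,
                "vpn", "historian-01", False),
    AccessGrant("G2", "bob.acme", "named", "third_party", "Acme Maintenance", True,
                False, False, "vendor_portal", "plc-gateway-02", False,
                contract_enforces_controls=False),
    AccessGrant("G3", "ot-operator", "shared", "internal", "", False, True, True,
                "rdp", "hmi-03", True,
                justification="legacy HMI; compensating controls: session recording, "
                              "supervised access, phase-out planned"),
    AccessGrant("G4", "carol.nw", "named", "third_party", "Northwind Controls", False,
                True, True, "vpn", "eng-workstation-07", False),
]


if __name__ == "__main__":
    found, supplier_list = audit_inventory(SAMPLE_INVENTORY)
    print("Suppliers with access to essential-function systems:", supplier_list)
    for grant_id, control, status, detail in found:
        print(f"[{status.upper():9}] {grant_id} {control}: {detail}")
    print(summarize(found))
```

Run against a real inventory, the "gap" lines are the items that need either remediation or a written, risk-based justification before an assessment, while the "exception" lines are the deviations a regulator will expect to see documented alongside their compensating controls.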
Cyolo PRO (Privileged Remote Operations), a remote privileged access solution built to meet the unique needs of OT environments, helps organizations streamline CAF 4.0 compliance.
Cyolo PRO enables identity-based access and MFA for both modern and legacy systems, as well as zero-trust connectivity and privileged access controls for third parties and other high-risk users. With Cyolo PRO, organizations can ensure safe, secure, and seamless access to critical assets, in alignment with CAF 4.0 and other security regulations.
In contrast to legacy secure remote access (SRA) solutions like VPNs and jump servers, which offer minimal post-access visibility, Cyolo PRO provides full control for the duration of each connection, including third-party connections. Key controls include supervised access, session recording, restrictions on potentially risky actions like copy/paste, and the ability to disconnect a user in real time if suspicious behavior is detected.
With these essential controls, plus a fast and easy deployment model that does not require network changes or downtime, Cyolo PRO helps organizations operating essential services to achieve and maintain CAF 4.0 compliance – all without undergoing a complex, costly, and risky infrastructure overhaul.
- NCSC CAF 4.0 Guidance: www.ncsc.gov.uk/collection/caf
- Supply Chain Security Toolkit: www.ncsc.gov.uk/collection/supply-chain-security
- Cyber Essentials for Basic Controls: www.ncsc.gov.uk/cyberessentials
- NCSC Early Warning Service: www.ncsc.gov.uk/service/early-warning
- Cyolo website: www.cyolo.io