May 4, 2026

NCSC CAF for public sector suppliers: passing the assessment in 2026

A central government tender lands on your desk. The cyber requirement section names the NCSC Cyber Assessment Framework. The deadline is short, the buyer wants a self-assessment against a profile, and the contract owner needs the evidence pack signed off before commercial terms are even discussed. Public sector revenue is on the table and the procurement gate is the only thing standing between forecast and contract.

This is the buyer moment that NCSC CAF triggers most often for technology suppliers in 2026. It is distinct from the NHS DSPT route, which uses a CAF-aligned overlay specific to health and care providers and their suppliers (covered in the DSPT to CAF guide). This piece is for suppliers facing CAF in central government, in critical national infrastructure, in the NHS as a supplier to an OES-designated provider, or as a candidate Operator of Essential Services in their own right.

The framework is now on v4.0, though suppliers to the NHS and MOD should note their current toolkits (DSPT v8 / CSMv4) are explicitly mapped to CAF v3.4 outcomes.

The CAF requirement on your tender, decoded

A public sector tender will phrase the CAF requirement in one of four ways.

The buyer asks for a CAF self-assessment against a named profile. This is the most common phrasing in central government direct contracts. The profile is set by the department in consultation with NCSC and the Government Security Group, and the supplier returns a scored evidence pack.

The buyer asks for "alignment to CAF principles" with a specific list of principles called out. This is the lighter-touch version, often used in arm's length bodies or local government. The supplier demonstrates the listed principles through evidence references, not through full scoring against the indicators of good practice (IGP) tables.

The buyer specifies CAF-aligned evidence as part of a wider supplier security pack. This is common in framework awards on Crown Commercial Service and in NHS Shared Business Services. Cyber Essentials is the gateway and CAF sits above it.

For OES applications under the NIS Regulations, the competent authority commissions independent assessment directly. The supplier does not choose the assessment route; the regulator does.

Each phrasing carries a different evidence threshold and a different submission route. Reading the cyber clause carefully on the day the tender lands sets the timetable for everything that follows.

Inside the framework: four objectives, fourteen principles, 39 outcomes

The Cyber Assessment Framework is published as four objectives. Objective A covers managing security risk. Objective B covers protecting against cyber attack. Objective C covers detecting cyber security events. Objective D covers minimising the impact of incidents.

Beneath the objectives sit fourteen principles, each one a single-sentence outcome statement. Beneath the principles sit 39 contributing outcomes, and each contributing outcome carries its own table of IGPs. The IGP table is read as a rubric. The supplier scores each contributing outcome as Achieved, Partially Achieved, or Not Achieved, supported by evidence.

CAF assesses outcomes in operational practice. The assessor reads the IGP table as a rubric and asks whether evidence drawn from how the organisation actually runs supports the outcome. A documented policy that nobody references in incident handling will score Partially Achieved on the contributing outcome that requires response procedures to work under pressure.

For a tech supplier, the practical breakdown looks like this. Objective A is policy, governance, the risk register and supply-chain controls, mostly documentary. Objective B carries the largest single evidence haul: identity and access, data, system hardening, network segmentation, training. SMEs without a SIEM or external SOC tend to score lowest on Objective C, security monitoring and detection. Objective D, response and recovery, is often under-evidenced because the plan exists on paper, but has never been tested.

CAF v4.0 added more than 100 new IGPs on top of the v3.2 baseline. The biggest changes affect secure software development, AI-related cyber risk, and security monitoring. Suppliers shipping AI-enabled functionality into a public sector buyer should expect questions on AI risk governance that did not appear in earlier assessments.

Profile vs profile: GovAssure Baseline, Enhanced, and what CNI suppliers face

Profiles set the bar. The same contributing outcome can be required at one IGP level for a Baseline submission and a higher IGP level for an Enhanced one.

Two profiles operate under the GovAssure programme for central government departments. Baseline assumes a threat may be detected later in the attack chain, possibly through third-party notification. Enhanced assumes elevated threat, sensitive data, multi-site exposure, or national security relevance, and requires earlier detection together with stronger system-level protection.

Profile assignment is determined in discussion between the department, the Government Security Group, NCSC and Cabinet Office. Critical-function central government departments were expected to meet the Enhanced profile by 2025; all central government departments to meet their designated profile by 2026.

For OES under the NIS Regulations 2018, NCSC publishes generic CAF profiles in the v4.0 documentation. The competent authority for each sector decides which profile applies and how it is assessed. Energy, transport, water, health and digital infrastructure each carry their own competent authority and their own thresholds.

Tech suppliers selling into a CNI buyer rarely become an OES themselves. They are pulled into the assessment scope as part of the OES's supply chain. Objective A4 (supply chain) and Objective B (technical controls inherited by the buyer) are usually where the supplier's evidence is examined.

Where CAF appears in 2026 procurement

Cyber Essentials remains a mandatory requirement on every G-Cloud framework iteration, including G-Cloud 15. CAF is not currently a blanket G-Cloud requirement, but it is now standard in central government direct contracts where cyber risk is material, in CNI tenders, and in NHS contracts above the DSPT threshold via the CAF-aligned overlay.

The places suppliers most often encounter CAF in 2026 are central government direct contracts where the buyer's own GovAssure scope brings CAF expectations down the supply chain; NHS contracts where the trust, ICB or arm's length body is in DSPT v8 scope, with the supplier's evidence flowing through the toolkit but scored against CAF; CNI tenders in energy, water, transport and digital infrastructure where OES procurement clauses cascade CAF requirements to suppliers; and MoD prime supply chains where a CAF-aligned response complements the defence requirements covered in the MOD Secure by Design guide.

DSPT v8 became CAF-aligned for NHS trusts, ICBs, CSUs and DHSC arm's length bodies in September 2024, and for independent providers designated as OES alongside genomics organisations in September 2025. The DSPT v8 deadline is 30 June 2026.

A current CAF response opens all four routes. The same evidence pack feeds the next tender and the one after that.

The Cyber Security and Resilience Bill: what changes for suppliers

The Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 is currently before Parliament. It was introduced to the Commons on 12 November 2025, had its Second Reading on 6 January 2026, and the Public Bill Committee reported by 5 March 2026. As of late April 2026 the Bill is awaiting Report stage. It has not yet received Royal Assent and is not yet in force. A separate Naq piece tracks the parliamentary timeline.

The Bill amends the NIS Regulations 2018. Scope is widened to include managed service providers and certain data centres, bringing many B2B SaaS firms inside the OES regime for the first time. Incident-reporting thresholds are revised, with shorter notification windows in some categories. Regulator powers and financial penalties are strengthened (House of Commons Library briefing CBP-10442).

Implementation will be phased. Full force is not anticipated until 2028. Suppliers with public sector pipelines should track the Bill now. A buyer can specify CAF readiness against the expanded scope today, even before the Act is in force, and several already do.

The evidence gaps that derail SME suppliers

The failure modes for SME tech suppliers are predictable.

A4 supply chain. The supplier has a vendor list. Evidence that vendor cyber risk has been actively assessed is often missing. Contracts include a security clause, but no controller has reviewed the vendor against it.

B2 identity and access. Admin accounts on shared credentials, no privileged access management tool, no biannual review of admin rights. CAF wants evidence of how privileged access is granted and removed across the lifecycle.

B5 resilient networks and systems. SME tech estates often run flat, with limited or ineffective segmentation between corporate, development, and production environments. CAF asks for evidence that segmentation exists and is enforced.

C1 security monitoring. SMEs without a SIEM or an external SOC service score Not Achieved on monitoring more than any other contributing outcome. Cyber Essentials does not require continuous monitoring. CAF does. This single gap is the most common reason an otherwise strong submission scores below profile.

D1 response and recovery. The plan exists. The plan has not been tested. CAF wants evidence of the test, the lessons, and the updated plan that incorporated them.

AI risk governance. New in v4.0. Suppliers building or deploying AI in their service stack now need evidence of AI-specific risk assessment. This catches firms that added AI features in the last twelve months without updating their risk register.

Software supply chain security. Also new in v4.0. Software bill of materials, dependency scanning, secure development lifecycle evidence. CAF expects this for any supplier whose service is essential to the buyer's operations.

Reusing your ISO 27001 and Cyber Governance Code evidence

Holding ISO 27001 does not automatically pass CAF. CAF assesses outcomes; ISO certifies a control set. The underlying evidence transfers across with mapping. A supplier with ISO 27001 certification, Cyber Essentials Plus and a current UK GDPR posture starts a CAF response with most of Objective A and a working majority of Objective B already documented.

The reusable map looks like this:

| CAF area | ISO 27001:2022 Annex A | Cyber Governance Code Action |
|---|---|---|
| A1 Governance | A.5.1, A.5.2 | A1, A2 |
| A2 Risk management | A.6.1, Clause 6.1 | A3 |
| A3 Asset management | A.5.9 | A4 |
| A4 Supply chain | A.5.19-A.5.22 | A5 |
| B2 Identity and access | A.5.15-A.5.18, A.8.2-A.8.5 | B2 |
| B3 Data security | A.5.10-A.5.14, A.8.10-A.8.12 | B3 |
| B4 System security | A.8.7-A.8.9, A.8.20-A.8.27 | B4 |
| B5 Resilient networks | A.8.20-A.8.23 | B5 |
| C1 Monitoring | A.8.15-A.8.16 | C1 |
| D1 Response and recovery | A.5.24-A.5.30 | D1 |

The DSIT Cyber Governance Code of Practice, published 8 April 2025, sits alongside this map. DSIT's published mapping translates the Code's actions into CAF principles, which gives an enterprise risk officer the language to brief a board on the supplier's CAF posture without reading the framework cold.

The translation is the load-bearing part. CAF asks for evidence of the outcome; ISO documentation describes the control. A response that simply attaches the ISO certificate and the Statement of Applicability scores Partially Achieved at best. A response that maps ISO evidence into the CAF contributing outcome, and adds the operational evidence the IGP requires, scores Achieved.

Self-assessment versus independent assessment

CAF can be carried out as either a self-assessment or an independent assessment. The route is set by the regulator or buyer.

Independent assessment is delivered either by the competent authority directly, or by a commercial provider assured under NCSC's Cyber Resilience Audit (CRA) scheme. Some regulators commission independent assessment as standard. Others accept self-assessment with a supporting evidence pack. Under GovAssure, central government Stage 3 assessment uses an independent assessor under the CRA scheme.

For a typical SME tech supplier responding to a central government tender, the request is usually for a self-assessment, with the buyer reserving the right to commission independent verification of the parts it cares about most. Independent assessment typically costs £30,000-£100,000 for a first-time engagement, depending on the size of the in-scope estate and the profile. A self-assessment with strong evidence often satisfies the buyer at a fraction of that cost, provided the evidence holds up.

From CAF pass to public sector contract win

A current CAF self-assessment turns the procurement gate from a stop into a step. The contract conversation moves to commercial terms. The supplier moves from waiting on a security review to onboarding for delivery. For a tech firm that has spent three months trying to crack public sector revenue, that shift is the difference between a forecast and a contract.

The compounding effect matters more than the first response. Once the evidence pack exists, the next tender takes weeks. Trusted-supplier rosters on Crown Commercial Service, NHS Shared Business Services and MoD prime supply chains start inviting the supplier in rather than the supplier chasing the tender. Public sector revenue moves from one-off pursuit to repeatable channel. The Naq business-to-government solution page sets out the full procurement journey for technology suppliers entering public sector buying.

The Naq platform is built to automate NCSC CAF, ISO 27001, Cyber Essentials, NHS DSPT and UK GDPR from a single dashboard. Controls are mapped across frameworks, so one piece of access-control evidence satisfies a CAF B2 contributing outcome, ISO 27001 Annex A.5.15-A.5.18, and Cyber Essentials user-access requirements at the same time, instead of being collected three times.

In-house virtual DPOs sit alongside the platform where the controller-level decisions a CAF submission depends on need human judgement. Naq is also an IASME Certifying Body, so the Cyber Essentials baseline sits inside the same engagement.

To see how CAF evidence maps across your existing tooling and frameworks, book a 15-minute demo at naqcyber.com.

FAQ

Is NCSC CAF mandatory for public sector technology suppliers?

CAF is not a blanket mandate across all public sector procurement. It applies where the buyer specifies it: central government direct contracts under GovAssure scope, NHS contracts via the CAF-aligned DSPT v8 toolkit, CNI tenders where the buyer is an OES, and an increasing number of arm's length body and local government cyber clauses. Cyber Essentials remains the wider baseline across G-Cloud and similar frameworks.

What is the difference between GovAssure Baseline and Enhanced profiles?

Baseline assumes a threat may be detected later in the attack chain, possibly via third-party notification. Enhanced assumes elevated threat (sensitive data, multi-site exposure, national security relevance) and requires earlier detection with stronger system-level protection. Profile assignment is set in discussion between the department, Government Security Group, NCSC and Cabinet Office.

How does CAF v4.0 differ from v3.2?

CAF v4.0 was released by NCSC on 6 August 2025. It adds more than 100 new IGPs and introduces or strengthens coverage of secure software development, AI-related cyber risk, attacker methods and motivations, and security monitoring with threat hunting. Suppliers asked to evidence "alignment to CAF" should treat that as a v4.0 obligation.

Will the Cyber Security and Resilience Bill change CAF requirements?

The Bill is currently before Parliament. It completed its Public Bill Committee stage on 5 March 2026 and is awaiting Report stage. It is not yet in force. The Bill expands NIS scope to include managed service providers and certain data centres, revises incident-reporting thresholds, and strengthens regulator powers. Phased implementation is expected, with full force not anticipated until 2028.

Can ISO 27001 evidence be reused for a CAF self-assessment?

Yes, with mapping. ISO 27001:2022 Annex A controls map to most CAF contributing outcomes under Objectives A and B, and the DSIT Cyber Governance Code of Practice has a published mapping to CAF principles. ISO documentation describes the control. CAF asks for evidence the outcome is met operationally, so ISO evidence is the starting point rather than the answer.

Written by
The Naq Team