The Cyber Assessment Framework Explained: What It Means for NHS Suppliers and Small Providers

By Brian Crocker. Last reviewed: 4 June 2026

If you've been reading about DSPT v8 (2025/26), you've probably seen the phrase "CAF-aligned" repeated everywhere. Maybe you've noticed your DSPT toolkit looks structurally different to v7 and wondered why. The answer is the Cyber Assessment Framework — a piece of national cyber security infrastructure most small NHS providers have never heard of, but now find themselves indirectly subject to.

This guide explains what the CAF is, who it's for, why NHS England adopted it, and what it actually means for the day-to-day work of completing the DSPT. It is written for people running care homes, pharmacies, GP practices, and other Category 3 / Category 4 organisations — not for NHS Digital security architects.

What is the Cyber Assessment Framework?

The Cyber Assessment Framework (CAF) is a set of cyber security principles maintained by the National Cyber Security Centre (NCSC) — the UK's technical authority on cyber security and a part of GCHQ.

The CAF was originally designed to help operators of critical national infrastructure (energy, water, transport, telecoms) demonstrate their cyber security to UK regulators under the Network and Information Systems Regulations 2018 (commonly called the NIS Regulations). It has since been adopted more broadly across the UK public sector — including by NHS England as the structural basis for DSPT v8.

The CAF is not a checklist. It is an outcome-based framework: rather than telling you "install a firewall" or "use 12-character passwords," it asks you to demonstrate that you achieve specific outcomes, such as "you have effective processes in place to ensure decisions are based on current understanding of security risk." How you achieve those outcomes is up to your organisation.

The full framework is documented at the Cyber Assessment Framework collection on ncsc.gov.uk. DSPT v8 (2025/26) is aligned to CAF version 3.4, per the official v8 announcement. Note that NCSC now publishes CAF version 4.0 as its current standalone framework — so the NCSC site may show a higher version than the one the DSPT maps to. For the DSPT, v3.4 is the reference point.

How the CAF is structured

The CAF is organised around four high-level objectives, each containing a set of principles, and each principle expressed as a set of contributing outcomes. The four objectives are:

  • Objective A, Managing security risk. Example principles: governance, risk management, asset management, supply chain.
  • Objective B, Protecting against cyber attack. Example principles: service protection policies, identity and access control, data security, system security, resilient networks, staff awareness and training.
  • Objective C, Detecting cyber security events. Example principles: security monitoring, proactive security event discovery.
  • Objective D, Minimising the impact of cyber security incidents. Example principles: response and recovery planning, lessons learned.

Each principle has a letter–number identifier (A.1 Governance, A.2 Risk Management, B.1 Service Protection Policies, etc.). Within each principle there are contributing outcomes, and within each outcome there are indicators of good practice.

As a small-provider DSPT user, you don't read CAF documents directly. NHS England has done that work: it has selected which CAF outcomes apply to each DSPT category and translated them into provider-friendly assertions and evidence items.

Why NHS England adopted the CAF for DSPT v8

NHS England announced DSPT v8 — the first CAF-aligned version — on 18 September 2025, with full transition required for the 2025/26 submission cycle (deadline 30 June 2026). The full announcement is at dsptoolkit.nhs.uk/News/161.

The shift was driven by alignment with the wider UK Government Cyber Security Strategy 2022 to 2030, which set a goal that all government and public sector bodies would adopt the CAF as a common language for cyber resilience. Healthcare — as one of the largest and most data-sensitive parts of the public sector — was an early adopter.

The practical reasons for the change:

  • One framework across the public sector. A care home that supplies services to the NHS, a council-run service that connects to NHS systems, and a hospital trust now all describe their security in the same vocabulary. That makes assurance and oversight easier.
  • Outcome-based language reduces "policy theatre." Previous DSPT versions allowed providers to upload a policy document and claim the box was ticked. v8 asks whether the policy is being followed and whether it actually works.
  • A foundation that scales. The same framework runs from a 25-bed nursing home (Category 3) through to NHS Digital (Category 1). Each category has a different scope and depth, but they share structure.

What "CAF-aligned" actually means for Category 3 and 4

If you are a care home, community pharmacy, dental practice, optician, or GP practice, you are most likely Category 3 (or Category 4 for GP practices). Here is what the CAF alignment means in practice:

1. The structure of the toolkit changed

In v7, you worked through a flat list of standards and questions. In v8, the toolkit is organised into Outcomes → Assertions → Evidence items, with each assertion mapped back to a specific CAF principle. You still answer assertions; the underlying CAF principle is shown for reference.

2. The number of mandatory items is broadly similar

For Category 3 organisations, the workload in v8 is comparable to v7 — approximately 42 mandatory evidence items across the assertions, similar to the previous category load. The structure changed; the depth did not balloon. This is a deliberate choice by NHS England: small providers were not made to absorb a full CAF assessment.

3. The evidence is more "show your working"

Where v7 might have accepted "yes, we have a policy," v8 typically asks for the policy plus proof of implementation — for example, training completion records, recent risk register entries, or screenshots showing access reviews have happened. This reflects the CAF's outcome-based design: the goal is not to have a document, the goal is to be secure.

4. New assertions exist that did not in v7

A small number of assertions are genuinely new in v8 — most notably around supply chain assurance (mapping to CAF principle A.4 Supply Chain) and proactive monitoring (CAF principles C.1 / C.2). For most small providers, these translate to "have you got a list of your IT suppliers and have you confirmed they meet basic data security standards?" rather than full CAF-grade supply chain risk management.

5. There is no v7 → v8 carry-forward

Evidence uploaded to v7 does not automatically transfer to v8. You will need to re-upload or re-confirm evidence for the v8 assertion set — even where the underlying control has not changed.

For a more detailed walk-through of the v8 changes specifically, see our DSPT v8 changes guide.

CAF principles you'll see referenced in the DSPT

Most Category 3 and 4 DSPT users will encounter at least these CAF principles. You don't need to memorise the framework, but recognising the labels will save time when reading the toolkit's assertion descriptions.

Each entry gives the CAF principle, what it means in plain English, and where you'll see it in the DSPT:

  • A.1 Governance. Plain English: someone is in charge of security and decisions are documented. In the DSPT: senior responsibility, board / partner sign-off on data security.
  • A.2 Risk Management. Plain English: you know what could go wrong and decide what to do about it. In the DSPT: risk register, annual risk review.
  • A.3 Asset Management. Plain English: you know what data and systems you have. In the DSPT: data flow mapping, system inventory.
  • A.4 Supply Chain. Plain English: you know who your suppliers are and what they do for you. In the DSPT: IT supplier list, data processing agreements, supplier security assurance.
  • B.1 Service Protection Policies. Plain English: you have written policies for your security controls. In the DSPT: data security policy, acceptable use policy, incident response policy.
  • B.2 Identity and Access Control. Plain English: the right people have access to the right things, and only those things. In the DSPT: user access reviews, leaver process, role-based access.
  • B.3 Data Security. Plain English: data is protected from unauthorised access, at rest and in transit. In the DSPT: encryption on devices, secure email (NHSmail or equivalent).
  • B.4 System Security. Plain English: your systems are configured securely and patched. In the DSPT: patching schedule, supported software inventory.
  • B.6 Staff Awareness and Training. Plain English: staff know what they need to do and have been trained. In the DSPT: annual data security awareness training, phishing exposure training.
  • D.1 Response and Recovery Planning. Plain English: you know what to do if something goes wrong. In the DSPT: business continuity plan, incident response plan.

The full list of principles is in the NCSC CAF documentation. For the DSPT mapping, the official assertion-by-assertion spreadsheet is downloadable from the NHS England v8 announcement page.

How the CAF differs from Cyber Essentials

Many small providers ask whether having Cyber Essentials means they're "done" — or whether the CAF replaces it. The short answer: they are different things, and both still matter.

  • Type: Cyber Essentials is a certification scheme; the CAF is an outcome-based framework.
  • Scope: Cyber Essentials covers 5 technical control areas; the CAF has 14 principles across 4 objectives.
  • Audience: Cyber Essentials is for any UK organisation, especially SMEs; the CAF is for the public sector and critical national infrastructure.
  • Verification: Cyber Essentials is an annual self-assessment, with a third-party verified version (CE+); the CAF is self-assessed via the DSPT (for NHS organisations) or through a formal CAF assessment (CNI).
  • Cost: Cyber Essentials is ~£300-£500/year (CE), more for CE+; the CAF is free to read, and the cost is staff time.
  • Use in DSPT: Cyber Essentials is optional supporting evidence for some assertions; the CAF is the underlying structure of the entire DSPT v8.

Cyber Essentials covers the technical baseline (firewalls, secure configuration, access control, malware protection, patch management). It is genuinely useful and provides clean evidence for several DSPT assertions. The CAF goes broader — including governance, supply chain, training, and incident response — and provides the structure into which Cyber Essentials evidence fits.

If your organisation already has Cyber Essentials, that's a strong starting point. You'll find that several CAF-mapped DSPT assertions can be evidenced by the Cyber Essentials self-assessment summary or certificate. Read more on Cyber Essentials at ncsc.gov.uk/cyberessentials/overview.

What you actually need to do

If you are completing the DSPT for the first time (or for the first time under v8), you do not need to study the CAF directly. The relevant work is:

  1. Read the v8 announcement at dsptoolkit.nhs.uk/News/161. This explains the change in NHS England's own words and links to the assertion spreadsheets for your category.
  2. Download the assertion spreadsheet for your category. Category 3 and Category 4 spreadsheets are linked from the v8 announcement page. These show every assertion you need to complete and the CAF principle it maps to.
  3. Use the DSPT structure, not raw CAF documents. NHS England has done the translation work. Reading the CAF directly will give you a deeper understanding, but it is not required for completion.
  4. Collect evidence by assertion, not by CAF principle. The toolkit shows assertions; collect what each assertion asks for.
  5. Use the standard evidence patterns outlined in our DSPT evidence requirements guide — most of the v8 evidence patterns map cleanly onto CAF expectations.

For a structured starting point, our evidence checklist generator outputs a categorised list you can work through. The readiness quiz takes ~5 minutes and shows where the biggest gaps are likely to be.

Common misconceptions about the CAF

"CAF-aligned means harder." Not for small providers. The same NHS England that adopted the CAF also chose to keep the Category 3 workload broadly comparable to v7. The structure changed; the depth did not.

"I need to do a full CAF assessment." No — Categories 1 and 2 (NHS trusts, IT suppliers) do CAF-grade assessments. Category 3 and 4 organisations complete the DSPT, which is the CAF-translated-for-providers version.

"CAF replaces Cyber Essentials." It doesn't. They serve different purposes. Cyber Essentials remains useful, particularly as supporting evidence for certain DSPT assertions.

"NCSC inspects me." NCSC publishes the CAF and provides technical guidance, but it does not inspect small NHS providers. DSPT submissions are reviewed by NHS England and, for CQC-registered care providers, the CQC may reference your DSPT status during inspections.

FAQ

What is the Cyber Assessment Framework? The Cyber Assessment Framework (CAF) is a set of cyber security principles published by the National Cyber Security Centre (NCSC). It is used across UK critical national infrastructure and the public sector — including NHS England, which adopted it as the foundation for DSPT v8 in 2025.

Do small NHS providers need to use the CAF directly? No. Small Category 3 and Category 4 providers (care homes, pharmacies, GP practices) interact with the CAF indirectly through the DSPT. NHS England has translated the CAF principles into category-appropriate assertions and evidence items so you don't read CAF documents directly.

How is the CAF different from Cyber Essentials? Cyber Essentials is a baseline certification scheme covering five technical controls — useful but narrow. The CAF is a broader, outcome-based framework covering governance, risk management, supply chain, incident response, and more. The CAF is the structure DSPT v8 uses; Cyber Essentials remains useful evidence for specific assertions within it.

Where can I read the CAF itself? The CAF is published on ncsc.gov.uk under Collections → Cyber Assessment Framework. The full guidance is freely available, but most small providers do not need to read it directly.

Is the CAF mandatory for the DSPT? The DSPT is mandatory for organisations accessing NHS patient data or systems. From v8 onwards, the DSPT is structured around the CAF — so meeting the DSPT is, in effect, meeting the CAF outcomes that NHS England has selected for your category.

Next steps

  1. Confirm your category — log in to dsptoolkit.nhs.uk. Most small providers will be Category 3 (or Category 4 for GP practices).
  2. Download the v8 assertion spreadsheet for your category from the v8 announcement page.
  3. Read our DSPT v8 changes guide for what's actually different from v7 and what to do about it.
  4. Use the evidence checklist generator to get a structured list of what to gather.
  5. Plan your timeline with the deadline calculator.

This guide is based on the NCSC Cyber Assessment Framework and DSPT v8 (2025/26) as published by NHS England. The CAF is updated periodically — always verify against the official NCSC CAF collection. This is not legal or compliance advice.
