Table of Contents
The National Cyber Security Centre (NCSC) is preparing a raft of changes to their best security framework: Cyber Essentials. The Cyber Essentials changes are due to be officially released on 24th January 2022, these changes have been described by the NCSC as the “biggest overhaul” to the framework since it was introduced eight years ago. The changes are brought about following feedback from assessors and applicants. There was also extensive consultation with the Cloud Industry Forum.
The Covid 19 pandemic has been a major factor in the need for these changes. The entire landscape of how people work has changed. We have seen, for example, a greater need for increasing amounts of home and hybrid working. This, alongside a greater reliance on cloud services, has meant an overhaul is necessary to counter ever-evolving cyber threats in this new working landscape.
Cyber Essentials is a straightforward and efficient scheme, backed by the UK government, that supports organisations to guard against common cyber threats. It comprises simple steps that organisations can implement to demonstrate that their systems are protected against basic cyber attacks. The Cyber Essentials certification provides confidence to customers and is a necessary requirement for those organisations working on, or hoping to gain UK government contracts. The Cyber Essentials scheme also helps organisations with compliance requirements such as those of the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
The scheme covers five main technical controls which are:
- Firewalls and Routers: Securing your Internet connection
- Secure Configuration: Securing your devices and software
- Access Control: Control access to your data and services
- Malware Protection: Protection against viruses and other malware
- Software Updates: Keeping your devices and software up to date
The January Cyber Essentials Update 2022
“All Cyber Essentials applications starting on or after January 24 2022 will use the updated version of the requirements. We recognise that some organisations may need to make extra efforts when assessed against the new standards, so there will be a grace period of up to 12 months for some of the requirements.” the NCSC said.
“Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected. Organisations using the current standard will have six months from January 24 to complete the assessment,”
Following a technical review of the current scheme, the NCSC and its delivery partner IASME, have introduced a number of necessary updates. Here are a just a few of the areas covered by the forthcoming update
Devices used by home workers to access organisational information are in scope for the Cyber Essentials update.
Home routers that are provided by ISPs or by home workers are now out of scope. A router supplied by the applicant company, however, is in scope and must have Cyber Essentials controls applied to it.
The use of a single tunnel VPN transfers the boundary to the corporate firewall or virtual cloud firewall.
Cloud services will be integrated into the scheme.
The organisation is responsible for ensuring that all the updated Cyber Essentials controls are implemented if that organisation utilises cloud services. Definitions of cloud services have been added to clearly differentiate Infrastructure, Platform and Software Services. Whether the cloud service provider or the user implements the control will depend on the type of cloud service.
It is a commonly held assumption that cloud services are, by their very nature, secure. However, this is a dangerous assumption and users should be encouraged to do their own research into the security risks and vulnerabilities of their cloud services. In this regard The Cyber Essentials controls should be implemented wherever possible.
Platform as a Service (PaaS) and Software as a Service (SaaS) were previously not “in scope”, however, the new January 2022 requirements insist that organisations are responsible for the secure configuration and user access control of their services. This includes securely managing access to whichever admin and blocking accounts they do not need.
If the cloud service is responsible for the implementation of one or more of the controls, the applicant organisation has the responsibility to seek evidence that this is done to the necessary standard. Examples of controls might include anti-malware or security update management.
Multi Factor Authentication & Password Management
Multi Factor Authentication provides an extra layer of protection for passwords that are not covered by other technical controls. Multi factor authentication should always be implemented to provide added protection for administrator accounts and accounts that are used to connect to cloud services.
When using passwords at least one of the following protections should be used to defend against the practice of brute-force guessing:
- Multi-factor authentication
- Throttling the rate of unsuccessful attempts
- Account locking after 10 unsuccessful attempts or less
Technical controls are used to manage the quality of passwords. This will include one of the following:
- Multi-factor authentication alongside a password of at least 8 characters. There should be no restriction on the length of a password
- A minimum password length of 12 characters with no restriction on maximum length
- A minimum password length of 8 characters, with no maximum length restriction with automatic blocking of common passwords through the use of a deny list
People are encouraged to use unique passwords for their work accounts.
New guidance has been created on how to form passwords. The new recommendation is that three random words should be used to create a password that is long, unique and very hard to guess.
There should be an established process to change passwords quickly if the applicant has any suspicion that the password or account has been compromised.
Critical Updates & Unsupported Software
All software on devices that are “in-scope” must comply with the following:
- All software should be Licensed and fully supported
- When software becomes unsupported it must be removed or by using a sub-set network topology that prevents / stops all outbound and inbound traffic.
- Automatic updates should be enabled where it is possible to do so
- Software should be updated (including necessary manual configuration) within 14 days of the update release date where:
- The update deals with vulnerabilities described as ‘critical’ or ‘high risk’
The update addresses vulnerabilities with a Common Vulnerability Scoring System (CVSS) v3 score of 7 or greater
- The software vendor provides no details of the vulnerabilities that the update fixes
A firewall is needed to secure devices within a network in order to mitigate the risk of cyber attack. Establishing a properly configured firewall is one of the primary steps in gaining Cyber Essentials certification.
The Cyber Essentials update will require that organisations configure a firewall to protect all devices, especially those devices that are connected to public or untrusted Wi-Fi networks. Each device in scope must be protected by an adequately configured firewall.
One of the major changes brought about by the January 2022 update is that using individual firewall rules per device is no longer an accepted practice (to remove devices from scope). For home workers the Cyber Essentials firewall controls are now to be transferred to any home worker’s device that is in-scope.
Mobile Devices, 4G and 5G
A smartphone or tablet storing/making a connection to organisational data over the 4g and 5g wireless networks have been confirmed as being in scope.
However, mobile or remote devices used only for voice calls, text messages or non-organisational multi-factor authentication applications are out of scope.
Devices should also employ biometrics where possible and/or use a minimum of six characters to unlock the device.
What do I need to do?
If your assessment has started or begins before 24th January 2022 you will be certifying to the current technical standard – check with your certification body as the key date is when your account is created on the IASME submission portal – not necessarily when your program starts, in particular, if you have paid for upfront consultancy and support.
You will then have a full six months from that date to complete these assessments.
Any assessments that commence on or after 24th January 2022 will have to certify to the new standard.
The new NCSC Requirements for Infrastructure document – which we recommend you read.
The new question set can also be found via this link: here .
IASME also publishes an informative blog, where they outline, in greater detail, the changes being implemented and the reasoning behind each of those changes: here.
The Cyber Essentials Readiness Tool will also be updated alongside the new requirements for the 5 technical controls.
CyberSecuritiesUK are experts in Cyber Essentials Implementation and certified by the IASME consortium. We specialise in helping businesses of all sizes to help safeguard their system and network security.
If you would like to find out how we can help, book a meeting below with a Cyber Essentials Assessor to discover how to protect your business from the bad guys.
Book a Call with a Cyber Essentials Assessor
Check out Rory’s availability using the calendar below. A zoom link will be sent to you once you have confirmed your appointment. We look forward to meeting you!