New Changes to Cyber Essentials Certification
The UK Cyber Essentials scheme first introduced in 2014 includes five technical controls that help protect organisations from the majority of cyber attacks. Although a UK standard, it is applicable to organisations of all sizes, sector and countries.
A team of experts review the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape.
On January 24th 2022, some of the technical control requirements will change in line with recommended security updates and reflect the changing landscape of IT work environments (i.e. hybrid and remote working).
Home working devices are in scope, but most home routers are not.
Anyone working from home for any amount of time is now classified as a ‘home worker’. Previously ‘home workers’ were those whose employment contracts specified that they worked from home.
The devices that home workers use to access organisational information, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.
Home routers that are provided by Internet Service Providers or by the home worker are now out of scope and the Cyber Essentials firewall controls are now transferred to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope and must have the Cyber Essentials controls applied to it.
The use of a corporate (single tunnel) Virtual Private Network (VPN) transfers the boundary to the corporate firewall or virtual cloud firewall.
All cloud services are in scope
Cloud services are to be fully integrated into the scheme.
If an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user implements the control, depends on the type of cloud service.
Multi factor authentication must be used for access to cloud services
As well as providing extra protection for passwords that are not protected by other technical controls, multi factor authentication should always be used to provide additional protection to administrator accounts and accounts when connecting to cloud services.
The password element of the multi-factor authentication approach must have a password length of at least 8 characters with no maximum length restrictions.
There has been an increasing number of attacks on cloud services, using techniques to steal users passwords to access their accounts. There are four types of additional factor that may be considered:
- A managed enterprise device
- An app on a trusted device
- A physically separate token
- A known or trusted account
Thin clients are in scope when they connect to organisational information or services
A thin client is a ‘dumb terminal’ that gives you access to a remote desktop. It doesn’t hold much data, but it can connect to the internet.
All servers including virtual servers on a sub-set or a whole organisation assessment are in scope
Servers are specific devices that provide organisational data or services to other devices as part of the business of the applicant.
All smart phones and tablets connecting to organisational data and services are confirmed in scope when connecting to corporate network or mobile internet such as 4G and 5G.
However, mobile or remote devices used only for voice calls, text messages or multi-factor authentication applications are out of scope. We have communicated to clients that any devices including personally owned devices that access the organisation’s systems or information are in scope.
Smartphones and tablets should be considered as if they were laptops.
Biometrics or a minimum password or pin length of 6 characters must be used to unlock a device.
Password-based and multi-factor authentication requirements
When using passwords, one of the following protections should be used to protect against brute-force password guessing:
- Multi-factor authentication
- Throttling the rate of unsuccessful or guessed attempts.
- Locking accounts after no more than 10 unsuccessful attempts.
Technical controls are used to manage the quality of passwords. This will include one of the following:
- Using multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions
- A minimum password length of at least 12 characters, with no maximum length restrictions
- A minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list
People are supported to choose unique passwords for their work accounts. New guidance has been created on how to form passwords. It is now recommended that three random words are used to create a password that is long, difficult to guess and unique.
There is an established process to change passwords promptly if the applicant knows or suspects the password or account has been compromised.
Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).
The scope of an organisation must include end-user devices
If an organisation certifies their server systems only, they ignore the threats that come from their administrators who administered those server systems. The change to this requirement closes the loophole where organisations were able to certify their company without including any end user devices. Cyber Essentials must now include end point devices.
All high and critical updates must be applied within 14 days and remove unsupported software.
All software on in scope devices must be:
- Licensed and supported
- Removed from devices when it becomes un-supported or removed from scope by using a defined ‘sub-set’ that prevents all traffic to/from the internet.
- Have automatic updates enabled where possible
- Updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where:
- The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
- The update addresses vulnerabilities with a CVSS v3 score of 7 or above
- There are no details of the level of vulnerabilities the update fixes provide by the vendor
Guidance on backing up
Backing up your data is not a technical requirement of Cyber Essentials, however there is now guidance on backing up important data and implementing an appropriate backup solution is highly recommended.
Two additional tests have been added to the CyberEssentials plus audit
Test to confirm account separation between user and administration accounts
Test to confirm MFA is required for access to cloud services.
How the changes will work
There will be a grace period of one year to allow organisations to make the changes for the following requirements:
MFA for cloud services
The requirement will apply for administrator accounts from January 2022
The MFA for users requirement will be marked for compliance from January 2023
Thin Clients need to be supported and receiving security updates, the requirement will be marked for compliance from January 2023
The new question will be for information only for first 12 months.
Security update management
Unsupported software remove from scope will be marked for compliance from January 2023. The new question will be for information only for first 12 months.
If your organisation registers and pays for Cyber Essentials certification before 24th January 2022, you will be assessed on the old Cyber Essentials question set and have up to six months to complete your self-assessment.
Please be aware that the Cyber Essentials Readiness Tool will be updated with the new requirements for the 5 technical controls on 24th January 2022. If you would like to use the tool for guidance on the old question set, please access the guidance before 24th January 2022.
If you have any questions relating to the Cyber Essentials certification readiness, please get in touch with our team by phone 01 536 7320 or email [email protected].
Source: IASME Cyber Blog available here.