The government-approved Cyber Essentials (CE) scheme needs to be reviewed regularly to ensure it stays effective in the ever-evolving threat landscape. The latest review has now taken place, and the resulting changes take effect on January 24th. Several technical control requirements will change so that they align with the recommended security updates.
What is the new update?
Home routers are not in the scope
Home routers supplied by Internet Service Providers (ISPs) or by the homeworker are no longer in scope. Instead, the CE firewall controls are transferred to the homeworker’s device.
However, if their employer supplies the homeworker’s router, it is in scope. The router must then have the Cyber Essentials controls applied to it. Using a corporate (single-tunnel) Virtual Private Network (VPN) transfers the boundary to the virtual cloud firewall or corporate firewall.
Cloud services are in scope
Ensuring that Cyber Essentials controls are implemented is the company's responsibility whenever its services or data are hosted on a cloud service. The type of cloud service determines whether the user or the cloud service provider has administrative control. This means it is vital for users to research the cloud services they use and take responsibility for ensuring Cyber Essentials controls are applied.
The new requirements also bring Software as a Service (SaaS) and Platform as a Service (PaaS) into scope.
Companies must take responsibility for user/employee access control. Businesses must ensure their services have a secure configuration and this includes securely managing access to their administrative accounts. Furthermore, organisations should block accounts they do not need.
Multi-Factor authentication must be used for access to cloud services, with a minimum password length of 8 characters. Multi-factor authentication gives additional protection to user and administrator accounts, which is vital when connecting to cloud services.
All servers are in scope of CE
Servers are in CE scope. These are particular devices that provide company services or data to other devices as part of the applicant’s business.
‘Thin clients’ are in scope
A ‘thin client,’ also referred to as a ‘dumb terminal,’ provides access to a remote desktop. The thin client does not hold significant data but has an internet connection enabling it to communicate and connect with an organisation’s services or information.
Definition of ‘licensed and supported’
Licensed and supported software is a program or application that you have a legal right to use, with the vendor committing to support the software by providing regular updates and patches. The vendor must provide the future date when updates will cease. The vendor doesn’t have to be the original software creator but must be able to modify the original software and create updates.
The ‘sub-set’ defines what is in scope and out of scope
Where a network is segregated from the rest of the company by a VLAN or firewall, it shall be defined as a sub-set. The sub-set definition can be used to determine what is in scope and out of scope of CE. It is no longer acceptable to use individual firewall rules for each device.
Smartphones and tablets
A smartphone or tablet that connects to company data or services is considered in scope when connecting to the mobile internet or corporate network. However, remote devices and mobiles that are only used for text messages, voice calling, and multi-factor authentication are considered out of scope.
Biometrics or a pin or password consisting of at least six characters must be used to lock a device.
Multi-factor authentication and password-based requirements
To protect against brute-force password attacks, further protection must be in place, such as:
- Account locking after ten unsuccessful password attempts
- Multi-factor authentication
- Throttling the rate of guessed or unsuccessful password attempts
To manage password quality, an additional technical control must be in place, such as:
- Minimum password lengths of twelve characters, with no maximum
- Minimum password lengths of eight characters, with no maximum, in conjunction with automatic common password blocking with a deny list
- Minimum password lengths of eight characters, with no maximum, in conjunction with multi-factor authentication
To create a long password that is unique and hard to guess, it is recommended to use at least three random words. A process must also be established to allow passwords to be changed if a user suspects the password or account to be compromised.
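The brute-force and password-quality controls above can be expressed directly in code. The following is an added example, not part of the original article or the CE scheme's own tooling: a password checker that enforces whichever of the three permitted quality controls the organisation has chosen, and a login guard that locks an account after ten failures and throttles earlier attempts. The control names, the deny list and the back-off schedule are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed deny list of common passwords; a real deny list would be far larger.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1", "12345678"}


def password_acceptable(password: str, control: str) -> bool:
    """Check a candidate password against the CE password-quality control the
    organisation has chosen. 'control' (a hypothetical name) is one of:
      'length12'         - at least twelve characters
      'length8_denylist' - at least eight characters plus a common-password deny list
      'length8_mfa'      - at least eight characters, with MFA enforced on the account
    No maximum length is applied in any case."""
    if control == "length12":
        return len(password) >= 12
    if control == "length8_denylist":
        return len(password) >= 8 and password.lower() not in COMMON_PASSWORDS
    if control == "length8_mfa":
        return len(password) >= 8
    raise ValueError(f"unknown control: {control}")


@dataclass
class LoginGuard:
    """Brute-force protection: locks an account after max_failures unsuccessful
    attempts and throttles attempts before that with a growing delay."""
    max_failures: int = 10
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str) -> int:
        """Record a failed attempt and return the updated failure count."""
        self.failures[account] = self.failures.get(account, 0) + 1
        return self.failures[account]

    def record_success(self, account: str) -> None:
        """A successful login resets the counter (only reachable if not locked)."""
        self.failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= self.max_failures

    def delay_seconds(self, account: str) -> int:
        """Throttle: delay doubles with each consecutive failure, capped at 30s."""
        n = self.failures.get(account, 0)
        return 0 if n == 0 else min(2 ** (n - 1), 30)
```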
A separate account should be used for administrative activities only. In practice, administrators should have two accounts: one user account for day-to-day activities (email, web browsing etc.) and a privileged account for administrative activities.
An organisation's scope must include end-user devices. This change closes a loophole where companies could certify their server systems only, without including end-user devices. Closing this loophole tackles threats coming from the administrators of those server systems.
High and critical updates must be applied within fourteen days, and unsupported software removed
All software on in-scope devices should be:
- Licensed and supported
- Where possible, have automated updates activated
- Removed from devices if it becomes unsupported or removed from scope by using a defined subset that blocks all internet traffic
Software on in-scope devices must also be updated within fourteen days of an update's release, with any manual configuration changes applied that are needed for the update to take effect, where:
- The update fixes vulnerabilities the vendor rates as high-risk or critical
- The vendor provides no details of the severity of the vulnerabilities the update fixes
- Updates address vulnerabilities with a CVSS v3 score of 7 or higher
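The three triggers above decide whether an update falls under the fourteen-day rule. The following is an added example, not taken from the article or from any CE assessment tool, that evaluates those triggers for a constructed list of updates and reports which are overdue on a given date. The Update record and the sample updates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW_DAYS = 14


def update_is_mandatory(vendor_severity: Optional[str], cvss_v3: Optional[float]) -> bool:
    """True if any CE trigger applies: vendor rates the fix high/critical, the
    vendor gives no severity information at all, or CVSS v3 score is 7.0 or above."""
    if vendor_severity is None and cvss_v3 is None:
        return True  # vendor gave no details of what the update fixes
    if vendor_severity is not None and vendor_severity.lower() in ("high", "critical"):
        return True
    if cvss_v3 is not None and cvss_v3 >= 7.0:
        return True
    return False


@dataclass
class Update:
    name: str                      # constructed identifier, e.g. "webserver 2.4.x"
    released: date
    vendor_severity: Optional[str] # None when the vendor published no rating
    cvss_v3: Optional[float]       # None when no CVSS v3 score is available
    applied: bool = False


def patch_deadline(update: Update) -> Optional[date]:
    """Date by which the update must be applied, or None if no trigger applies."""
    if not update_is_mandatory(update.vendor_severity, update.cvss_v3):
        return None
    return update.released + timedelta(days=PATCH_WINDOW_DAYS)


def overdue_updates(updates: List[Update], today: date) -> List[str]:
    """Names of mandatory updates that are still unapplied past their deadline."""
    overdue = []
    for u in updates:
        deadline = patch_deadline(u)
        if deadline is not None and not u.applied and today > deadline:
            overdue.append(u.name)
    return overdue


# Constructed sample: one vendor-rated critical fix, one with no vendor detail,
# one low-rated by the vendor but CVSS 7.5, and one medium-rated at CVSS 5.3.
SAMPLE_UPDATES = [
    Update("webserver 2.4.x", date(2022, 1, 24), "Critical", 9.8),
    Update("pdf-viewer 11.2", date(2022, 1, 30), None, None),
    Update("office-suite 16.1", date(2022, 2, 1), "low", 7.5, applied=True),
    Update("chat-client 5.0", date(2022, 1, 10), "medium", 5.3),
]
```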
Guidance on backing up your data
Data backups are not a technical requirement of CE. However, CE guidance highly recommends implementing a backup solution to protect critical data.
The Cyber Essentials Plus audit adds two tests
The CE Plus audit adds a test to confirm account separation between administrator and user accounts. The second additional test will confirm MFA is required for access to cloud services.
One year grace period
A grace period of one year will give organisations the time to make changes for the following requirements:
MFA for cloud services
- The requirement for administrator accounts will apply from January 2022
- The requirement for user accounts will apply from January 2023
- The requirement for thin client support and security updates will apply from January 2023
- For the first twelve months, the thin client question will be for information only
Security update management
- Unsupported software removed from scope will apply from January 2023
- For the first twelve months, the new question will be for information only
Cyber Essentials certification
Organisations that register and pay for a Cyber Essentials certificate prior to January 24th 2022 will be assessed on the old CE question set. They will have six months to complete the self-assessment. However, the Cyber Essentials Readiness Tool will be updated on January 24th 2022 with the new requirements and the five technical controls. To use the readiness tool on the old question set, please access it before January 24th 2022.
Contact us if you have any questions regarding Cyber Essentials or you would like to learn more about the product.
CE Plus changes
Cyber Essentials Plus now includes two additional tests to support the Evendine Cyber Essentials changes:
- Test 6: Review of MFA configuration – For any cloud-enabled services relevant to the assessment, an assessor will review the multi-factor authentication to ensure it is enabled appropriately according to the Cyber Essentials Plus standard.
- Test 7: Review of admin account separation – To ensure user privileges are aligned to the Cyber Essentials standard, user accounts will be reviewed to ensure that administrative accounts are separate from day-to-day user accounts.