Author: Stuart McCulloch, Lead Cyber Essentials assessor
The Cyber Essentials (CE) scheme was introduced in 2014 with backing from the National Cyber Security Centre (NCSC). The requirements have changed over the years, with the introduction of new elements. The latest question set is the largest change ever and has created some misunderstandings. This blog is intended to address these and bust some myths.
These myths cause confusion and can put people off applying for CE and Cyber Essentials Plus (CE+), meaning that their organisation may miss out on important basic security measures to protect against potential exploits and threats.
So, what are these myths and, more importantly, what are the facts behind them? Some of the biggest misapprehensions are around bring your own device (BYOD) policies and controls, MFA and cloud services, so we’ll start with those and cover the remaining myths in a second blog post.
Myth 1 – I don’t know what defines a service as a cloud service
All cloud services are now in scope. All Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) are in scope, but this has led to some misconceptions that absolutely everything your staff or students use is in scope.
The CE definition of a cloud service is: ‘A cloud service is when an applicant subscribes to (paid or free), controls who has access and/or administrative access over the cloud service. For example, MS 365, Google Workspace, QuickBooks, Dropbox.’ By extension, if the applicant organisation has admin-type rights such as creating other users, resetting passwords or controlling security access, then this would constitute an in-scope cloud service.
If the applicant’s organisational data is held in a cloud service, then it is likely to be in scope for CE.
If a service does not allow the above, it is not a cloud service in the CE sense and is not in scope.
The reality is that there are many applications and services that staff may use as part of their job. While it would be ideal if all those apps were CE compliant (with MFA, for example), the scope that you are responsible for probably does not include them all. A good rule of thumb for SaaS scoping is: if you have user accounts that are managed by your organisation, the service is in scope; if not, it is out of scope.
Remember that CE is a self-assessment tool: it’s designed primarily to help organisations review and improve their security posture and shouldn’t be viewed solely as a route to a certificate. Key to this self-assessment process is helping organisations to develop a complete and accurate understanding of all their cyber assets, including their cloud services, and the attack surface they present. In short, you must know what you’re trying to defend if you’re going to defend it effectively.
So, think about the range of cloud services you use, the facilities they provide and the range of data they contain: what would be the consequences if a malicious actor was to gain access to one or more of them, and sensitive data was stolen or breached? Thinking about the cloud services you use in terms of their potential vulnerabilities and the consequences of an attack or incident will help you identify both where the CE controls need to be applied and, consequently, the services that should be described in your application.
Myth 2 – I can’t achieve Cyber Essentials if I don’t have MFA on a cloud service
Multi-factor authentication (MFA) is a very important basic control that should be enabled whenever and wherever it is possible to do so. Unfortunately, not every cloud service offers it. However, using cloud services that do not offer or cannot provide MFA does not necessarily lead to the automatic failure of a CE application.
Using cloud services which do not offer MFA does result in some non-compliances being awarded as described below, but applicants can still pass provided the rest of their submission is compliant (you need to be compliant in nearly all the questions to pass the CE assessment).
If you can apply any form of MFA, such as the first four of the five options listed here, then your cloud service would be compliant. Alternatively, if you can put Azure Application Proxy in front of a cloud service and use MS 365 credentials and MFA to control access to it, this is also acceptable for CE.
But if you are using a cloud service that doesn’t or cannot offer MFA, you must answer “no” to question A7.14 (Have you enabled MFA on all of your cloud services?). A “no” response to A7.14 will be marked as non-compliant.
If you answer “no” to A7.14 you then need to list any cloud services in use that do not support or offer MFA in response to A7.15 (If no, is this because MFA is not available for some of your cloud services? List the cloud services that do not allow multi-factor authentication).
If a cloud service listed in response to A7.15 is found to offer MFA, the response to A7.15 will also be marked as non-compliant. But if the assessor confirms that all the cloud services listed by the applicant in response to A7.15 do not offer MFA, the response to A7.15 will be marked as compliant.
The subsequent question A7.16 (Has MFA been applied to all administrators of your cloud services?) will be marked as compliant even if it is answered “no”, provided this is only because one or more cloud services in use do not offer any form of MFA, as confirmed in the applicant’s previous response to A7.15.
Note that the response to A7.17 (Has MFA been applied to all users of your cloud services?) is currently for information only and will not be taken into consideration until April 2023, which will coincide with the next, light touch, update to CE technical requirements (further information about the April updates is available here).
For example, if you list 10 cloud services for question A2.9 and 3 of those do not have MFA applied, and you are not able to apply any of the alternative methods of MFA, you should answer ‘No’ to question A7.14 and incur a single major non-compliance. You will then have to list these 3 services in A7.15 (which will be marked as compliant) and answer ‘No’ to A7.16. If those cloud services genuinely don’t have MFA functionality, A7.16 will also be marked as compliant.
So, if you are using a cloud service without MFA, CE compliance and certification are still achievable. Of course, you will need to concentrate on the remainder of the submission to ensure you are compliant in the other areas.
The CE question set and requirements document can be downloaded here.
Myth 3 – bring your own device (BYOD) technical controls are required
Currently it is not mandatory to have technical controls in place to manage your BYOD or personal devices. But for CE compliance it is necessary to have full visibility of these BYOD devices, to ensure they are supported, are running a supported operating system, have antivirus installed and are not jailbroken or rooted.
Large organisations such as colleges and universities are expected to have technical controls in place to manage BYOD and other devices, but this is only an ‘advisory’ for now. If you do things manually or via a policy or guidance-based approach only, with no technical solution in place, and mention this in the submission, the ‘advisory’ will suggest you look at utilising technical controls such as MDM, Intune, conditional access etc. to manage those devices in future.
A challenge with getting device information from Azure/MS 365 is that it will only give you the operating system information and not the device information, such as the make of the device, unless that device is registered into something like Intune. One way to gather this information is to use something like a Microsoft or Google form, sending it out to staff and asking what their devices are and what they are running. This is easier said than done: staff may know how to use their devices to send messages, emails etc. but may not know whether it is, for example, a Samsung running Android 10/11/12/13, so there are issues with that approach.
Having a technical control is a great way to gather this information and ensure the devices are compliant with CE controls. With little manual input you can pull this information from your MDM solution whenever you need it, not just for CE compliance.
While having a fully technical control isn’t mandatory currently, that’s not to say it won’t be in the future, so implementing something like Intune will be a great project to start now and have in place for your future submissions, for good asset management and to help reduce cyber risk in your organisation.
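As an added illustration (not part of the original post or of any IASME/NCSC tooling) of pulling this information from an MDM, the script below uses the Microsoft Graph PowerShell SDK to summarise Intune-managed devices by manufacturer and operating system version, and to flag jailbroken/rooted and stale devices. It assumes the Microsoft.Graph module is installed and the signed-in account has permission to read managed devices; the output file name is an arbitrary choice.

```powershell
# Added example: summarise Intune-enrolled devices for a CE device list.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Pull every managed device with the properties the CE answers need.
# OSVersion is the build string (e.g. 10.0.19045); map it to the marketing
# version (22H2) when writing the submission.
$devices = Get-MgDeviceManagementManagedDevice -All |
    Select-Object DeviceName, Manufacturer, Model, OperatingSystem, OSVersion,
                  JailBroken, ComplianceState, LastSyncDateTime

# Group into "N devices from make X running OS Y version Z" rows.
$summary = $devices |
    Group-Object Manufacturer, OperatingSystem, OSVersion |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count        = $_.Count
            Manufacturer = $first.Manufacturer
            OS           = $first.OperatingSystem
            OSVersion    = $first.OSVersion
        }
    }
$summary | Format-Table -AutoSize

# CE requires that devices are not jailbroken or rooted; Intune reports
# this as the string "True", "False" or "Unknown".
$rooted = $devices | Where-Object { $_.JailBroken -eq 'True' }
if ($rooted) {
    Write-Warning "Jailbroken/rooted devices found:"
    $rooted | Format-Table DeviceName, Manufacturer, Model, OSVersion -AutoSize
}

# Devices that have not synced for 30 days may have left the estate;
# reconcile these with your leavers process rather than listing them blindly.
$stale = $devices | Where-Object { $_.LastSyncDateTime -lt (Get-Date).AddDays(-30) }
$stale | Sort-Object LastSyncDateTime |
    Format-Table DeviceName, OperatingSystem, OSVersion, LastSyncDateTime -AutoSize

# Keep the summary as part of the ongoing asset register (path is arbitrary).
$summary | Export-Csv -Path .\ce-device-summary.csv -NoTypeInformation
```

Run it periodically rather than only at certification time, so the same output serves as the day-to-day asset register the post recommends.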
Applicants should seek to implement a combination of technical controls and processes to record and manage devices in use on an ongoing basis. At present we see many applicants focusing on generating a device list purely for the purposes of their CE certification, when a much better, more sustainable approach is to put processes and controls in place that capture, track and manage devices and their status on an ongoing, day-to-day basis.
Ongoing asset management should reflect corporately provided and BYOD estates, ensuring compliance is maintained as both staff and devices come and go. Once such practices are implemented, recertification in future becomes easier and the certifying organisation is more secure as a result.
Myth 4 – All Firmware is in scope
IASME confirmed in October 2022 that the network equipment listed in response to question A2.8 (firewalls and routers) must be fully supported by the vendor/manufacturer and receiving firmware updates. Listing an unsupported, end-of-life firewall or router will result in an automatic failure.
For desktops and laptops, you must list the make of the devices together with details of the operating system version and build (for example, “25 Dell laptops running Windows 10 Professional version 22H2, 10 MacBooks running macOS Ventura, 100 Samsung mobiles running Android 12”). Any unsupported operating systems will result in an automatic failure.
There is no longer a requirement to list the exact device model. However, if model details for desktops, laptops, mobiles and tablets are supplied, we need to take them into consideration: if the devices are no longer supported by the manufacturer but are running a currently supported operating system, you will receive an ‘advisory’ only. This advisory will state that the devices are no longer receiving security updates and that you should consider replacing them, but no major non-compliance or outright fail will be incurred.
Firmware for the likes of peripherals and Internet of Things (IoT) devices is not in scope for CE.
Continued in part 2