Cyber Essentials and Multi-factor Authentication (MFA)
What is MFA?
Multi-factor authentication (MFA) is an authentication process that requires users to prove their identity by presenting two or more independent verification methods, commonly known as “factors” (typically something you know, such as a password; something you have, such as an authenticator app or hardware token; or something you are, such as a fingerprint). Because the factors are independent, a stolen or guessed password on its own is no longer enough to gain access, which is what protects accounts against credential phishing, password spraying and reuse of leaked passwords. Two-factor authentication (2FA) is the most common form of MFA and requires exactly two distinct factors to complete the authentication process. Microsoft states that “your account is more than 99.9% less likely to be compromised with MFA.”
Cloud Services
Within CE you must list the cloud service(s) that are in scope (A2.9). If your organisation’s data or services are hosted in the cloud, then you are responsible for ensuring that all the CE controls are implemented within those services. Whether the cloud service provider or your organisation implements a given control depends on the type of cloud service (IaaS, PaaS or SaaS), but the responsibility for ensuring the appropriate controls are in place for every cloud service in scope remains yours. Please see the linked guidance on dealing with third-party suppliers. Please also refer to the requirements document (pages 6 and 7), which outlines the shared responsibility model and who is responsible for each CE control.
CE Requirements
To be compliant with CE requirements and controls, every in-scope cloud service must have MFA applied to all administrator accounts and all user accounts that use that service. “All users” includes students as well as staff; there is no exemption for low-privilege or infrequently used accounts.
If even one cloud service does not offer MFA and none of the compliant alternative measures can be applied to it, you will incur two non-compliances, for questions A7.16 and A7.17. Please see the marking guide below:
A7.14 – info only
A7.15 – info only
A7.16 – marked for compliance. If A7.14 is answered No, this will be a non-compliance
A7.17 – marked for compliance. If A7.14 is answered No, this will be a non-compliance
NOTE: This is not an instant failure of CE. You can have up to two non-compliances within CE and still pass, as long as everything else in the submission is compliant.
Please also note: if a cloud service offers MFA and it is not implemented, this will also lead to two non-compliances (see the note above). This includes a provider offering MFA at an additional cost which you choose not to take up, as well as MFA that is available but has simply not been turned on and used.
Plan B
As mentioned above, there are alternative measures that can be implemented if a cloud service does not offer MFA. Five options are given in the guidance, but only the first four are compliant with CE; the fifth, “Use of additional knowledge” (for example a second password or security question, which is still a single “something you know” factor), is non-compliant.
In addition to the above, if any locally hosted services can be published through Entra ID Application Proxy, then the user’s Entra ID account, together with Conditional Access controls such as a requirement for MFA, can be used to gain access to the integrated service(s).
SSO can be used, but only in conjunction with MFA being set up on the identity provider that the SSO relies on; otherwise every federated service inherits a single-factor login. Please see the further guidance from the NCSC.
For cloud services, integrating them with SSO via SAML, where the service supports it, shifts authentication to your identity provider, so a service that has no MFA of its own can still be protected by the MFA enforced at sign-in to the identity provider.
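As an added worked example (not part of the original article or of any CE guidance), the following Microsoft Graph PowerShell script shows the two practical steps behind the Entra ID approach described above: creating a Conditional Access policy that requires MFA for all users across all cloud apps, and producing a list of accounts that have not yet registered an MFA method, which is the evidence an assessor will ask for when checking the “all users, including students” requirement. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All permissions, and that the tenant has the Entra ID licence needed for the authentication methods registration report; the policy name is illustrative.

```powershell
# Added example, not from the original article. Requires the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Permission names below are
# the ones assumed to be needed; adjust to what your tenant actually grants.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All'

# Step 1: a Conditional Access policy requiring MFA for every user on every
# cloud app. Created in report-only mode first; switch $state to 'enabled'
# once the sign-in logs show no unexpected impact. Deliberately no
# excludeUsers: any excluded account is an account without MFA, which is
# exactly what A7.17 marks as a non-compliance.
$state = 'enabledForReportingButNotEnforced'
$policy = @{
    displayName    = 'CE - Require MFA for all users and all cloud apps'   # illustrative name
    state          = $state
    conditions     = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All') }
        clientAppTypes = @('all')
    }
    grantControls  = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created Conditional Access policy $($created.Id) in state '$($created.State)'"

# Step 2: evidence for the assessor. The registration report lists every
# account and whether it has any MFA method registered; anyone listed here
# cannot satisfy the policy above until they enrol.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
        @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending   # admin accounts without MFA first

$notRegistered | Format-Table -AutoSize
Write-Host ("{0} account(s) have no MFA method registered" -f @($notRegistered).Count)
```

Run the report before enforcing the policy: any account it lists will be locked out (or, in report-only mode, flagged in the sign-in logs) until the user registers a method, so the list doubles as the enrolment to-do list for staff and students alike. Services that are published through Entra ID Application Proxy or federated via SAML fall under the same policy automatically, because the MFA requirement is evaluated at the Entra ID sign-in rather than inside each individual service.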
How does this affect CE+?
If you have cloud services that do not offer MFA and to which none of the alternative measures can be applied, you will have to list these services under question A7.15. These services will not be tested within CE+, although they will be checked as part of the CE self-assessment to confirm that MFA genuinely is not offered by the provider, just as the services listed as having MFA applied are checked. If a provider does offer MFA at an additional cost, you are expected to purchase it and implement MFA on the service, even though this can be costly. Essentially, only the cloud service(s) listed as having MFA applied will be tested in CE+. Any non-compliances in the self-assessment will not affect your CE+ result, provided that what has been declared in the self-assessment is true.
Conclusion
MFA is a crucial additional security measure for online accounts and systems: it provides defence in depth, stronger proof of identity than a password alone, and helps protect the integrity of sensitive data. Beyond simply meeting the CE controls and requirements, it is best practice to implement MFA wherever it is available. When procuring new services, make MFA support a top priority for that system. Review current services and, for any that do not provide MFA, challenge those suppliers and seek alternative services which do supply MFA as part of the service.