New Cyber Essentials requirements and question set

Another year, another question set and new updates on Cyber Essentials (CE).

Effective from 24th April 2023, the new question set is called Montpellier. It contains only clarifications and a light-touch update of the question set, unlike the major changes that were introduced last year for the current Evendine question set.

With the new question set comes a new requirements document, which will take effect alongside the Montpellier question set on 24th April. This document includes a table clarifying how third-party and personally owned devices are in or out of scope for CE.

So, what are these clarifications?

  • The biggest thing is the removal of the requirement to list the model of desktops, laptops, mobiles and tablets.
    • Only the make and the operating system (OS) are required
    • This has come in with immediate effect
    • You can now summarise devices, e.g.
      • 100x Dell laptops running Windows 10 Education 22H2
      • 50x MacBooks running Monterey
      • 50x Samsung mobiles running Android 12
      • 50x iPhones running iOS 16, etc.
      • Where custom builds are in scope, please summarise them, for example: 10x custom builds running Windows 10 Education 22H2
    • The model number of network equipment in question A2.8 is still required. This is to determine that these devices are still supported by the vendor/manufacturer and still capable of receiving firmware updates. There is no requirement to list the firmware version.

Do note that the grace periods within the Evendine question set for questions A2.4.1 (thin clients), A6.7 (unsupported software) and A7.17 (multi-factor authentication, MFA) were further deferred from January 2023 until April this year. These will continue to be information only for the duration of the Evendine question set, but will be marked for compliance within the Montpellier question set.

Applicants signing up before 24th April will be able to complete assessments based on the Evendine question set, and will therefore have six months to complete the Evendine assessment.

The changes to the question set also affect how the MFA questions will be marked. The MFA questions A7.14 – A7.17 will stay the same, with some wording changes, but in the Montpellier question set, A7.14 and A7.15 will be information only and questions A7.16 and A7.17 will be marked for compliance.

The dates and deadlines for the Evendine question set are set out as follows:

Last day to create an Evendine CE Assessment account is 23rd April 2023 (this will be Friday 21st April, as the 23rd is a Sunday)

Last day to complete an Evendine CE Assessment is 23rd Oct 2023 (this includes marking and any remediation)

Last day to complete an Evendine CE+ Assessment is 23rd January 2024 (including any required remediation)

Malware protection will see the biggest change this year. The sandboxing question, A8.6 (option C in A8.1), will be removed. In addition, there is clarification that all antimalware solutions are acceptable under the scheme. All next-gen antiviruses (SentinelOne and CrowdStrike, to name a few) are compliant, as is XProtect for macOS. Further advice has also been included on which malware protection is suitable for different types of devices.

There is clarification around device unlocking where the brute-force protections cannot be changed, such as on mobiles that only allow the manufacturer defaults, sometimes allowing for no more than the required 10 failed attempts for CE. It is now acceptable to allow for these, as they cannot be amended.

As mentioned earlier, clarification on third-party devices and student devices has been made publicly available, with a new table within the requirements document showing what is in and what is out of scope for CE.

There will be the addition of a ‘None of the above’ option to multiple choice questions, with the ability to add more information on what’s in place. Answering ‘None of the above’ will result in a non-compliance.

A major non-compliance will be referred to as a ‘non-compliance’ within the Montpellier question set.

The style, language and structure will be updated within the requirements document and the question set to make it a lot easier to read and understand.

There will be some information given with the requirements document around Asset Management, reiterating the effectiveness and importance of this, ensuring applicants are well aware of all devices accessing organisational data and services. There will also be some information on Zero Trust and what it means for CE.

Please see the NCSC and IASME blog posts outlining these clarifications in more detail.

For further support with CE, please do get in touch with our Professional Services team, or utilise our free drop-in clinics to ask questions of Jisc’s CE Assessors.





