The Cyber Essentials scheme is going through the biggest overhaul since its inception back in 2014. The newest update (named Evendine) goes live on the 24th January 2022 and heralds the arrival of a number of changes, including the increased coverage of cloud services, introduction of device locking requirements and new password criteria. Some of these changes go live immediately while others come with a grace period.
In this guide we’ll summarise the top 10 major changes that Evendine will deliver and highlight what organisations need to do to meet the requirements of the updated Cyber Essentials scheme.
Summarising the Scheme Changes
Clarity on Home-Worker Devices
The Cyber Essentials Standard has been updated to include clear definitions of what is, and isn’t, in scope concerning the devices of home workers:
- Both BYOD and corporately owned devices that are used for business purposes within the home location will be in scope for Cyber Essentials.
- Routers that are owned by home workers or provided by their internet service provider (ISP) are out of scope. In this case the devices of home workers on the network will need to have a software firewall configured (meeting the Cyber Essentials firewall controls).
- Routers that are supplied by the applicant organisation will be in scope.
- Where a home worker is using a corporate VPN (which tunnels all data in transit through the applicant organisation’s network perimeter firewall), the home worker’s device internet boundary will be the applicant organisation’s network perimeter firewall.
SaaS and PaaS Cloud Services Now in Scope
Arguably the biggest change to the Cyber Essentials scheme this year is that the scope now encompasses Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) cloud solutions that host organisation data and/or services. Previously the scope only encompassed Infrastructure-as-a-Service (IaaS), which meant that the security of highly adopted cloud solutions such as Microsoft Office 365 and Google Workspace was not in scope.
Cloud services are not secure by default and the changes to the scheme insist that organisations take responsibility for the user access control and secure configuration of their services, including:
- Ensuring that the Cyber Essentials firewall requirements are sufficiently implemented.
- Ensuring that access to administrator accounts and organisation resources are restricted only to users that require it to fulfil their role.
- Ensuring that sufficient malware protections are in place.
- Ensuring that the underlying infrastructure meets the Cyber Essentials security updates requirement.
Cloud Services Must Enable and Apply Multi-Factor Authentication
In addition to the requirements introduced above, multi-factor authentication (MFA) must be enabled on all cloud services where the option is available. Once enabled, the organisation must ensure that MFA is also applied to user accounts. Please note that this requirement only applies to administrator accounts currently but will also include non-admin user accounts as of January 2023. In summary, where a cloud service has the option for MFA:
- All administrator user accounts must have MFA applied.
- Non-administrator user accounts are not required to have MFA applied immediately but organisations should begin working towards ensuring that all user accounts have MFA enabled as the requirement for MFA will come into effect in January 2023.
Clarity on Scoping Thin Clients
Thin clients have been in scope under the Cyber Essentials scheme for a while; however, they were often overlooked as they weren’t explicitly mentioned in the questionnaire. The questionnaire now has a dedicated question to ascertain whether any thin clients fall into scope. A thin client is a simple (low-performance) computer that has been optimised for establishing a remote connection with a server-based computing environment.
Please note that there is a grace period for thin clients to be supported and receiving security updates and the requirement will be marked for compliance from January 2023.
Clarity on Scoping Mobile Devices
Evendine hasn’t changed the requirements for mobile devices but this update includes a clearer definition on when mobile devices are in scope. Mobile devices (smart phones and tablets) will be in scope where they connect to any organisation data or services (including access to emails).
Please note that mobile devices will fall out of scope where they are only used for one or more of the following purposes:
- Native voice communications (Voice calls).
- SMS (Text messages).
- Multi-factor authentication (e.g. via text message or MFA applications).
Servers and Licensed/Supported Software Definitions Added
The Cyber Essentials Standard now clearly defines servers as well as licensed and supported software.
A server is defined by IASME/NCSC as ‘specific devices that provide organisational data or services to other devices as part of the business of the applicant.’
Licensed and supported software is now defined as ‘software that you have a legal right to use and that a vendor has committed to support by providing regular updates (patches). The vendor must provide the future date when they will stop providing updates. The vendor does not have to be the original creator of the software, but they must have the ability to modify the original software to create updates.’
‘Sub-Set’ Clearly Defined When Removing Devices from Scope
When completing the Cyber Essentials certification, the applicant organisation is able to outline a sub-set of the organisation that is in scope, allowing them to de-scope certain networks and devices. A sub-set is now clearly defined as ‘a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.’
Please note that only a sub-set of the organisation infrastructure that is clearly segregated as described above can be removed from scope. It is not possible to remove individual devices from scope unless they are encompassed within the de-scoped sub-set of an organisation’s infrastructure.
Device Locking Requirements Introduced
Device locking requirements have been introduced for devices whose services can be accessed physically (i.e. workstations and mobile devices), but only where the credentials used to log in are used solely for that physical login. Devices whose login credentials also grant access to other services are treated differently: workstations joined to Active Directory, for example, must instead follow the more robust password requirements (explained below).
Devices that fall under these locking requirements (predominantly mobile devices) will need to meet the following criteria:
- Devices must be locked with either a biometric, password or PIN authentication mechanism (password/PIN needs to be at least 6 characters long) AND EITHER
- The time the user must wait between failed login attempts increases with each subsequent incorrect attempt (permitting no more than 10 guesses in 5 minutes) OR
- The user must be locked out of the device after no more than 10 unsuccessful attempts.
New Password and Multi-Factor Authentication Requirements
New password/MFA requirements have also been introduced to increase protection against brute-force password guessing attacks. When implementing password-based authentication one of the following protections needs to be implemented:
- Using multi-factor authentication.
- Throttling the rate of login attempts. The time the user must wait between failed login attempts increases with each subsequent incorrect attempt (permitting no more than 10 guesses in 5 minutes).
- Locking the account after no more than 10 unsuccessful attempts.
In addition, one of the following technical controls must also be used to manage the quality of passwords:
- Enforcing a minimum password length of at least 8 characters with no maximum length restrictions WHERE multi-factor authentication is in place for the service.
- Enforcing a minimum password length of at least 8 characters with no maximum length restrictions WHERE passwords are automatically checked against a list of common passwords and prevented from being used.
- Enforcing a minimum password length of at least 12 characters, with no maximum length restrictions.
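The device locking criteria above and the password/MFA controls in this section share the same two mechanisms: a throttle that permits no more than 10 guesses in 5 minutes (with a growing wait after each failure, or lockout after 10 failures) and a password quality check. The following is an added illustration, not code from the scheme or from Predatech; the doubling delay, the account names and the denylist contents are assumptions chosen for the example, and the clock is injectable so the timing can be verified offline.

```python
import time
from collections import deque

MAX_GUESSES = 10       # scheme: no more than 10 guesses ...
WINDOW_SECONDS = 300   # ... in 5 minutes, and lockout after 10 failures


def password_meets_policy(password, mfa_enabled=False, denylist=None):
    """Accept a password only if one of the three Evendine quality controls
    holds: 8+ chars with MFA, 8+ chars with a common-password check, or
    12+ chars on its own. A deployed denylist is enforced in every case."""
    if len(password) < 8:
        return False
    if denylist is not None and password.lower() in denylist:
        return False
    return len(password) >= 12 or mfa_enabled or denylist is not None


class LoginThrottle:
    """Per-account throttle: the wait after each failure doubles (1s, 2s, 4s, ...),
    at most MAX_GUESSES attempts are accepted per WINDOW_SECONDS, and the
    account locks after MAX_GUESSES consecutive failures."""

    def __init__(self, base_delay=1.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.clock = clock          # injectable for testing (assumed design)
        self.failures = {}          # account -> consecutive failure count
        self.next_allowed = {}      # account -> earliest time of next attempt
        self.window = {}            # account -> timestamps of recent attempts

    def attempt(self, account, credential_ok):
        """credential_ok() verifies the credential; returns one of
        'ok', 'bad_password', 'throttled', 'locked'."""
        now = self.clock()
        fails = self.failures.get(account, 0)
        if fails >= MAX_GUESSES:
            return "locked"
        if now < self.next_allowed.get(account, 0.0):
            return "throttled"
        recent = self.window.setdefault(account, deque())
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()          # drop attempts older than the window
        if len(recent) >= MAX_GUESSES:
            return "throttled"        # hard cap of 10 attempts per 5 minutes
        recent.append(now)
        if credential_ok():
            self.failures[account] = 0
            self.next_allowed[account] = 0.0
            return "ok"
        self.failures[account] = fails + 1
        self.next_allowed[account] = now + self.base_delay * 2 ** fails
        return "bad_password"
```

With a 1-second base delay the doubling schedule alone allows only 9 guesses in the first 5 minutes, so the sliding-window cap is a second line of defence rather than the primary control.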
Changes to the Classification of High/Critical-Risk Vulnerabilities
Applicant organisations are still required to apply updates for high and critical-risk vulnerabilities within 14 days of release, however, the scheme’s definition of high and critical-risk has been changed.
Previously the scheme required that vulnerabilities meet certain CVSS calculation parameters (in addition to the CVSSv3 severity score) to be classed as high or critical-risk vulnerabilities. However, these parameters are no longer considered when determining whether a vulnerability is high/critical risk under the scheme.
As a result, all software updates need to be applied within 14 days of the update being released, where:
- The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
- The update addresses vulnerabilities with a CVSS v3 score of 7 or above
- No detail about the vulnerabilities the update fixes is provided by the vendor
Predatech is a CREST accredited cyber security consultancy and Cyber Essentials/Cyber Essentials Plus Certification Body that offers fully supported, end-to-end certification. Please contact us if you’re interested in a free consultation.