The Cyber Essentials scheme has had its first major overhaul since IASME became the sole NCSC delivery partner in April 2020. Our Lead Assessor, Tony Wilson, explains the new Evendine requirements.
Now that we have assessed a number of submissions, we would like to highlight some misunderstandings, and some areas where applicants may not have appreciated the planning involved in becoming compliant with the updated requirements.
Beacon vs Evendine
The first thing to note is the price difference. For micro companies (1-9 employees) there is no change in price for Cyber Essentials Basic. For larger companies there is a price increase, following NCSC guidance, that reflects the new demands on Certification Bodies: assessors must now spend more time ensuring that scoping has been fully understood, and researching the many operating system versions, makes, models and firmware of laptops, desktops, mobiles and firewalls to confirm that each device is still capable of receiving security updates.
Like its predecessor, Beacon, the Evendine question-set takes its name from areas around the Malvern Hills – but don’t be fooled by the serene name – Evendine is, without doubt, far more demanding than previous questionnaires. It introduces new areas of compliance that applicants must fully understand ahead of submission. These include:
- The concept of sub-sets to help scope/descope systems (you can no longer descope a device via a firewall rule if it resides on the same network as in-scope devices).
- Cloud Services (including account separation and multi factor authentication)
- Device unlocking requirements
There is a major change to existing assessment criteria for high-risk vulnerabilities:
- The definition of a High risk vulnerability is now anything that has been declared as having a CVSSv3 score of 7 or above – regardless of exploit availability or complexity.
A key ambiguity has been clarified which now means that applicants (if they haven’t done so previously) must spend more time preparing asset lists of company owned and Bring Your Own Devices (BYOD):
- Makes and models of all the following devices must be stated:
- Laptops and Desktops
- Thin Clients (for information only in 2022)
- Tablets and Mobile Devices
Other ambiguities that have been clarified include:
- Password requirements now relate to all accounts – not just those that are internet-facing.
- Home routers are only in-scope if they have been supplied by the organisation.
What the changes mean to your company’s approach to becoming compliant
Scoping – the concept of sub-sets
Under Cyber Essentials Evendine, it is still possible to scope the “whole company” or a sub-set – however the rules around sub-sets have changed:
- Sub-sets must be segregated by a firewall and/or VLAN.
- Sub-sets can be used to define in-scope devices or exclude areas of the business.
NCSC would prefer that organisations achieve “Whole company” wherever possible.
You can no longer de-scope devices by simply blocking their internet access at the boundary firewall if they reside on the same network as in-scope devices. In other words, even a back-end Windows Server 2008 R2 machine (an unsupported operating system) that has no connection to the internet would need to be moved to a segregated sub-set to be taken out of scope.
To de-scope devices:
- To achieve “whole company”, move devices to a segregated sub-set (separated by VLAN or Firewall) and remove internet access from that sub-set.
To achieve “partial company”, you could:
- move unsupported devices to a segregated sub-set, give that sub-set a name (e.g. “workshop network”) and declare the scope as, e.g., “MyCompany Ltd excluding workshop network”.
In this example, devices on the workshop sub-set must not be able to access any device on the other MyCompany Ltd networks; however, as you are not declaring “whole company”, they would still be able to access the internet.
- Or, declare the scope as the sub-set itself, give it a name, e.g. “Development network”, and list the other networks that are excluded and cannot access it, e.g. “Development network excluding workshop, corporate and training networks”. In this example, devices on the workshop, corporate and training networks must not be allowed to access the Development network.
Devices taken out of scope by moving them to a sub-set must not be able to initiate inbound connections to the in-scope network. They are, however, permitted to receive requests from in-scope devices.
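The rule above, together with the "whole company" and "partial company" cases described earlier in this section, is exactly what a stateful firewall's connection-tracking rules express: accept new connections from the in-scope side towards the sub-set, accept the replies, and never accept a new connection that the sub-set opens towards in-scope devices (nor, under "whole company", towards the internet). The following is an added example, not code from this article or from NCSC/IASME; the zone names, the interface layout (eth0/eth1/eth2) and the nftables table name ce_scope are assumptions. It models the verdict per packet with a minimal connection tracker and renders the equivalent nftables forward chain from the same policy.

```python
"""Stateful boundary rules for a Cyber Essentials sub-set (added example).

Assumptions (not from the article): three zones, each on its own
interface of the segregating firewall, and an nftables table named
ce_scope. In-scope devices may open connections to the sub-set; the
sub-set may only answer them. Under a "whole company" scope the
sub-set is also cut off from the internet."""
from dataclasses import dataclass, field

INSCOPE, SUBSET, INTERNET = "inscope", "subset", "internet"
IFACE = {INSCOPE: "eth1", SUBSET: "eth2", INTERNET: "eth0"}  # assumed interface layout


def policy(src: str, dst: str, whole_company: bool) -> str:
    """Verdict for the first packet of a connection (nftables 'ct state new')."""
    if src == INSCOPE and dst in (SUBSET, INTERNET):
        return "accept"  # in-scope devices may initiate to the sub-set and the internet
    if src == SUBSET and dst == INTERNET:
        return "drop" if whole_company else "accept"  # whole company: no internet for the sub-set
    return "drop"  # sub-set -> in-scope, and unsolicited inbound from the internet


@dataclass
class StatefulFirewall:
    whole_company: bool
    established: set = field(default_factory=set)  # connections that were accepted as NEW

    def packet(self, src: str, dst: str, conn: str) -> str:
        """Evaluate one packet; `conn` identifies its connection (think 5-tuple).
        A reply is only accepted if the opening packet was accepted, which is
        what lets the sub-set answer in-scope devices without ever initiating."""
        if conn in self.established:
            return "accept"
        verdict = policy(src, dst, self.whole_company)
        if verdict == "accept":
            self.established.add(conn)
        return verdict


def nft_ruleset(whole_company: bool) -> str:
    """Render the same policy as an nftables forward chain (load with nft -f)."""
    lines = [
        "table inet ce_scope {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src in (INSCOPE, SUBSET, INTERNET):
        for dst in (INSCOPE, SUBSET, INTERNET):
            if src != dst:
                verdict = policy(src, dst, whole_company)
                lines.append(f'    iifname "{IFACE[src]}" oifname "{IFACE[dst]}" '
                             f"ct state new {verdict}  # {src} -> {dst}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    fw = StatefulFirewall(whole_company=True)
    print(fw.packet(INSCOPE, SUBSET, "c1"))  # accept: in-scope opens a connection
    print(fw.packet(SUBSET, INSCOPE, "c1"))  # accept: reply on that connection
    print(fw.packet(SUBSET, INSCOPE, "c2"))  # drop: sub-set must not initiate
    print(nft_ruleset(whole_company=True))
```

The asymmetry the scheme asks for lives entirely in the distinction between new and established traffic: the sub-set never needs an "allow" rule towards the in-scope network, because replies ride on the connection state created when an in-scope device opened the connection. A plain stateless ACL that allows "subset to inscope on high ports" to let replies through would let the sub-set initiate as well and would not satisfy the requirement.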
After much anticipation, Cloud Services have now been included as a Cyber Essentials Evendine Requirement.
A cloud service, for Cyber Essentials purposes, is a subscription service (paid or free) where the applicant controls who has user and/or administrative access to it. Examples include Microsoft 365, Google Workspace, QuickBooks and Dropbox.
Under this definition the Questionnaire Portal, for example, would not count as a cloud service, because applicants do not administer users on that platform.
Now that it is clear what counts as a cloud service, you need to list them in the questionnaire.
The following questions are asked of Cloud Services:
- Do all users have Multi Factor Authentication (MFA)?
- Do administrators of Cloud Services have MFA?
- Are administrator accounts used only for administrative tasks, with a separate non-admin account used for standard duties (such as reading email in Office 365)?
In 2022, an applicant whose cloud users do not all have MFA will not fail certification on that point alone, but only if there are no other areas of non-compliance on the questionnaire.
From January 2023, however, applicants will automatically fail certification if MFA is not enabled on all cloud user accounts. We therefore recommend that planning starts straight away, especially for larger companies, so that you are ready for renewal in 2023.
This also means that companies that previously scraped through with this as their one non-compliance must now remediate it if they have not yet enabled MFA.
Unlocking codes for devices have been separated out from account password requirements.
This means that you no longer need to have an 8-character pass code to unlock a device and can opt for 6 characters if preferred.
Changes to assessment criteria regarding high-risk vulnerabilities
Until now, high-risk vulnerabilities were assessed against an envisaged low-skilled attacker using freely available tools. So, even where a finding scored 7 or above on the CVSSv3 scale, it would be analysed further to see whether exploiting it was beyond such an attacker (for example, because the attack complexity was high) and, if so, a pass could still be awarded.
That consideration of complexity has now been removed. Under Evendine, any CVSSv3 score of 7 or more means non-compliance in Cyber Essentials Basic. We believe this will come as a shock to Cyber Essentials Plus applicants who passed under Beacon with unremediated findings scored at, say, 7.2: if those vulnerabilities have not been remediated before renewal, a fail will be awarded.
Listing the makes and models of Laptops, Desktops, Mobiles, Tablets, Thin Clients, Routers and Firewalls
There was an ambiguity in Beacon where the sample answer did not mention the model of the device (even though the applicant was asked for it). This has now been addressed, and Evendine questionnaires will be returned if makes and models are not specified for every device.
The assessor's role is to look up every device listed and confirm that its hardware and firmware can run a supported operating system.
Please be warned: this can be a major operation for larger companies, and even for small ones, especially where personal devices (BYOD) are used to access company information.
We highly recommend that one of the first tasks undertaken when applying under Evendine is to assemble an asset list of every device that can access company information (including BYODs that access email) and to confirm that each one can run a supported OS.
For further information please see the NCSC Requirements for infrastructure.
Indelible Data are a highly respected Cyber Essentials Certification Body and have Certified over 2,500 companies to the scheme. We have produced the definitive guide to passing Cyber Essentials, for more information click here.