Cyber Essentials technical requirements updated with changes to malware protection, device management

UK National Cyber Security Centre says Cyber Essentials version 3.1 will take effect from April 24, 2023.


The UK’s National Cyber Security Centre (NCSC) has announced a technical requirements update for the Cyber Essentials scheme, a government-backed certification that helps UK organisations defend against common cyberthreats. The update involves changes to malware protection and device management and follows a major overhaul of the Cyber Essentials scheme in 2022. The latest update (version 3.1) will take effect from April 24, 2023, with all applications started on or after this date required to use the new requirements and question set.

Cyber Essentials version 3.1 sets out new security clarifications, guidance

Cyber Essentials version 3.1 includes changes and clarifications, alongside some important new guidance. The updated requirements set out by the NCSC include:

  • Malware protection: Anti-malware software will no longer need to be signature-based, and the NCSC has clarified which mechanism is suitable for each type of device. Sandboxing is removed as an option.
  • User devices: Except for network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. The NCSC has removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set, rather than the requirements document.
  • Clarification on firmware: All firmware is currently included in the definition of “software” and so must be kept up to date and supported. Following feedback, the NCSC has changed this to include just router and firewall firmware.
  • Third-party devices: More information and a new table clarify how third-party devices, such as contractor or student devices, should be treated.
  • Device unlocking: Changes to address the problem of device default settings that cannot be changed (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it is now acceptable for applicants to use the default settings.
  • New guidance on zero-trust architecture for achieving Cyber Essentials and a note on the importance of asset management.
  • CE+ testing: The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of malware protection tests.

“All these changes are based on feedback from assessors and applicants and have been made in consultation with technical experts from the NCSC,” the NCSC wrote. As well as the updated requirements and new question set, NCSC’s Cyber Essentials delivery partner IASME is also providing more guidance to help applicants during the certification process. “This includes articles to help applicants understand the questions, as well as access to a dedicated knowledge base. These resources will become available over the coming months.”

Changes to malware protection requirements most significant for businesses

Cyber Essentials certification provider Richard Andreae tells CSO that whilst the updates are generally minor, the changes regarding the treatment of malware protection are significant for businesses. “This now takes into consideration other alternatives that businesses seek out to protect their devices and networks. Previously, malware protection was based on traditional signature-based detection; now, other solutions can be considered,” he says. What is asked for is that, if you use anti-malware software to protect your devices, it must be configured to be updated in line with vendor recommendations and prevent malware from running, the execution of malicious code, and connections to malicious websites over the internet, Andreae adds.

“When auditing systems as part of Cyber Essentials Plus, businesses using the alternative methods would previously have struggled to meet the requirements and have, in some cases, had to revert to signature-based detection to get through. This change should be welcomed by a lot of businesses that use alternative malware detection and response software and will hopefully increase the adoption of the UK’s baseline for cybersecurity.”

Copyright © 2023 IDG Communications, Inc.
