Update: Security standards for defence contractors have been lowered as a result of the coronavirus pandemic, the UK Ministry of Defence has told suppliers.
In an industry security notice published in a dark corner of GOV.UK, the ministry said it was suspending the requirement for its suppliers to hold Cyber Essentials Plus security certification.
"Organisations that obtain or renew CE+ for a future contract will need to provide an electronic implementation plan. This should inform Defence that the supplier is committed to seeking CE+ but cannot do so due to the travel restrictions resulting from COVID-19," the notice states.
It added that the suspension applies to all MoD suppliers "where the cyber risk profile is low, moderate or high". The suspension is necessary because passing CE+ requires an on-site visit by an external assessor, which is hard to arrange while properly following the government's COVID-19 social distancing advice.
While CE+ (and its less strict younger sibling, Cyber Essentials) is more of a baseline certification than the infosec equivalent of building Fort Knox, it is mandatory for companies bidding on certain government contracts, including many MoD ones.
Assessors also carry out basic pentesting and vulnerability scanning, as well as configuration checks on each device, as the National Cyber Security Centre's CE+ test specification [PDF] shows.
The MoD press office did not respond to The Register's questions.
Trust these guys, they've only been breached once
Separately, in early April, the NCSC awarded an exclusive contract to the IASME certification consortium.
IASME is now the only organisation able to grant Cyber Essentials certifications to British SMEs, the number of awarding bodies having been cut from five to one under the new contract. A jubilant IASME reported on its blog that the NCSC had handed it the keys to the cyber certification kingdom because of previous "confusion" in the industry.
"The scheme, which is an important part of the NCSC portfolio, teaches businesses how to protect themselves from the most common internet cyber threats and reassures their customers that cyber security is taken seriously," said IASME. We'd expect the highest standards from an organisation handed such a serious duty, right?
Er, about that. Three years ago, IASME suffered a data breach. A hacker found a configuration error in an IASME software platform that let them extract the names and email addresses of the lead security contacts at companies seeking CE certification.
"This situation was not only avoidable, but was actually caused by poor installation and configuration," said a cyber security expert. Hopefully IASME has cleaned up its act since then. ®
Updated at 09:03 UTC on April 22, 2020 to add:
Since this story was published, the Ministry of Defence has been in touch to say: "We have made temporary changes to our cyber security model to help potential suppliers, who may have difficulty obtaining CE+ if external certifiers cannot perform certification away from their suppliers. Suppliers must still obtain CE and comply with other proportionate, risk-based controls."