User Access FAQ

Category | ID | Question | Answer | Source |
---|---|---|---|---|
ACC_SEPARATION | UA0001 | Some developers need local admin access to compile, debug and check-in source code changes using their standard account. Would this be an auto-fail and if yes, how do organisations manage their local admin privilege needs for development team members? | There are lots of different ways you can manage it. You can use group policies as one way that you can achieve this. It wouldn't be an automatic failure of Cyber Essentials, but you would have problems should you wish to go ahead and undertake a CE Plus assessment. So one of the core controls is that you need to have account separation between standard users and administrators, and if that can't be achieved, we've suggested to descope the developer network. That is a method that you can use to move it out of scope. Obviously it's best practice to get as many of the controls as you can to apply to that descoped portion of the network. If you really can't achieve it, then the best option would be to create a developer network and descope it from the assessment. | CHANGES |
ACC_SEPARATION | UA0002 | Are Admin by Request or Microsoft's newly announced Endpoint Privilege Management a suitable solution to handle local administrator access on user devices? For a large enterprise with thousands of users, each of our developers and users requiring admin rights having multiple accounts (Privileged & productivity) is simply not possible. | Admin by Request can be configured in various ways however this does not mean it is compliant. | CHANGES |
ACC_SEPARATION | UA0003 | What do we do if a user needs admin rights to their PC to carry out their role? | They must use separate accounts for admin. | CHANGES |
ACC_SEPARATION | UA0075 | Hello all, I am having trouble in locating information whether all shared accounts are not permitted, full stop, or if it only applies to user devices and/or admin accounts? | Shared accounts are not compliant with the Cyber Essentials scheme. | LinkedIn_280723 |
ACC_SEPARATION | UA0080 | I have another scenario that's proven to be a point of debate - meeting room PCs in shared office facilities. i.e. there's a videoconf PC in a meeting room that's shared between multiple tenants in a managed office facility. Both the company managing the facility and the tenants (all different companies) need to be able to use this PC to facilitate hybrid meetings. The meeting rooms are also bookable by external third parties. The key element here is that there's no shared authentication domain across all users, BUT - the videoconf hardware (wide angle camera, boundary mic etc) needs to be connected to a PC with the appropriate software. | As the Delivery Partner to the NCSC we must remain impartial to all assessments. | LinkedIn_280723 |
ACC_SEPARATION | UA0087 | I'm interested to know how other organisations are managing administrator accounts on Windows PCs. How do you manage this within your organisation? | All Administrator accounts need to be approved by a person of authority. | LinkedIn_280723 |
ACC_SEPARATION | UA0092 | I have a customer who develops IIS web applications using Visual Studio. The VS documentation states “You must run Visual Studio as an administrator in order to work with IIS” and they also need to access Internet repositories. Any suggestions as to how they could satisfy the account separation requirements? (apparently giving their user account full control over the IIS folders/files doesn't work). | 0 | YAMMER_280723 |
ACC_SEPARATION | UA0098 | I am working through the self-assessment CE certification and believe we are on track; however, I have hit a snag with the ‘shared user account’ requirement. I have 3 logon account types which I’m scratching my head over.<br>These processes cannot be converted to run as non-interactive, and running these processes as an individual puts us in a ‘single point of failure’ position. | 1/2 Shared accounts are not compliant with the Cyber Essentials scheme. The use of unique accounts is required by all users and administrators.<br>You would have to sub-set these devices. | LINKEDIN_290923 |
ACC_SEPARATION | UA0101 | Re: A7.2 Are all user and administrative accounts accessed by entering a unique username and password? | Shared accounts are not compliant with the Cyber Essentials scheme. | LINKEDIN_290923 |
AUTHENTICATION | UA0004 | When using third-party cloud services (such as 365) is it acceptable to use one centralised mobile device owned by one user to retrieve the authentication code, even if there are various users using the system? | Yes, it's acceptable but perhaps not advisable, for example - what happens if you lose the phone? You need to consider various scenarios and what might happen if problems occurred. | CHANGES |
BYOD | UA0005 | Many charity-based organisations rely heavily on volunteers who use their own personal devices to access services like email etc. Management of the volunteers' devices is quite expensive to license and is financially quite impactful to the charity. Is there any guidance on how best to deal with volunteers to bring them in line with CE requirements without having significant financial implications for the charity? | We get lots of questions about this and we know BYOD for volunteers is a difficult issue to deal with. Those devices can still present a threat to the organisation because in many charities etc. they are known to have access to email systems. Often we have seen volunteers through their BYOD devices having access to their personal information via case management systems, etc. If they're connecting to a cloud service you need to look at what's called a conditional access policy, and look at your cloud services where this can be applied at the level of whether the operating system of the device is supported or not. There is then the option to apply and inform your users with written documentation. About the other controls that need to be applied, we can't allow just documented policy to be the only solution in this scenario. There needs to be some element of technical control, so monitoring whether the operating system is supported and up to date is the way to do that. We have spoken to charities over this and had positive feedback, and actually what’s worth doing is investigating your cloud services because many cloud services allow this. Office 365 or MS365 and Google Workspace offer this; we've seen this with some Citrix products that are often used in these organisations, and that is one area we will be writing further guidance on because we recognise this is an issue. But we cannot just exclude volunteers' devices; they can still present a threat like any other organisation using BYOD. | CHANGES |
BYOD | UA0006 | What are all the controls expected on BYOD devices where users are accessing emails and chat modules, and how are these going to be assessed by the auditor? | 0 | CHANGES |
BYOD | UA0060 | If an Organisation has a policy that we do not allow BYOD, is a technical control needed to stop unauthorised BYOD? | That would be something that the organization needs to find a solution to, but you have the general rule of thumb that if they're not allowing BYOD, you'd be monitoring, or your cloud services would not allow them to connect. So you'd only be allowing authorized devices supplied by the organization. You would be having to monitor that, and again it comes down to asset management - your understanding of how and which devices are connecting to your cloud services. | DigitalLoft240423 |
BYOD | UA0062 | So the need for controls on BYOD devices used to access VDI is due to a vulnerability in the way VDI is implemented? (something was said about session being left open?). Can you clarify/confirm? | Client access software needs to be on a supported operating system and that client access software must be kept up to date and updated with all their latest security updates. So we are listening and looking at what the vendors do regarding this. There are known vulnerabilities carried out by commodity attacks against devices trying to access those sessions and screen recording those sessions; there's a number of published attacks that happened on Dell Wyse terminals that took place, so that is why BYOD are in there as evidence. And we've not shared all the evidence or all the vulnerabilities. When we discussed this with the NCSC subject matter experts, those devices must remain in scope because there are known commodity Internet attacks taking place against them. | DigitalLoft240423 |
BYOD | UA0076 | We are a small charity and currently our Board of Trustees access board papers and other related documents in Microsoft Teams using their BYODs. As they are Trustees and access our Teams environment we understand that their devices are in scope for Cyber Essentials. We would like to remove all BYODs from accessing our internal systems and are looking at other ways to give the Board easy access to papers. If we were to set up a separate SharePoint site, just for Trustees, where they have read only access to documents would this be classed as a web portal and therefore be out of scope for Cyber Essentials? Thank you in advance. | 0 | LinkedIn_280723 |
BYOD | UA0096 | I'm hoping someone can offer some advice around employee BYOD devices in a CE+ assessment. | 0 | YAMMER_280723 |
CLOUD_SERVICES | UA0007 | During our CE re-certification we had a lot of back and forth with the assessor about declared "Cloud Services". However, these are poorly defined in the guidance doc. It might have saved a lot of time had these been better defined from the start. Some were judged to be "web apps" but we were not really any the wiser as to how this distinction had been drawn. Any suggestions? | A working definition is ‘a cloud service is where an applicant subscribes to a service (either paid or free) and controls who has access and/or carries out administrative duties'. | CHANGES |
CLOUD_SERVICES | UA0041 | How will we be audited around the SaaS solutions that are in use in the firm? | SaaS solutions need MFA for all users and this would be checked under CE+. Some elements of secure configuration may be under your control with SaaS. | LITIG |
CLOUD_SERVICES | UA0043 | We have some cloud services using 2FA not MFA is that sufficient to meet the requirements? | Yes. 2FA adds an extra factor beyond the standard login and is considered a type of MFA. | LITIG |
CLOUD_SERVICES | UA0063 | The "cloud" in relation to cloud services is quite a vague statement. What exactly is a cloud service in the context of CE? All services held on the internet or a specific criteria of cloud providers? | A cloud service is where an applicant subscribes to a service (either paid or free) and controls who has access and/or carries out administrative duties. This has been clarified on the slides just now and we hope to produce this wording which can be used in a blog shortly. | DigitalLoft240423 |
CLOUD_SERVICES | UA0065 | Does cloud services and MFA include ZTNA access systems? | Zero Trust Network Access (ZTNA) is a solution to facilitate Zero Trust in an organisation. As included in V3.1 of the CE requirements, the NCSC Zero Trust Model includes all the controls of CE, so any ZTNA solution would be in scope. | UCISA |
CLOUD_SERVICES | UA0066 | How do cloud services like O365 fare in this? If an academic with his own laptop ONLY wants to access our O365.... do we need to control the device? With zero on-site access. | Office365/MS365 needs to be configured to match the requirements outlined in the CE requirements. | UCISA |
CLOUD_SERVICES | UA0083 | Has anyone had Windows365 VMs go through CE? We're just deploying some (only 2) and coming up for CE renewal. | As long as both the VM and the cloud service have the controls applied and are supported, then there should not be an issue. | LinkedIn_280723 |
COMMENT | UA0067 | Students and staff have different access rights, obviously, but they both come from the same directory. | The accounts used to access systems and data are covered by the User Access control. How you configure directory, file and folder structure is not covered by CE. | UCISA |
DEVICE_LOCKING | UA0058 | DEVICE_LOCKING | It is meant as you can only log in to that device as opposed to using a device on a network where you could login to an AD machine through any device. | DigitalLoft240423 |
DEVICE_LOCKING | UA0059 | For device unlocking, ref A.5.11 - please can you put in context "used solely" to access the device and when would you defer to 12 character password - looking for context | When you're ONLY unlocking the device, that is when the device unlocking controls must be applied. When you are logging into something that's connected to a network, an Active Directory network for example, that is when you would use the 12 character password or the other controls - minimum 8 character with a password deny list enforced, or 8 characters. And of course MFA. | DigitalLoft240423 |
DEVICE_LOCKING | UA0077 | In the requirements document it states that "If credentials are just to unlock a device, use a minimum password or PIN length of at least 6 characters". | All users will need a unique 6 digit PIN/Password solely for unlocking their devices. | LinkedIn_280723 |
DEVICE_LOCKING | UA0086 | Is it possible to use a reMarkable 2 tablet within Cyber Essentials? I've been hearing murmurs they only support 4-digit PINs. | The scheme is required to be vendor neutral and not permitted to offer any approval or endorse any solution or product. | LinkedIn_280723 |
MFA | UA0008 | 2FA on 365. We had multi-factor on all accounts set at tenant level and on Microsoft's advice had to remove this and move to a manual model where it's set separately on each account, as we have accounts for SMTP feeds from devices and systems that cannot be authenticated via 2FA. How can we get around this? | MFA should be activated for the whole tenant, as not doing this exposes the whole system. | CHANGES |
MFA | UA0009 | As a school it is not possible for us to implement MFA for all users on all cloud services (i.e. Office 365). This would create a serious barrier to learning for our students. All staff have MFA implemented. Can you suggest a way that we can still be compliant with the new requirements of CE? | For CE you can implement MFA by only allowing access via a trusted device/network which a lot of schools have moved to. The top 4 methods of MFA listed here are acceptable - https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services. | CHANGES |
MFA | UA0010 | As a school it is not possible for us to implement MFA for all users on all cloud services, i.e. Office 365. This would create a serious barrier to learning for our students. All staff have MFA implemented. Can you suggest a way that we can still be compliant with the new requirements of Cyber Essentials? When you say this you can't set the scope for every student at home on their individual router - it's just not possible. How can you implement this, as how can young kids know how to authenticate on their device - it's just not possible. | There are a number of ways that you can apply multi-factor authentication. I put a link to a blog earlier in the chat. This announcement is a link to NCSC guidance about MFA and how you can apply it. So if you look at that guidance there's five ways listed in there, but Cyber Essentials will only accept the top four. So that's using a managed enterprise device as an extra factor, using an app on a trusted device as an extra factor, using a physically separate extra factor or using a known or trusted account as an extra factor. Those are the ways that you can apply MFA. It's not just using something like a mobile phone or linking into a router belonging to the home device. Obviously, unfortunately, where this isn't possible we know that we'll create barriers for some people. You can still pass the assessment. You'll be taking one non-compliance for not being able to apply it to all standard users. It shows that you're not meeting the controls. It shows that you're recognising, and we're informing you, that there are areas of weakness within your infrastructure. Unfortunately, it's not compliant for the scheme because everyone must authenticate using MFA, and it would be down to a business decision of the school as to what controls you put in and what services you're providing to your students. This is a common issue as we develop technology. Obviously the security needs to keep up with the availability, so I understand that's probably not the most helpful answer. But take a look at that article, see what can be done and see what you can do to beat this, and also really make sure that your students and your services are as protected as they can be and remain compliant with the scheme. | CHANGES |
MFA | UA0011 | Can you please provide guidance on the MFA requirement on firewalls? | Firewalls should be protected by MFA where possible - see the NCSC document. | CHANGES |
MFA | UA0012 | Can we use conditional access policies within Office 365 to control what users can access in terms of services and data if they can't use MFA? For example, conditional access, only allowing them to access Office 365 apps and data if they are using a work computer and from the company network only and denied from all other locations and devices? | Yes, conditional access is an option, although MFA should be used where possible. See NCSC doc | CHANGES |
MFA | UA0013 | Can you please provide a definition of what is classed as a cloud service .v. a web app? As we have about 200 potential services? | It's usually taken to be where you subscribe to a service whether paid or free and have some sort of administrative control - creating/deleting accounts, assigning access, setting configuration, etc. | CHANGES |
MFA | UA0014 | Cloud services extend to what definition - services that clients use that are not owned by the company (e.g. Land Registry) or just services that the company own/purchase for access, such as Foldr? | It's usually taken to be where you subscribe to a service whether paid or free and have some sort of administrative control - creating/deleting accounts, assigning access, setting configuration, etc. | CHANGES |
MFA | UA0015 | Do we need to enforce MFA to our customers as our product is a SaaS cloud service? We have SSO in place but we don't enforce it. | Your customers do not come into it for MFA, but because you are offering that cloud service, if they're getting CE, they will need to have MFA applied to their application credentials. So this means that you would probably get quite a lot of customers coming back to you asking that MFA be made available. For SSO, when we talk about authenticating by MFA, that just means the authentication method of that cloud service needs to use multi-factor authentication. If you want to do some kind of SSO or federated access, it's really different names for the different ways that you can do it. The main thing is to think about whose organisational service it is, whose organisational data it is, and if that organisational service is part of the cloud service, then that must be authenticated using MFA for the applicant. | CHANGES |
MFA | UA0016 | Does MFA need to be triggered at every sign in on cloud services or can it be periodically? | It does not have to be triggered at every sign on, and can be periodically - depending on how the MFA is set up. | CHANGES |
MFA | UA0017 | For connection to M365 can MFA be implemented once a week or does it have to be implemented at every logon / connection? | It doesn't have to be every time, but it needs to be configured on the user account - you can't be selective with which users have MFA, it must be applied to the whole tenant. But we don't set any conditions about the time limits or how often. | CHANGES |
MFA | UA0018 | For enforced MFA for "all users of cloud services" - does this apply to customers of our organisation who also use the cloud service to engage with us? | It does not include your customers for your assessment, but if they are subscribing to your product and it is a cloud service to them, then they would need to have MFA applied for their assessment if they had CE. | CHANGES |
MFA | UA0019 | For IT staff with admin access in an on-prem non-hybrid Windows network, MFA implementation can be tricky and/or expensive. Is it mandatory for all admin access in this scenario? | MFA is mandatory for all cloud service admin access. | CHANGES |
MFA | UA0020 | Further clarification, this system would not be sold or offered to customers. It would be an internal application, but hosted on the web. The application would still enforce minimum password complexity. (Is it possible to get further clarification on the difference between a Web Application and a Cloud Service? We feel it's not clear: if we develop a web hosted application, which does not leverage MFA for standard users, can this lead to a CE failure?) | 0 | CHANGES |
MFA | UA0021 | Google Workspace doesn't allow bypassing of MFA for trusted networks. It requires MFA to be used everywhere and anywhere once MFA is enabled. How would we achieve certification for student accounts when we are not able to do this? | We do not usually give advice on individual configurations for software, but we do now have licensed Cyber Advisors (CE) that can help you get through this and come up with potential solutions. One potential solution is setting up authentication via Azure. https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial | CHANGES |
MFA | UA0022 | Hi, if a cloud service does not provide MFA (or SSO), does that mean we are at risk of failing our assessment? | You will be asked to list the cloud service that does not offer MFA. It will still be possible to pass the assessment but you will have to be compliant in all other questions. | CHANGES |
MFA | UA0023 | Hi, our college has a futures area where some students are looked after during their time at the college; they use computers and Google Classroom. Most of these students will most likely not have mobile phones for MFA, so how would we go about setting this up? | There are a number of ways that you can apply MFA. The NCSC document linked here https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services provides the details under "Choosing extra authentication factors". | CHANGES |
MFA | UA0024 | If a service or portal that a client uses does not offer MFA to be enabled/set up, does this mean we have to move services away from this provider to one that does? (thinking of questions A7.15-A7.17) | All cloud services must authenticate using MFA. If they do not offer MFA themselves, but they can be configured to authenticate through another service that does use MFA (like SSO), this is acceptable. If you cannot authenticate using MFA then you will receive non-compliances against A7.16 and A7.17 (A7.14 and A7.15 are being changed to info only, and so it is still possible to achieve CE as long as everything else is compliant). | CHANGES |
MFA | UA0025 | If MFA requirements are met at log-in, does that authentication automatically carry through to any SSO applications? | The underlying authentication system must have MFA enabled to be compliant. | CHANGES |
MFA | UA0026 | If online login is disabled on an O365 account and users only use Outlook on their office computers within the network whilst in the office, is MFA still expected for those particular users? | That would depend on how it's implemented. It's a cloud service at the end of the day, so MFA would need to be applied to those accounts. | CHANGES |
MFA | UA0027 | If you are providing students access to a cloud service then these accounts must have MFA. You can still achieve CE, but will pick up 1 x non compliance. With the 1x non compliance would you still be able to achieve CE? | Yes that is correct. | CHANGES |
MFA | UA0028 | If you host a VPN, is 2FA required? | MFA should be activated where available. | CHANGES |
MFA | UA0029 | In response to the reply, we set up accounts on Land Registry for our offices to use, but Land Registry (run by the Government) don't offer MFA for the end user, only for the admin user (Jon (Unverified) asked "Cloud services extend to what definition - services that clients use that are not owned by the company (e.g. Land Registry) or just services that the company own/purchase for access, such as Foldr?") | 0 | CHANGES |
MFA | UA0030 | MFA - Service accounts would have to be excluded from MFA (especially in a hybrid environment). How do we exclude these from scope? | Service accounts must be set up using MFA where possible. | CHANGES |
MFA | UA0031 | Microsoft 365 sets up MFA for all users but DOES NOT *require* MFA login unless it identifies a security anomaly e.g. logging in from a different country. Is this compliant or must MFA be *forced* each and every login? | MS365's method is acceptable. The test would be to attempt to login from an untrusted device / network which you can do through an incognito browser. You should then be challenged for MFA. | CHANGES |
MFA | UA0032 | Much like Jake, our school uses Google Workspace and it would be highly costly and very, very difficult for us to implement MFA for student accounts. Again, is there any way we would still be able to achieve certification under the new requirements if student accounts don't have MFA? | If you are providing students access to a cloud service then these accounts must have MFA. You can still achieve CE, but will pick up 1 x non compliance. | CHANGES |
MFA | UA0033 | RE Cloud Services MFA requirement. What happens if the service does not support MFA (or SSO)? Either it doesn't have any support whatsoever, or the MFA/SSO support is only offered on Enterprise tiers, which are generally ridiculously priced. We've seen 500% increases just to get MFA/SSO. Can a business accept the risk with a business case/risk assessment? | If your service does not provide any form of MFA or SSO, or the provider asks you to pay for MFA, unfortunately it's NCSC guidance that you should be applying MFA where it's available, so the rules are: if you've got SSO you must deploy it and then make sure that MFA is on that. And if you have to buy or pay an additional fee just to have MFA, you'll need to do that now. We've seen that with some procurement systems in the public sector and it may not ethically be right, but it does mean you are better protected when you have MFA on those services. Where a service has no MFA at all, we ask you to list that. We will be collating that data, and the NCSC and IASME will be using that data to try and put pressure on those cloud services where it's not available. MFA is throughout NCSC guidance and we have to remember it is their guidance that forms the controls in Cyber Essentials. MFA is a crucial part of providing protection to your cloud services, so we will be looking at that. We will continue to monitor this, but there is no intention about risk appetite or letting a risk judgment be placed on the applicant; that is mitigated for by the controls in Cyber Essentials, because Cyber Essentials is based on a risk assessment which is looking at the cyber security for the UK by the NCSC. So they carry out the risk assessment. These are mitigations, but we do recognise there are issues around MFA where some cloud services actually don't have MFA available. So you may be marked down for not having it available, but it will not cause an automatic failure of Cyber Essentials. | CHANGES |
MFA | UA0034 | Should MFA be in place for admin accounts (separate from normal accounts) that can only be used internally? | MFA should be activated where available | CHANGES |
MFA | UA0035 | We run a grants application system for public users and it is cloud hosted. MFA is not possible for these users, so does that mean we would not be compliant? | It would depend if you consider this as a cloud service or as a web portal. A definition for this will be getting pushed out publicly shortly, but we would determine this as: A cloud service is where an applicant subscribes to a service (either paid or free) and controls who has access and/or carries out administrative duties. | CHANGES |
MFA | UA0036 | What happens if a business has a lob SaaS product with MFA which requires the lob mobile app? Basically it requires all staff to have a mobile device running the lob app for MFA. The SaaS product doesn't support SSO. | We would advise activating MFA wherever possible. | CHANGES |
MFA | UA0037 | Where we have students with severe learning difficulties, is there scope around MFA to assist them sign in? Many don't have mobile phones or have the capability to manage MFA | There are several methods that can be used for MFA. See https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services for the details under "Choosing extra authentication factors" with the top four being the acceptable methods (managed device, trusted app, physical factor, and trusted account) | CHANGES |
MFA | UA0038 | Will our SaaS application that is used by external users, i.e. not employees, need to enforce MFA for those users? | If it's not the users of the organisation that certified and they're not accessing that organisation’s organisational data or service, they're not included within the scope of their assessment. However, if they're subscribing to that SaaS application, and they then need to carry out their own CE assessment, it would be included within their scope so they would need to have MFA applied. So this means that if you are a cloud service provider providing a SaaS application, you may get a lot of your customers coming to you requesting that MFA is added to that service. | CHANGES |
MFA | UA0039 | Would SSO/MFA be required for inhouse developed apps that are hosted on site systems and not cloud environments? | If internally hosted it wouldn't be a requirement. It's an option as a method to prevent brute force. You can use one of the alternative methods of brute force protection, but MFA is one of them. Especially if you're developing it and it's going to become a fully fledged cloud service in the future it would probably be a good idea to include that. | CHANGES |
MFA | UA0040 | What happens if a business has a lob SaaS product with MFA which requires the lob mobile app? Basically it requires all staff to have a mobile device running the lob app for MFA. Add a note to my question: the SaaS product doesn't support SSO. (What happens if there is a lob SaaS product with MFA but only to a lob mobile app?) | 0 | CHANGES |
MFA | UA0042 | What methods of MFA are acceptable to secure SaaS solutions or indeed cloud solutions more generally? | There are four methods of MFA that the NCSC allows which are detailed in https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services under ‘Choosing extra authentication factors’. These are managed device, app on trusted device, physically separate extra factor, and trusted account. Using an extra piece of information is not compliant as this is considered vulnerable to the same types of compromise as passwords, such as guessing, brute force and interception. | LITIG |
MFA | UA0044 | How can we enforce cloud services to set up MFA? | If a cloud service does not provide MFA, please provide the details in the relevant section of the assessment (A7.15). | LITIG |
MFA | UA0045 | Would A7.16 and A7.17 be answered as No even if MFA is not available on some cloud servers? | Yes - if it’s not available they still have to answer No. The question is whether it’s enabled for users and administrators, and if not, they are not compliant. We understand there has been some confusion over this and will look at updating the marking guide to clarify this. | AW260723 |
MFA | UA0046 | 0 | MFA: A7.14 and A7.15 is asking about the cloud service. It’s information only. | AW260723 |
MFA | UA0047 | For A7.16 and A7.17 why does the marking guide still say ‘where MFA is available’? | This is the one we were speaking about earlier. Yes, we know it’s wrong; yes, we’ll speak to Neil about it and we hope to change it. | AW260723 |
MFA | UA0048 | A client has to upload tender submissions to an MoD cloud portal. They have an admin login and can set up accounts for other users to work on the tender. The portal does not have MFA and the MoD have not been very helpful in answering my questions. My client does a lot of work with the MoD so there is no alternative. In this case what are they supposed to do? | They can still achieve CE but all other areas must be compliant. If they move onto CE Plus and have declared this service as not having MFA, then it will not be tested as part of their audit. | DigitalLoft240423 |
MFA | UA0049 | Cloud Apps - Is it a fail if ONE cloud app does not have MFA? (talking about CE+ here, rather than basic CE) | It is not an automatic failure, if MFA is not available from the cloud provider. | DigitalLoft240423 |
MFA | UA0050 | How can we enforce cloud services to set up MFA/2FA/SSO where they are not a direct supplier to us? For example, where a client sends a link to Dropbox or WeTransfer in order for us to access or share documents with them, but we do not have a contract for Dropbox or WeTransfer? | If the client is requesting that you use Dropbox or WeTransfer, it would be their responsibility to set up MFA. Dropbox has MFA, and if it was your instance you would expect to be logging on with MFA yourself, and where possible for the clients. But they may be using their own account to access Dropbox, meaning they would be the only people who can configure the MFA. | DigitalLoft240423 |
MFA | UA0051 | Is SSO an acceptable alternative to native MFA with a cloud solution, if the identity provider being linked to for SSO supports MFA (E.g. Azure AD)? | We would not say this is an alternative, but as long as a cloud service uses SSO to authenticate and that authentication method uses MFA, this would be compliant. The reason we are asking people to tell us which cloud services do not support MFA is so we can identify any major suppliers who do not. We hope to then encourage them to introduce it. | DigitalLoft240423 |
MFA | UA0052 | Just to respond, I didn't get an answer RE if SSO is acceptable alternative to native MFA with a cloud solution, if the identity provider being linked to for SSO supports MFA (E.g. Azure AD) | The authentication method must use MFA. So if you can use SSO to authenticate through another cloud service that does provide MFA, this is acceptable and compliant. | DigitalLoft240423 |
MFA | UA0053 | Is Windows Hello with the device as the 2nd factor an acceptable MS365 MFA configuration? | If the device is considered a managed enterprise device then this would be acceptable: https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services . The top 4 methods in this article can be utilised. | DigitalLoft240423 |
MFA | UA0054 | Isn't the marking scheme changing so that all cloud services must have MFA? | All cloud services must use MFA to authenticate. If you have a cloud service that does not offer MFA then it is still possible to achieve Cyber Essentials, but all other questions must be compliant. | DigitalLoft240423 |
MFA | UA0055 | Regarding MFA, is a Breakglass account out of scope? | Breakglass accounts should still have a form of MFA applied, but should use an alternative method of MFA to other users. An example of MFA for a breakglass account could be logging into it from a trusted managed device. | DigitalLoft240423 |
MFA | UA0056 | Would be nice for NCSC to put pressure on Egress here which is used across the board with government, law enforcement etc. Sure with SSO it negates it to a certain extent as long as the identity provider then supports MFA but as standard Egress Protect should support MFA in this day and age. | The authentication method must use MFA. So if you can use SSO to authenticate through another cloud service that does provide MFA, this is acceptable and compliant. | DigitalLoft240423 |
MFA | UA0057 | Does it need to be traditional MFA? What about Windows Hello with the device as the 2nd factor? | A managed/enterprise device is acceptable. The top 4 methods in this article can be utilised. https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services | DigitalLoft240423 |
MFA | UA0064 | What about using methods such as SDA from Cisco for network segregation, is this allowed? A lot of organisations are adopting this type of technology and replacing network equipment to implement this technology. | This came up on the Technical Working Group and over the last year it has been looked into. We've got to be careful because we are completely vendor neutral within the scheme, so we can't call out proprietary systems used by Cisco. | DigitalLoft240423 |
MFA | UA0068 | Must all Cloud services have MFA? | All Administrators and all users of a cloud service must have MFA enabled. This requirement includes all student accounts. | UCISA |
MFA | UA0069 | Has anyone rolled out MFA to all Students? Any ideas on best practice in doing this would be helpful! | Answered in the chat | UCISA |
MFA | UA0070 | 26.25 The MFA to be brought in on the client portal - will this be required every time they log in? So for a third party IT company, they'll need to communicate with their client every time they wish to log in, or will nominated helpers' emails also receive the MFA code? | I think that the nominated helper will get the code for that one. For the first question there is a toggle, I believe, to do it so it's once in a period or every login; at the moment we're doing it every login, we'll see how that runs. And then I believe that the third party, so the helper, because they've provided that email address, will get the helper's login. I haven't tested it from a complete outsider point of view; the only way I've had to test it so far is from the eyes of an assessor if they were asked as a helper, and that's how I tested it all. Feel free everybody to use the reference portal, the MFA should be on there, so have a play around with it and let us know if you have any questions. | AW230523 |
MFA | UA0071 | 26.18 Text said should, I read it as must. | Cloud services must have MFA enabled. | AW260423 |
MFA | UA0072 | 29.55 Would RSA using a soft token not be considered a form of MFA for a VPN connection now? | So as long as it meets one of the top four of the authentication factors as listed in the MFA blog by the NCSC - that's using a managed enterprise device as an extra factor, using an app on a trusted device as an extra factor, using a physical extra factor, or using a known or trusted account as an extra factor - then that's what you're looking for, one of those. We would expect you to use your knowledge and determination as an assessor to come up with whether that particular setup is compliant. There's quite a lot of advice in there; we do leave it open on purpose, so it would depend on what's written in there and if that matches what you're seeing. | AW260423 |
MFA | UA0073 | If a client puts No to A7.14/A7.17 due to not having cloud services would they still be able to select Yes if they have no cloud services but still have a policy to enable it? | There's no need for a policy here, It's only where cloud services are included in scope, we can look to update that. They can be answered yes or no and still be compliant, an answer of no can be marked as compliant for all of them if there's no cloud services listed in A2.9, we'd expect to see an assessor comment, if it was picked up in moderation that could be an oversight, we'll happily turn it to green if that's a failure point. I will look at speaking to Neil about getting the marking guide amended. The last marking guide, in Evendine we had this only where they're listed within scope of the assessment. | AW260423 |
MFA | UA0074 | I am looking at question A7.14 and reviewing all our cloud services. We use Workbooks CRM with Login Protection activated (Login Protection sends an activation link to users which they must click on before they can access the user interface from a new device on a recently-unseen IP address). Would this be acceptable, or should I look to implement the Google two-step verification process also? | | LinkedIn_280723 |
MFA | UA0079 | Montpellier question A7.17 talks about enabling MFA for cloud services. Our e-mail provider supports MFA for admin accounts, which we are already using, but it has no option at all for MFA on user accounts. However, the question guidance for A7.17 says “All users of your cloud services must use MFA” which we obviously cannot do. Is this permissible for CE, given that we have enabled all of the MFA options available to us? | This would be a Non-compliance for A7.17 but would not necessarily constitute a fail. | LinkedIn_280723 |
MFA | UA0084 | Do you need to have 2FA enabled for your entire 365 tenant, or can this be done on a user by user basis? We might need some basic Exchange accounts for SMTP feeds that cannot use authentication and wanted to check that this wasn't going to cause an issue with Cyber Essentials Plus at the next renewal. | As the entire tenant is in scope of assessment for Cyber Essentials, MFA must be enabled on all accounts. | LinkedIn_280723 |
MFA | UA0085 | What does Cyber Essentials say about MFA and how should it be deployed and/ or implemented? | MFA is an important part of Cyber Essentials and you should implement MFA where available. Authentication to cloud services must always use MFA. | LinkedIn_280723 |
MFA | UA0089 | I have had an enquiry from a medium size charity that wants to use Google’s PassKey as a form of MFA. I asked IASME and they cannot advise as it is a technology. From my reading and If I understand it correctly, the argument is that | We will be discussing Google Passkey with NCSC. This technology was only released in public on the 23rd May 2023. We will be discussing further with the relevant NCSC subject matter experts. | YAMMER_280723 |
MFA | UA0090 | Looking for some advice on MFA in the education sector (primary school) and if certain services would be in scope or not. The services are PurpleMash, TTRockstars, MyMathstery, Oxford Owl, RM Integris, ParentMail, ParentPay, MedicalTracker. Are these all cloud services, or web portals that are out of scope? For example, ParentPay and ParentMail have MFA enabled for staff but it cannot be enforced for parents (although available). Others are education portals used by children as young as 5, therefore MFA, even if available, cannot be enforced on a 5 year old. Any feedback and guidance would be much appreciated. | Schools and colleges are being advised to up their cyber security standards; please see the information supplied by the Department for Education, updated in March 2023. | YAMMER_280723 |
MFA | UA0093 | Just a quick question regarding question A7.17, 'Has MFA been applied to all users of your cloud services?' - For a school, does this requirement apply to students as well? | | YAMMER_280723 |
MFA | UA0094 | I take it the use of APIs is OK, since the authentication methods don't allow for MFA. | Service Accounts: | YAMMER_280723 |
MFA | UA0095 | With the latest CE spec, I'm aware that if MFA is not available at all that is still currently acceptable. However, did Montpellier make it so that if MFA/SSO requires extra payment, clients are now required to pay or switch to a different service? | The position is that if MFA is available, either as part of the service or as an additional paid option, then it needs to be applied to be compliant. | YAMMER_280723 |
MFA | UA0100 | Under the new Cyber Essentials rules, what are your organisations doing to secure all cloud services with MFA? Has anyone recently gone through the audit process and passed under the new rules? | | LINKEDIN_290923 |
PAM | UA0099 | Is it sufficient to just control the work profile on an Android device or must you have control of the whole device? | The controls must be applied to the device as a whole and not to a specific profile on the device. | LINKEDIN_290923 |
PASSWORDS | UA0061 | Are 12-character passwords enough in light of the latest Hive Systems study? With no complexity, as dictated by the standard, they can be cracked in 1 second with a 4090. | That is the current position as advised by the NCSC subject matter experts and should be taken as the minimum length to be compliant for internally hosted services. All cloud services must also use another factor. | DigitalLoft240423 |
PASSWORDS | UA0078 | Can anyone advise on how to protect an Apple Mac laptop from brute force attacks on logon (to meet Evendine A7.10)? As a very small business, a simple solution that doesn't require a high level of technical skill would be appreciated. Thanks in anticipation. | You must be making sure that passwords are protected against brute-force password guessing by implementing at least one of: | LinkedIn_280723 |
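The A7.10 control that the answer above refers to is about limiting how many password guesses an attacker can make. The block below is an added example, not code from this FAQ or from IASME/NCSC: it implements the two usual forms of that protection, a sliding-window guess limit and a temporary account lockout, for an in-house login path. The thresholds (no more than 10 failures, counted over a 5-minute window) are taken from the Cyber Essentials "Requirements for IT Infrastructure" brute-force control and are not stated on this page; the 15-minute lockout duration, the `BruteForceGuard` class, the `_verify` helper and the `alice` account are all assumptions made for the example. The clock is injected so the logic can be exercised offline without waiting.

```python
from collections import defaultdict, deque
import time

# Assumed thresholds (from the CE Requirements for IT Infrastructure brute-force
# control, not from this page): no more than 10 guesses, counted over 5 minutes.
MAX_FAILURES = 10
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 15 * 60  # assumption: how long a tripped lockout lasts


class BruteForceGuard:
    """Per-account sliding-window failure counter with temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> timestamps of failures
        self._locked_until = {}              # account -> time the lockout ends

    def _prune(self, account, now):
        # Forget failures older than the window so the count slides with time.
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[account]  # lockout has expired
            return False
        return True

    def failures_in_window(self, account, now):
        self._prune(account, now)
        return len(self._failures[account])

    def record_failure(self, account, now):
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

    def attempt(self, account, password, verify, now=None):
        """Return 'locked', 'rejected' or 'ok'. `verify` is the real credential check."""
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            return "locked"  # refuse before the password is even evaluated
        if verify(account, password):
            self.record_success(account)
            return "ok"
        self.record_failure(account, now)
        return "locked" if self.is_locked(account, now) else "rejected"


# Constructed sample credential store for the demo (not real data).
_USERS = {"alice": "correct horse battery staple"}


def _verify(account, password):
    return _USERS.get(account) == password


def simulate():
    """Replay a constructed guessing run and return the per-attempt outcomes."""
    guard = BruteForceGuard()
    outcomes = []
    # Ten wrong guesses one second apart: the tenth trips the lockout.
    for t in range(10):
        outcomes.append(guard.attempt("alice", f"guess{t}", _verify, now=t))
    # Even the correct password is refused while the account is locked...
    outcomes.append(guard.attempt("alice", _USERS["alice"], _verify, now=20))
    # ...and accepted again once the lockout has expired.
    outcomes.append(guard.attempt("alice", _USERS["alice"], _verify,
                                  now=9 + LOCKOUT_SECONDS))
    return outcomes


def spread_out_guesses_are_not_locked():
    """Nine failures, then a tenth well outside the window: no lockout."""
    guard = BruteForceGuard()
    for t in range(9):
        guard.attempt("alice", "wrong", _verify, now=t)
    return guard.attempt("alice", "wrong", _verify, now=9 + WINDOW_SECONDS + 1)


if __name__ == "__main__":
    print(simulate())
```

Two design points worth noting: the lockout check runs before the password is verified, so a locked account gives the attacker no signal about whether a guess was right; and failures are counted per account rather than per source IP, which is what the control asks for and what defeats a distributed guessing run.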
PASSWORDS | UA0081 | I'm trying to unpick the exact requirements for passwords used to log into endpoints (i.e. laptops). In Cyber Essentials: Requirements for IT Infrastructure v3.1, "Device unlocking credentials" provides some straightforward guidance but then states "When the device unlocking credentials are also used for authentication, you must apply the full password requirements to the credentials described in ‘user access controls.’" When looking at this section, this implies that to log into a device you must use one of the following: * A minimum password length of at least 12 characters, with no maximum length restrictions. Have I correctly understood this? Or is "authentication" referring to cloud services and not the device? | The full section here reads as: | LinkedIn_280723 |
PASSWORDS | UA0082 | some of the guidance in the CE standard talks about there being no Maximum password length. For example Azure AD has a max length of 256 characters, would this be considered as "No maximum" and if so how long is long enough? | You should not be setting a maximum password length. | LinkedIn_280723 |
PASSWORDS | UA0088 | Does IASME / NCSC have a position on the continued use of LastPass? With the leak and the continual vulnerabilities that are present unless the user changes them, it is a bit alarming how many (including MSPs) seem to be using the product. | CE is product agnostic and therefore does not currently provide any stance against a particular product. | YAMMER_280723 |
PASSWORDS | UA0091 | Draytek 286x series | The requirement for A4.3 is not about ensuring a maximum length of password is configured. It is simply about ensuring that the minimum requirements are met. | YAMMER_280723 |
PASSWORDS | UA0097 | Do you have a sample compliant password policy so we can make sure ours contains everything we need? | I am sorry, we cannot provide this in line with CE; just make sure that as a minimum it follows the advice contained within the Cyber Essentials Requirements for IT Infrastructure. | QUESTIONS_300823 |