Security Update FAQ Source
- Joe Checketts
|
|
|
|
|
|---|---|---|---|---|
BYOD | UM0001 | Is M365 InTune MAM-WE enough for BYOD device management? We can ensure devices are up to date, not jailbroken and have a pin BUT we do not have control over the apps installed on the device. However, as MAM-WE sandboxes the business data and has controls to stop personal/business being copy/pasted/mixed, is that enough to comply with the control? | The controls of Cyber Essentials have always required that they are applied by technical configuration. For BYOD devices the same controls need to be applied requires that you use a mixture of technical and written control to apply. Most important is to monitor and understand that any BYOD device in use must be running a supported operating system. | DigitalLoft240423 |
AUTO-UPDATES | UM0002 | With regards to auto updates and manual updates, iOS, MacOS even on auto-update will not update within 14 days without a full featured MDM, Given that you can now say we use auto-updates, is this policy OK for Apple devices given that they don’t have to list version number. | Setting operating systems and software to 'Auto Update' is acceptable to meet the update requirement | AW260723 |
BETA_VERSIONS | UM0003 | Good Morning. I have a client who is undertaking Cyber Essentials. They have listed an iPhone on iOS17.0 as this device has been enrolled in Beta Testing with Apple. As this iOS is still in testing with Apple, does this mean that this device would be considered non-compliant until 17.0 is in full public release and fully patched/supported? | Beta Software is not compliant with the control that requires all software to be supported and receiving security updates. Beta software does not recieve support or security updates as outlined by the software providers in their published terms and conditions, and this true of the case for iOS beta software . | LinkedIn_280723 |
BETA_VERSIONS | UM0004 | Do you have a link where MS say they do not support vulnerabilities for the Preview OS, we are getting a lot of pushback from MSPs who are a MS Partner. | Yes we do have that and will provide it for you, but as said previously beta, preview versions are not compliant. If they want to run them, fine, but they must segregate them. - User terms for windows 10 licensing, in the preview section additional notices para14 D and then 4. You may use previews only up to the expiration date.. you may not be eligible for any support, MS not liable, - this statement determines that it is not supported, | AW260723 |
BYOD | UM0005 | For BYOD, is IOS 15 (for example iPhone 7) still allowed? | iOS 15 is considered compliant as long as it is on the latest version 15.7.5 (April 12th) | CHANGES 280423 |
BYOD | UM0006 | For BYOD, is it mandatory for people to have automatic updates enabled? | Automatic updates should be enabled where possible is the requirment. A manual update process is allowable but he updates must be applied within 14 days. For BYOD devices using the built in option to use auto updating is the easiest option to keep these devices compliant. | CHANGES 280423 |
BYOD | UM0007 | How do we enforce BYOD to ensure all OS updates are installed and on the latest OS? | There are MDM systems available that can automatically block non-compliant devices from accessing networks, and you can use this technical control along with a policy to ensure that any BYOD devices accessing the network are up to date. | LITIG_050623 |
DEVICE_INFO | UM0008 | Conditional Access policies don't list the 'Make' of the endpoint so are they no longer sufficient for BYOD ? | Many conditional access policies will provide the make of the endpoint. Consult the documentation. | CHANGES 280423 |
DEVICE_INFO | UM0009 | Regards user devices, reporting "Device and Operating System" - do we also need to supply operating system patch/build level? | You will need to give enough information for the assessor to be able to ascertain that the OS is still licensed and supported. For Windows 10 devices you will need to include the version and edition details. For Macs you will only need to include the codename (eg Ventura). For Android or iOS only the major number (for example: iOS16 or Android 12). The level of detail required will vary because the vendors all have different timescales and naming conventions. More information is available on the vendor information pages in the CE Knowledge Hub - insert link here. | CHANGES 280423 |
DEVICE_INFO | UM0010 | What's the view on rapid security responses for iOS and MacOS? Version numbers are not required but how do we ascertain this as being applied? | You can't, is the short answer. You can only get this information if it's divulged by the applicant - for MacOS anyway, because you're not required to provide the version number. IOS and iPadOS they still provide version numbers. As long as the information that is asked for is provided and indicates compliance that is enough for the scheme. | AW_230523 |
FIREWALLS | UM0011 | What is the time frame for firewalls? is it still within 14 days for firmware? Or within the last year? | All high and critical firmware updates must be applied within 14 days on network equipment that is in scope of the assessment. | DigitalLoft240423 |
FIREWALLS | UM0012 | Why would you only ask for the make and model of firewalls and not ask for the version of firmware running on the firewall? Seems a huge oversight to me as a firmware hardware could be current and supported but it could be running a version of firmware that has known vulnerabilities? | Make and OS for devices/servers were decided on to encourage applicants to gain a better understanding of their estate. | DigitalLoft240423 |
FIREWALLS | UM0013 | If a Linux firewall OS is used (not a hardware firewall), what make/model/OS info is needed? | The required information would be make and operating system. | DigitalLoft240423 |
FIREWALLS | UM0014 | So if a firewall's last firmware update was 6 months ago, it's a fail as its no longer supported by the vendor, it must be within 14 days? | The requirement is only that the update must be applied within 14 days. So as long as the vendor still supports the firewall and it receives regular security updates then it would be compliant. Advice - If a firewall has not had any new firmware updates after 6 months, check with the supplier if the device is still supported. Due to the number of vulnerabailites being discovered, vendors are increasing the frequency of firmware updates. | DigitalLoft240423 |
FIRMWARE | UM0015 | I've always checked that firmware is up to date on end user devices. bios etc because these days windows update will typically list updates if needed but i've been speaking to someone here who believes we no longer need to do this in the new version.
| The official position for CE is to concentrate on the Desktops/Laptops/Servers running a supported operating system. The definition of software has been updated in the CE requirements document to reflect this change. The only devices which need to be checked for supported firmware is Firewalls and Routers. This position has been communicated via the Montpellier update training and various blogs published by IASME and NCSC. | YAMMER_280723 |
FIRMWARE | UM0016 | A6.4.1 Auto-Updates Operating System: Does this also apply to auto-updates for a router firmware? | This question is specifically asking if all updates for operating systems are applied be enabling auto updates. For Cyber Essentials the firmware of a firewall or router is considered to be its operating system and the 14 day requirement applies. If the firmware updates can be applied automatically that can be an option to install. If you choose a manual update process the updates must be applied within 14 days of release by the vendor. | LinkedIn_280723 |
FIRMWARE | UM0017 | At what point does hardware like Routers (for example from Netgear) get rejected? | The vendors of products set the lifecycle of a product such as the firewall. Due to the nature of Firewall devices being security devices it is normal practice that a Firewall device has a shorter lifcycle and this often 3 to 4 years. In order to meet the supported and receiving security updates requirement, these devices will need to be replace when the vendor has stopped supporting them to be compliant for Cyber Essentials. | LinkedIn_280723 |
FIRMWARE | UM0018 | Are firmware updates (bios)? no longer a requirement for end user devices anymore then if devices are not needed to be in support? | Yes, we've changed the definition in the requirements document. Version 3.0 just said all firmware was classed as software. We've now changed that to router and firewall firmware as being in scope, and is part of the software definition. Firmware on your laptops & desktops, smartphones, tablets and servers is not included in the definition. It no longer needs to be updated and provided with those updates at the present time. Often with Windows 10 and 11 you are getting firmware updates anyway. They are most of the time now published through operating system updates. That's certainly correct in the tablet and mobile phone worlds so that's why we state they must have a supported operating system. If they don't have it, they're not going to get those updates anyway. But this is particularly difficult in the desktop, laptop world to track firmware. | DigitalLoft240423 |
FIRMWARE | UM0019 | Hi. Do we need to list firmware versions of Firewalls and Routers? Or Make and Model is adequate? | For laptops, desktops , servers, and mobile (smartphones and tablets) the requirement is to provide make and operating system. For firewalls/routers, it's make and model. | DigitalLoft240423 |
FIRMWARE | UM0020 | With the change to no longer requiring endpoint device model, does that allow organisations such as schools and charities to "sweat" older assets such as laptops, etc that may no longer be supported by a vendor, PROVIDED that the operating system is up-to-date and supported? | As long as that device can run one of the latest feature releases for Windows 10 or Windows 11, that is allowable. The firmware of the device is particularly difficult to keep up to date and monitored, but there's some research being done within the NCSC to see whether that firmware is under attack from commodity Internet attacks (the easy, low-skilled attacks). At this time it was decided that we would concentrate on make and operating system. So if devices can support the latest version of Windows 10 22H2, or one of the latest versions of Windows 11, that is acceptable. | DigitalLoft240423 |
MOBILE | UM0021 | A client has just bought a load of Panasonic mobiles and panicking that they won't pass when Android 11 becomes EOL. They've said they won't run Android 12. | Definition of licensed and supported software: | YAMMER_280723 |
MOBILE | UM0022 | Some of our Mobile phones (Samsung A41), no longer receive One UI firmware updates, but it's still getting security patches on a biannual schedule. Would the security patch be enough to pass an audit or does the device have to be fully supported. | This would be still considered a regular update, so it would be compliant with the standard and would pass the audit as long as it updated. | LinkedIn_280723 |
MOBILE | UM0023 | For mobile devices how would you recommend dealing with devices that are not used regularly e.g. we have some staff who may leave a phone unused for more than 14 days and therefore miss the target for updates as they are not online and checked in | The simple answer here is, before they're actually used, the first job when they're switched on is to apply updates as soon as possible. | DigitalLoft240423 |
OS | UM0024 | Do I have to request more information if an applicant forgets to put the make of their phone or laptop - but puts the operating system version? It would seem a little pointless to send it back, as whatever they come back with would make no difference to the outcome. | The assessment requires the Make and operating systems details. The process of carrying out asset management review is an important part of the assessment process, and guidance has been added to the Cyber Essentials requirements document. It is important for any applicant organisation to understand the quantity of devices and the operating systems, in order for them to understand if they are still supported and to which devices need the controls applying. | YAMMER_280723 |
OS | UM0025 | Any guidance on Linux? | Each flavour of Linux is slightly different, but we would recommend going to the vendor websites to get clarity on their lifecycle. | DigitalLoft240423 |
OS | UM0026 | So if you have virtual infrastructure which is hosted on a server array, you only need to give Make and Operating System? i.e HP make, O/S Vmware VCF | You would also need to include the end user devices that are interacting with those services.(So if you have virtual infrastructure which is hosted on a server array, you only need to give Make and Operating System? i.e HP make, O/S Vmware VCF) | DigitalLoft240423 |
OS | UM0027 | What is Windows 10 Business Edition? Is it the same as Professional? |
| AW260723 |
OS | UM0028 | When Windows 10 goes out of support and Windows 11 is required, will anyone without a TPM be required to update them? |
| AW_230523 |
SERVERS | UM0029 | What about servers? Do they just need make and OS? | The level of detail required for Servers is Make and Operating System | UCISA_110523 |
SERVERS | UM0030 | For servers you claim that you are only interested if it is running a supported operating system. But surely the server software (eg web server) must also be supported by your general principle that software be supported. | For Servers they must be running a supported operating system, all software installed on in scope devices must also be supported. | UCISA_110523 |
SOFTWARE | UM0031 | For software dev (like python), there are often many 3rd packages from repos, how does this fit CE for keeping up-to-date? | If the repos are supported, that's fine. When using non supported ones, they'll have to be used on a different VLAN or a network segment which is where they are taken out of scope of Cyber Essentials. We have a lot of discussions with developers about this and we know that there are unsupported software development tools, because their clients are asking them to support. Older software systems will have to be on a VLAN or network segment that will need to be taken out of scope. | DigitalLoft240423 |
SOFTWARE | UM0032 | What about software where the vendor gives no indication about support periods, and where no new release has happened in a year or two? | That would be considered as unsupported and up to the applicant to prove otherwise if they disagree. | DigitalLoft240423 |
SUPPORT | UM0033 | Do you have a list of unacceptable hardware units, where the OEM has locked out users from certain security features? | No - the stipulation is that is must be able to run a supported OS. Providing specific product guidance is outside the scope of CE. | CHANGES 280423 |
SUPPORT | UM0034 | Some medical devices rely on operating systems and software that is no longer supported but these devices are essential to carry out key tasks. Can you suggest a way to make such medical devices compliant or can they never attain CE? | The devices themselves would never be compliant for CE. What we would see most people doing with these, is put them into a subset and then cut all inbound and outbound Internet connections at the boundary of that subset. That's what we've seen most organizations do that have these sort of unsupported operating systems tied to medical equipment. Now they can still communicate across that boundary to in-scope devices, that's still possible, but as long as all inbound and outbound Internet connections are cut at the boundary of that subset then that would be absolutely compliant.You wouldn't have to descope them in the scoping statement and you could scope a school organization too. | CHANGES 280423 |
SUPPORT | UM0035 | We do have Android mobile devices which has the latest OS but everytime we renew CE some of these devices marked as EOL from manufacturer. do you know where we can get the listing of EOL devices? | Android publishes regular security bulletins at https://source.android.com/docs/security/bulletin/asb-overview, currently supported versions are 11 upwards | CHANGES 280423 |
SUPPORT | UM0036 | What is the definition for an out of support application. If the vendor has not officially stopped supporting an application? | Supported' in this context means that the vendor is providing regular security updates and has published the date at which these updates will stop being provided. | CHANGES 280423 |
SUPPORT | UM0037 | With operating systems such as Windows Server 2012/R2 becoming EOL this year, will an organisation still be compliant for Cyber Essentials if they are running in Azure where they will receive Extended Security Updates? | Yes, as long as the OS is licensed and supported (meaning that is receives regular security updates) this would be acceptable. When filling in your application, please make sure you highlight you are on the ESU plan so that the assessor can take this into account. | CHANGES 280423 |
SUPPORT | UM0038 | What is the take for Window 11 Enterprise Insider Preview 22H2 as an supported OS for an IT Managed Service organisation? They get regular updates and security patches. Microsoft information around this is titled around "The Windows Insider Program for Business". Is there any reason this is non-compliant? | Scoping – Preview / Beta Builds
| YAMMER_280723 |
SUPPORT | UM0039 | Windows Server 2012/2012r2 upcoming end of support October 2023. If a subscription to Software Assurance and Extended Security Updates are purchased and applied - will this OS be compliant for CE following this date? | If you have purchased the Extended Security Updates then this would be compliant. | LinkedIn_280723 |
SUPPORT | UM0040 | A client of mine has about a third of their company phones running Android version 10, which has been out of support for about a month. Those phones are not upgradable to Android 11. Is this an automatic failure of Cyber Essentials certification? | This would be a failure of the Self-Assessment as that version of Android is considered unsupported. | LinkedIn_280723 |
SUPPORT | UM0041 | Is Ubuntu 18.04.5 considered to be EOL? | Ubuntu has it’s own wiki which lists all its versions and lifecycles which you can find here: | LinkedIn_280723 |
SUPPORT | UM0042 | Do you have a list of unacceptable hardware units, where the OEM has locked out users from certain security features? | No - the stipulation is that is must be able to run a supported OS. Providing specific product guidance is outside the scope of CE. | CHANGES 280423 |
SUPPORT | UM0043 | Some medical devices rely on operating systems and software that is no longer supported but these devices are essential to carry out key tasks. Can you suggest a way to make such medical devices compliant or can they never attain CE? | The devices themselves would never be compliant for CE. What we would see most people doing with these, is put them into a subset and then cut all inbound and outbound Internet connections at the boundary of that subset. That's what we've seen most organizations do that have these sort of unsupported operating systems tied to medical equipment. Now they can still communicate across that boundary to in-scope devices, that's still possible, but as long as all inbound and outbound Internet connections are cut at the boundary of that subset then that would be absolutely compliant.You wouldn't have to descope them in the scoping statement and you could scope a school organization too. | CHANGES 280423 |
SUPPORT | UM0044 | We do have Android mobile devices which has the latest OS but everytime we renew CE some of these devices marked as EOL from manufacturer. do you know where we can get the listing of EOL devices? | Android publishes regular security bulletins at https://source.android.com/docs/security/bulletin/asb-overview, currently supported versions are 11 upwards | CHANGES 280423 |
SUPPORT | UM0045 | What is the definition for an out of support application. If the vendor has not officially stopped supporting an application? | Supported' in this context means that the vendor is providing regular security updates and has published the date at which these updates will stop being provided. | CHANGES 280423 |
SUPPORT | UM0046 | With operating systems such as Windows Server 2012/R2 becoming EOL this year, will an organisation still be compliant for Cyber Essentials if they are running in Azure where they will receive Extended Security Updates? | Yes, as long as the OS is licensed and supported (meaning that is receives regular security updates) this would be acceptable. When filling in your application, please make sure you highlight you are on the ESU plan so that the assessor can take this into account. | CHANGES 280423 |
SUPPORT | UM0047 | A question about software with no explicit support date: Does this include software used by students to complete assignments and such? That is nothing related to business/research activity? | If the software is installed on a scoped device then yes, it would need to be supported. | DigitalLoft240423 |
SUPPORT | UM0048 | What does "supported" mean in the context of open source software? | Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular updates or patches. The vendor must provide the future date when they will stop providing updates. (Note that the vendor doesn’t need to have created the software originally, but they must be able to now modify the original software to create updates). Open Source software is acceptable as long as regular security updates are made available and there is a published end of life date. | DigitalLoft240423 |
SUPPORT | UM0049 | What about if software is created in house? | ? | UCISA_110523 |
SUPPORT | UM0050 | What is the status of software that has no vendor? I'm still looking for an answer for the open source question. | Further discussion will take place regarding open source software and the level of support at the CE Technical working group. | UCISA_110523 |
SUPPORT | UM0051 | Android 10 is still being supported by a certain manufacturer. | With certain devices there are ‘zombies’ - it meets the definition of licensed/supported software, that is fine. Because Android is still considered an open source OS. | AW260723 |
SUPPORT | UM0052 | For laptops, what's the reason if a Dell or ASUS to declare a supported version of Windows, what value does that bring? | I agree, I don't think it brings value to it at all, but that is what we're being told to ask for. Reason is, remember we used to be make and model, and that was the bargaining that happened, that was where we got to, that you could drop the model and just add the make. Now the reason is and I suppose it's a good idea is for things like Teams phones, that's where you can ascertain whether they're actually running on Android or whether they're running their own sort of proprietary operating system that is supported and that we see on the Teams IP desk phones. THat's the reason, we can't have one rule for desk phones and loads of different rules for the other, that's the decision that was made, we will obviously take any feedback, please just raise a ticket and that will go to our central feedback, the more feedback we've got saying why are you doing this. For large orgs it was too hard for them to identify their assets, but everything was done technically through an MDM or similar and that was a level of detail they could get. Whether it adds value or not is not the question, that was the agreement that was made and that's what we're gonna go to. | AW260423 |
SUPPORT | UM0053 | Windows 10 LTSC channels if they're supported and regular updates are being provided, as long as theyre still supported by Microsoft they are considered compliant. | 0 | AW260423 |
SUPPORT | UM0054 | Is Chrome 106 considered supported? | No it's not LTSC, it's not LTS and there have been several versions since, so no, it's not. So if it's LTS it is considered compliant, the latest version of that is 108. LTC and LTS releases, LTC release date 8th December 22 and LTS release 9th March 23, essentially that is the oldest Chrome OS that's considered compliant with the scheme and at the moment everyone should be be running 112 with the Stable release. Chromium Dash gives you all the information you need about Chrome browser and Chrome OS, it's quite a handy little dashboard. | AW260423 |
SUPPORT | UM0055 | ESXi 6 and ESXi 7 are still in support? | Use the links that we provide to determine whether ESXi is supported or not. You as the assessors have this knowledge and experience, you're capable of checking a website to determine whether something's supported or not. | AW260423 |
SWITCHES | UM0056 | What about switch firmware? | Switches are not included in the scope of a CE assessment. The firewall controls apply to: boundary firewalls, desktop computers, laptops, routers, servers, IaaS, PaaS, SaaS | CHANGES 280423 |
TPM | UM0058 | In the States they are permitted to use TPM1.2 as they have so many that are not compliant. | We can only go off information that is publicly available and that we can find, and the information that we see or have seen so far (if you can provide us with further, please do so) is that it's TPM2 only. | AW_230523 |
SERVERS | UM0059 | If we have a system that runs on windows server 2012 r2, what would be our options when mainstream support is withdrawn, to get CE certified? | you have 2 options here if you don’t want to upgrade to a supported operating system. | LINKEDIN_290923 |
DEVICE_INFO | UM0060 | We have a large window estate, and our inventory tooling is showing a handful of out of date Windows version because these employees are out on sick leave and have not turned their devices on and connected to automatically receive the updates. How should this be handled when submitting the Cyber Essentials Questionnaire ? Can we exclude these devices ? | This would be similar to a furloughed employee: | LINKEDIN_290923 |
DEVICE_INFO | UM0061 | My company has a number of environmental monitoring equipment which requires a PC software to be installed such that we can download the data from the equipment and do simple analysis. As the equipment is more than 10 years old now, the bundled software has not been updated for a while. Does it violate the requirement of A6.2 All software used by your organisation must be supported by a supplier who provides regular security updates? Note that the software should have no interaction with the Internet. Thank you | Yes, this would violate the requirement of A6.2, to be compliant this would need to be placed into a compliant subset using a firewall or VLAN however this would mean your scope would not be the whole organisation. | LINKEDIN_290923 |
SUPPORT | UM0062 | Please can you confirm if a mobile phone operating Android 10 software, would be in scope for Cyber Essentials accreditation. | Google actively supports the latest three versions with security updates, but not all manufacturers will support each version across all devices. | LINKEDIN_290923 |
MOBILE | UM0063 | Some of our Mobile phones (Samsung A41), no longer receive One UI firmware updates, but it's still getting security patches on a biannual schedule. Would the security patch be enough to pass an audit or does the device have to be fully supported. | This would be still considered a regular update, so it would be compliant with the standard and would pass the audit as long as it updated. | LINKEDIN_290923 |
14_DAYS | UM0064 | What happens if a system is not updated due to staff absence (e.g. holidays or sickness)? | The system must be updated as soon as the staff member returns and before being used to access any organisational data or services. |
|