Ministry of Defence lowers supplier infosec standards thanks to COVID-19 outbreak
Can't get assessors on-site to check SMEs' antivirus updates
Security standards for defence contractors have been lowered thanks to the coronavirus outbreak, Britain's Ministry of Defence has told its suppliers.
In an Industry Security Notice published to an obscure corner of GOV.UK, the ministry said it is suspending the need for its suppliers to have the Cyber Essentials Plus security certification.
"Organisations obtaining or renewing CE+ for a future contract will need to provide a Cyber Implementation Plan. This should inform Defence that the supplier is committed to seeking CE+ but cannot do so due to travel restrictions resulting from COVID-19," said the notice.
The notice added that the suspension applies across the board to all MoD suppliers "where the Cyber Risk Profile is Low, Moderate or High." The reason is that passing CE+ requires an on-site visit from an external assessor, something difficult to achieve while properly obeying the government's COVID-19 social distancing advice.
While CE+ (and its less stringent junior brother, Cyber Essentials) is more of a baseline certification than the infosec equivalent of building Fort Knox, it is mandatory for companies bidding on certain government contracts – including many MoD ones.
Assessors also do some basic pentesting and vuln-scanning as well as individual device configuration checks, as a sample CE+ test spec from the National Cyber Security Centre shows [PDF].
An MoD press officer didn't respond to The Register's questions.
Trust these guys, they only got breached once
Separately, in early April, the NCSC handed an exclusive contract to certification consortium IASME.
IASME is now the sole organisation that can award Cyber Essentials certifications to British SMEs, the number of awarding bodies having been slashed from five to just one with the new contract. A jubilant IASME beamed on its blog that NCSC handed it the keys to the cyber certification kingdom because of previous "confusion" in industry.
"The scheme, which is an important part of the NCSC's portfolio, teaches businesses how to protect themselves from the most common internet-based cyber threats and reassures their customers that cyber security is taken seriously," intoned IASME. One expects the highest standards of a body trusted with such a serious duty, right?
Er, about that. Three years ago IASME was itself the subject of a data breach. A hacker discovered a configuration error in an IASME software platform which allowed them to extract the names and email addresses of key security personnel at companies seeking CE certification.
"This situation was not only preventable; it was actually made by the company through poor installation and configuration," a cyber security expert told us at the time. Let's hope IASME has tightened up its act since then. ®
Updated at 09:03 UTC on 22 April 2020 to add:
Since the publication of this story, the MoD has got in touch to say: "We’ve made temporary changes to our Cyber Security Model to help potential suppliers, who may find it hard to get CE+ if external certifiers cannot carry out certification away from their offices. Suppliers still need to get CE and meet other risk-based proportionate controls."