Security standards for defence contractors have been lowered thanks to the coronavirus outbreak, Britain's Ministry of Defence has told its suppliers. In an Industry Security Notice published to an obscure corner of GOV.UK, the ministry said it is suspending the need for its suppliers to have the Cyber Essentials Plus security …

  1. Mike 137 Silver badge

    Cyber Essentials levels

    The two levels of Cyber Essentials should really be called Cyber Essentials Very Basic and Cyber Essentials Basic, as neither ensures continuing resilience against cyber attack. The best on offer is an "MOT test" of following some specific rules, and at the "higher" level also passing a pen test on a given occasion.

    When Cyber Essentials was in its infancy I recommended verification of the maturity (on the lines of CMM) with which the specified controls are managed. I got no traction, despite most cyber breaches primarily succeeding due to lax management rather than not having controls notionally in place (witness Equifax).

    It's also worth noting that despite all the publicity about the insecurity of Zoom, both government agencies and others to my knowledge conferencing at Secret and Top Secret levels are still using it.

    So much for cyber security.

  2. Anonymous Coward

    My last place got Cyber Essentials (3 to 4 odd years ago) purely by ignoring half the network and systems and getting HR to fill the form in.

    Without someone actually checking that what you have said you do is what you do, it's just a box-ticking exercise where you always give the expected answer. How can you fail...

    Paying a company to do a check is also questionable, as it's in their interest for you to pass and to keep paying them... Not sure how you get around this one though!

    1. jeremylloyd

      It's not in the CB's (Certifying Body's) interest to pass failing companies, as if they get caught out they will be thrown off the certification scheme. They would also be breaking the contract with IASME and the NCSC.

  3. jeremylloyd

    Actually, CE+ assessments can be done, and are being done, remotely if there is VPN access for the VA scan, and remote desktop access for the anti-malware tests.

