The NCSC revises Cyber Essentials but keeps its password guidance
(Last updated on February 26, 2020)
Recognised as the authoritative voice on information security in the UK, the National Cyber Security Centre (NCSC) is the government body responsible for securing UK IT. The NCSC consolidates and replaces earlier government cyber security bodies, and its creation signals the priority given to cyber security on the national agenda.
The NCSC’s approved certification scheme, Cyber Essentials, provides a standardised baseline of cyber security policies, controls, and technologies. Cyber Essentials certification is mandatory for government contracts that involve handling personal information or provisioning certain products and services.
The NCSC recently announced revisions to the Cyber Essentials scheme which are expected to take effect on 1 April 2020. The revisions include the introduction of annual expiry dates on certificates, and a single cyber security delivery partner in place of the existing five Accreditation Bodies. There are currently no plans to change the technical controls.
The password guidance
The NCSC has been hard at work simplifying its password guidance to make it easier for organisations to understand and implement. You can find the official documentation in a few places: the Cyber Essentials Requirements for IT infrastructure document, and the NCSC guidance Password policy: updating your approach. Since the password requirements fall within the technical controls, they will not change when the revised Cyber Essentials scheme takes effect.
If you’re familiar with the above documentation, you’ll already know the importance of password blacklisting (also called a deny list). In short, the NCSC considers password blacklisting a technical control that stops users from choosing the passwords attackers try first, and offers it as an alternative to password complexity requirements, which tend to produce predictable patterns rather than strong passwords. To help system owners with the task, the NCSC provides a list of the top 100,000 passwords from the Have I Been Pwned (Pwned Passwords) data set to audit user passwords against. Because Active Directory does not store plaintext passwords, a practical audit hashes each entry of the list the same way AD does and compares the results with the stored hashes; the list covers the most common passwords, not every weak one, so it complements rather than replaces the minimum length requirement.
Specops Password Auditor is the fastest way to check for vulnerable passwords in Active Directory. The FREE tool can check user account passwords against the NCSC list, and against other compromised password lists leaked from notable breaches. Once you sign up, you will receive a link to the downloadable Setup wizard. The entire installation process can be completed in just a few minutes.
Cyber Essentials certification
As of 1 April 2020, Cyber Essentials certification will be issued with a 12-month expiry date. Because certification must be renewed annually, the password audit described above should become a recurring part of your ongoing IT process rather than a one-off check. If you are using Specops Password Auditor, you can upgrade to Specops Password Policy for continuous password breach checks. During a password change in Active Directory, the solution checks the proposed password and blocks vulnerable ones from being selected in the first place.
Don’t let weak passwords stand in your way. Try our free tool to get started.