The NCSC revises Cyber Essentials but keeps its password guidance

Recognised as the authoritative voice on information security in the UK, the National Cyber Security Centre (NCSC) is the UK’s weapon in securing IT. The NCSC consolidates and replaces existing expertise, and indicates the prioritisation of cybersecurity on the national agenda.

The NCSC’s approved accreditation scheme, Cyber Essentials, provides a standardised baseline for cyber security policies, controls, and technologies. Cyber Essentials is mandatory for government contracts that involve handling personal information, or provisioning certain products and services.

The NCSC recently announced revisions to the Cyber Essentials scheme which is expected to go into effect on April 1, 2020. The revisions include the introduction of annual expiry dates on certificates, and a single cyber security delivery partner, rather than the existing 5 Accreditation Bodies. Currently there are no plans to change the technical controls.

The password guidance

The NCSC has been hard at work at simplifying its password guidance to make it easier for organisations to understand, and implement. You can find the official documentation in a few places: Requirements for IT infrastructure, or Password policy: updating your approach. Since the password requirements fall within the technical controls, there will be no further modifications leading up to the new cyber essentials scheme going into effect.

If you’re familiar with the above documentation, you’ll already know the importance of using a password list to block leaked passwords. The NCSC considers a password list to be a technical control that can help users avoid weak passwords. It is offered as an alternative to password complexity requirements. To help system owners with the task, the NCSC provides a list of the top 100,000 passwords from the Have I Been Pwned data set to audit user passwords.

Specops Password Auditor is the fastest way to check vulnerable passwords in Active Directory. The FREE tool can check user account passwords against the NCSC list, and other compromised password lists that have been leaked from notable breaches. Once you sign-up, you will receive a link to the downloadable Setup wizard. The entire installation process can be completed in just a few minutes.

Cyber essentials certification

As of 1 April 2020, Cyber Essentials certification will be issued with a 12-month expiry date. To streamline your certification process, the aforementioned password check needs to be integrated as a part of your ongoing IT process. If you are using Specops Password Auditor, you can upgrade to Specops Password Policy for continuous password breach checks. During a password change in Active Directory, the solution will check and block vulnerable passwords from being selected in the first place.

Don’t let weak passwords stand in your way.

Free Password Audit

Download Specops Password Auditor (Free) to identify breached passwords in your environment. Specops Password Auditor produces detailed security reports that can be shared with management for internal audits.

Download Specops Password Auditor

Find out how you can use Specops Password Auditor to run the NCSC’s pwned password list in Active Directory

Contact our password security specialists in the UK:

Submit your question

Call us: +44 (0)203 002 1877

(Last updated on October 5, 2023)

Tags: , , ,

darren james

Written by

Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 

Back to Blog