UK government enforces minimum standards for cyber security

Government departments have autonomy in how they comply with the new rules

The UK government has published its first attempt at setting a minimum cyber security standard for public sector organisations: the inventively-named Minimum Cyber Security Standard (MCSS), which will be incorporated into the Government Functional Standard for Security.

All government departments (including ‘organisations, agencies, Arm's Length Bodies and contractors') are required to follow and preferably exceed the MCSS. The standard will be updated over time to continually raise these bodies' levels of cyber-preparedness.

The document is divided into 10 sections over five categories: Identify, Protect, Detect, Respond and Recover. The authors have used broad brush strokes to describe preferable outcomes (i.e. clear lines of responsibility and accountability to named individuals); departments are mostly autonomous when it comes to the means by which they achieve compliance.

This is by design. The document states: ‘As far as possible the security standards define outcomes, allowing Departments flexibility in how the standards are implemented, dependent on their local context.'

It continues, ‘Compliance with the standards can be achieved in many ways, depending on the technology choices and business requirements in question.'

For example, multi-factor authentication is required ‘where technically possible' (7.b), but the document doesn't go as far as defining a particular technology or vendor.

There are, however, some sections that do define certain technologies and services. Section 6.c.i says that email must be sent and received using Transport Layer Security (TLS) v1.2, and 6.d.iii requires the same for protecting data in transit.

Unfortunately, TLS 1.3 began rolling out three months ago and is expected to be ratified soon; we hope that most government departments will go beyond TLS 1.2 as soon as they are able.

We recently spoke to David DeSanto, technical product leader and security researcher at Spirent, about TLS 1.3. He told us:

"Large enterprises need to make sure that they're cognisant that [the transition to TLS 1.3] is going on; that the security vendors that they rely on...are all dealing with this today. They should have open conversations with them...to make sure that they're configuring themselves to be secure during this transitionary period."

Mike Trevett, UK&I director at FireEye, welcome the government's introduction of a minimum set of standards. He said:

"The domain structure helps to bolster the simplified approach - Identify, Protect, Detect, Respond, Recover. With breaches becoming inevitable, organisations need to not only to set defences and identify attacks, but crucially to have a really clear understanding of what to do in the event of a breach - every organisation needs to have a really clear incident response plan that's well tested and regularly rehearsed.

"Following these standards will take an organisation a long way towards a goal of becoming cyber-resilient."

Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek, "The UK serves a laudable example on how cybersecurity can be and should be managed on a governmental level, that many other European countries can follow."