2021-11-17



After the Department for Digital, Culture, Media and Sport (DCMS) announced plans to make compliance with a cyber assessment framework mandatory, a government crackdown on UK MSPs' security practices is drawing ever closer.

Digital Minister Julia Lopez said in a prepared statement: "We are taking the next step in our mission to strengthen cybersecurity and encourage businesses across the UK to follow the advice and guidance of the National Cyber Security Centre to protect their businesses. We reduce our digital footprint and protect sensitive data."

Some form of NCSC-accredited certification for Managed Service Providers (MSPs) and cloud companies will become mandatory in the medium term. The plans are a follow-up to a government consultation held over the summer, which sought views on regulating MSPs alone.

But in a sign that the regulatory sands are shifting, the government said in a public response this week that "all future policies must move away from their monopoly focus on managed services and take this broad range of digital technology providers into account."

For UK.gov, better security appears to mean that MSPs and other cloud service providers must adhere to the NCSC-backed Cyber Assessment Framework (CAF), or a framework based on it.

The response continued: "Many submissions expressed concern about the government's intention to impose additional requirements across the UK digital sector." Developing definitions and setting clear boundaries between different providers of digital technology solutions, including cloud and managed services, is still ongoing and remains a difficult task, the government said.

The industry told DCMS that it wants more "normative requirements" than the CAF provides, including "official certification through audit" and "incident reporting obligations".

If that is indeed what DCMS has been told, and it adopts those requirements for monitoring compliance against its chosen security framework, then Cyber Essentials Plus could become the default MSP/cloud security standard for UK businesses.

Cyber Essentials (without the Plus) is already the default security standard for government vendors, but it is essentially a self-assessment checklist.

Meanwhile, the older UK advice to use vendor security questionnaires is not being followed much in practice.

[Graph: half of UK cloud service buyers do not use vendor security questionnaires]

Buyers of MSP services, for their part, were all in favour of more regulation (or at least of DCMS becoming the regulator), with an interesting warning to Big Tech.

The government's focus on supply chain security has been reinforced by high-profile attacks on MSPs such as the Kaseya incident in the US, in which attackers targeted Kaseya's VSA endpoint and network management tool and, through the compromised MSPs, gained immediate visibility into most of their customers. There have also been a number of smaller attacks of a similar kind, and US network management company SolarWinds was targeted by Russian spy agencies.

Not all UK MSPs are committed to good security practices, however, as a lighter-hearted (but cautionary) ransomware recovery story from 2019 reveals.

