UK Publishes Minimum Cyber Security Standard for Government Departments

The UK government’s Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes ‘organizations, agencies, Arm’s Length Bodies and contractors’), but it also provides an excellent security checklist/framework for commercial organizations.

It is a surprisingly short document (PDF): just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover. It largely follows the wider European approach of mandating outcomes rather than specific means to achieve those outcomes — but is not entirely devoid of specific instructions.

For example, Section 6.d.iv includes, “You shall register for and use the NCSC’s Web Check service.” Web Check is part of the NCSC’s Active Defense program. It is designed to check public sector websites for common vulnerabilities, and by this time last year was quietly scanning more than 1,200 government sites every day.

Other requirements include support for TLS v1.2, and the implementation of Domain-based Message Authentication Reporting and Conformance (DMARC) “to make email spoofing difficult”.
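The DMARC requirement above is the one place where the standard names a concrete control and its purpose, so a worked check is useful. The following is an added example and is not code from the article or from the Cabinet Office standard: it parses a DMARC TXT record (the tag=value format defined in RFC 7489) and flags the settings that still leave spoofing possible even when a record is present, such as `p=none`, a weaker subdomain policy, a partial `pct`, or no reporting address. The sample records and the `example.gov.uk` address in them are constructed placeholders.

```python
"""Parse a DMARC TXT record and grade its anti-spoofing posture.

Added example for illustration; the records below are constructed and
the domain names in them are placeholders, not real deployments.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A DMARC record is published as a TXT record at _dmarc.<domain>, e.g.
#   "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk; pct=100"
# The tags that decide how much spoofing protection it delivers are
# p (policy), sp (subdomain policy, defaults to p), pct and rua.
VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    valid: bool                       # record is syntactically usable
    policy: Optional[str]             # value of p=
    subdomain_policy: Optional[str]   # effective sp= (defaults to p)
    pct: int                          # share of failing mail the policy applies to
    has_reporting: bool               # rua= mailto: address present
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return a structured verdict on how much spoofing protection a record gives."""
    findings: List[str] = []
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment(False, None, None, 0, False, [str(exc)])

    # RFC 7489 requires v=DMARC1 to be the first tag; receivers ignore the record otherwise.
    first_tag = record.split(";", 1)[0].strip().lower().replace(" ", "")
    if first_tag != "v=dmarc1":
        findings.append("record must start with v=DMARC1")
        return DmarcAssessment(False, None, None, 0, False, findings)

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append("missing or invalid p= tag")
        return DmarcAssessment(False, policy, None, 0, False, findings)

    subdomain_policy = tags.get("sp", policy)  # sp falls back to p when absent
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else -1
    if not 0 <= pct <= 100:
        findings.append(f"pct must be 0-100, got {pct_raw!r}")
        pct = 0
    has_reporting = tags.get("rua", "").lower().startswith("mailto:")

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable despite a strict p=")
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if not has_reporting:
        findings.append("no rua= mailto: address; aggregate reports will not arrive")
    return DmarcAssessment(True, policy, subdomain_policy, pct, has_reporting, findings)


if __name__ == "__main__":
    # Constructed sample records, from strongest to weakest.
    samples = [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk; pct=100",
        "v=DMARC1; p=quarantine; sp=none; pct=50",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk",
        "p=reject; v=DMARC1",
    ]
    for rec in samples:
        result = assess_dmarc(rec)
        print(rec)
        print("  valid:", result.valid, "policy:", result.policy)
        for f in result.findings:
            print("  -", f)
```

In practice the record string would come from a DNS TXT lookup of `_dmarc.<domain>`; the parser is kept separate from the lookup so it can be unit-tested offline and run over a list of domains in an inventory.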

Another requirement (6.d.i) is that departments must, “Ensure the web application is not susceptible to common security vulnerabilities, such as described in the top ten Open Web Application Security Project (OWASP) vulnerabilities.” How that is ensured, like all requirements, is not specified.

For example, MFA is required (where feasible), but no specific factors or methods are described (7.b). It therefore allows for, but does not mention, evolving behavioral biometric factors.

This is by design. The document itself says, “As far as possible the security standards define outcomes, allowing Departments flexibility in how the standards are implemented, dependent on their local context.”

This lack of detailed prescription is welcomed by Sanjay Kalra, co-founder and chief product officer at Lacework. “This is especially important for organizations that operate workloads in the cloud,” he told SecurityWeek. “Where change is rapid and continuous, the appropriate cloud security measures require flexibility in their approach. In some ways, the Standard is similar in structure to GDPR, where the emphasis is on the outcome, but the guidelines for implementation allow for a common-sense approach that is flexible enough to allow for what works best for the organization.”


The publication is largely well-received by the security industry. Ilia Kolochenko, CEO of High-Tech Bridge (which offers its own web scanning service for both public and private industry), told SecurityWeek, “Simplicity and efficiency are successfully combined in the document. Today, many governmental entities don’t even know where and how to start cybersecurity, and this document will certainly help them structure and manage their digital risks and implement proper cybersecurity processes.”

It’s also exciting to see, he added, “some simple, but clear and effective, technical requirements such as proper TLS encryption and obligatory testing of web applications for OWASP Top 10.”

Matt Lock, director of sales engineers at Varonis, fears its simplicity is deceptive. “The minimum standards may sound simple on paper,” he told SecurityWeek, “but even large organizations may struggle putting these steps into practice.” Joseph Carson, Chief Security Scientist at Thycotic, adds, “As always, the questions for all of these standards will depend on the ability to enforce them.”

Carson also notes that securing the supply chain includes insistence that suppliers meet the UK Cyber Essentials level 6. He is somewhat concerned that the whole process could be “an indication that as the UK government prepares for the imminent Brexit, it is taking its own direction when it comes to cybersecurity. However, past incidents reveal that a cybersecurity strategy that does not extend beyond the country’s borders is doomed for failure as it assumes all cybercrime only occurs from within.”

Matt Walmsley, EMEA director at Vectra, notes the document is focused on the detection of known and common threats and attacks. “The really advanced attackers are well-resourced and highly motivated. They will use previously unseen innovative attacks that use both legitimate tools and zero-day vulnerabilities and exploits which will bypass traditional signature-based defense and detection approaches.”

By definition, he suspects that government departments will be targets for advanced attackers. “Given the UK government departments are likely targets for cyber-espionage, and politically motivated hacktivists as well as broader cyber-attacks, it is vital that they have the ability to detect and respond to advanced hidden attackers in short order, and with high efficacy.”

Mark Adams, regional VP, UK&I at Veeam Software, believes it is a great start for government, but government needs to do more to sell the standard across private industry. “What hope does a minimum cyber security standard have of being adhered to, outside of the government departments where it is made mandatory? Precious little, unfortunately… more must be done by the UK government to educate the private sector and make it realize that data protection and more secure data management is a necessity.”

U.S. security experts have been quick to see the parallels between the UK standard and NIST’s Cybersecurity Framework. “If you look at the HMG Security Policy Framework (SPF), referenced by the Minimum Cyber Security Standard,” Anupam Sahai, VP product management at Santa Clara, Calif.-based Cavirin, told SecurityWeek, “you’ll see that the overall structure is almost identical to the US NIST CSF — and for good reason. The five primary functions – Identify, Protect, Detect, Respond, and Recover – are universal. Where the HMG SPF needs to go next is to map the high-level guidance to the more detailed UK-specific references, as they are mapped in the CSF. In parallel,” he adds, “the UK has launched an Active Cyber Defense program, which in fact could serve as a template for the US.”

Lock also makes a comparison with the NIST framework. “The NIST Framework emphasizes the protection of data, provisioning access to a least-privilege ‘eyes-only’ model, and continuous improvement among other key areas. And like the U.S. model, the Standard calls for continuous improvement, as organizations must be ready for the next attack.”

All told, the general consensus is favorable. The Minimum Cyber Security Standard is mandated for government, but also provides a valuable framework for private industry — paralleling NIST in the U.S. Kolochenko sees even further value. “The UK,” he said, “serves as a laudable example on how cybersecurity can be and should be managed on a governmental level, that many other European countries can follow.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.